Can Snort be configured with a FreeBSD router?
My FreeBSD router has 2 NIC cards: one connected to the data feed from the data center, the other connected to a 24-port switch. Can I install a tool like Snort in this scenario? If so, what are some configuration challenges that I might run into?
in a scenario like this, but that doesn't mean that you should. In the case you're describing, my biggest fear is that you're taking a FreeBSD server and asking it to act in three roles: a server, a router and an intrusion detection system (IDS). This is OK in a bootstrap environment, but if you're at the point where you're running a data center with 24-port switches, I wouldn't encourage it.
I'd recommend that you obtain specialized devices to fill each role on your network. It's a best practice to have a dedicated router filling the router role, and it'll be better yet if you can purchase a hardware router, rather than building one on a FreeBSD server. Similarly, you should have a separate device acting as your IDS sensor.
The reason for all of this? Minimizing complexity. A more complex networking environment increases the chances of something going wrong and makes it more difficult to troubleshoot network problems.
More information: Check out SearchSecurity.com's Snort Intrusion Detection and Prevention Guide.
Scott Sidel gives his take on Snort as a network intrusion defense tool.
This was first published in August 2007