Firewalling gateways and IDS's

Posted by Scott Davies on Server Fault
Published on 2009-10-06T05:30:36Z Indexed on 2010/03/17 14:01 UTC

Hi,

For IDS, I plan to have a Win 2008 server running on the gateway with the majority of roles disabled. I plan to firewall the Internet connection, but I'd also like to install Snort to work as an IDS. However, I am guessing that regardless of the Snort install of the promiscuous WinPcap driver, I won't be able to monitor ports that the firewall blocks. My thinking is that the chain of flow is:

Internet->Firewall on Win 2008->Winpcap->Snort->internal network

Is there a way to still monitor services that the firewall will block (i.e. TCP 445 SMB)? Perhaps run the data through Snort and then through the firewall?

Thanks
