bondee

asked on

Snort and ASA 5510 combination

I'm wondering if I can use a Snort and ASA 5510 combination for IDS purposes.

The reason for that is my ASA 5510 doesn't have an IPS/IDS module and I want to use the free IDS from Snort with Ubuntu.

Is this a good practice? Or is there any other way that I can implement the same idea?
The topology would be
Internet -- ASA 5510 -- Snort on Ubuntu -- Switch -- Users
or
Internet -- ASA 5510 -- Switch -- Users / Snort on Ubuntu

Without using the expensive IPS/IDS module from Cisco, this seems to be the best idea for getting IDS features such as monitoring and logging.

Thank you for your helpful comments on this in advance.
norgetek


Snort is a great way to get familiar with IDS/IPS technology without having to spend capital budget.

I would recommend for your initial foray into this to utilize a SPAN / Mirror port on the switch that the inside interface of the ASA connects to and mirror it to the Ubuntu system that Snort is running on.  This will be an IDS design that will not be able to drop packets but also will have less chance of impacting Internet connectivity while you are getting used to things.

Also with this setup you will need two network interfaces on the Ubuntu system.  One for the mirror destination and one for normal access.

Once you have it up and running you will have to spend a fair bit of time at first in "tuning" your signature set.
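
The two-interface SPAN design described in the reply above can be sanity-checked on the Ubuntu sensor before Snort is started. The script below is an added example, not part of the original thread: it inspects `ip -o` output for the mirror-destination interface. The interface name `eth1`, and the hardening assumption that a passive sniffing port should carry no IP address, are assumptions made here.

```shell
#!/bin/sh
# Added example: verify that the NIC cabled to the switch SPAN/mirror port is a
# passive sensor port (up, carrier present, no IP address of its own).

# Print the comma-separated flag list found between < and > in an `ip -o link` line.
link_flags() {
    printf '%s\n' "$1" | sed -n 's/^[^<]*<\([^>]*\)>.*$/\1/p'
}

# has_flag FLAGS NAME: succeed when NAME is one of the comma-separated FLAGS.
has_flag() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_sensor_iface LINK_LINE ADDR_OUTPUT
#   LINK_LINE   = output of: ip -o link show dev IFACE
#   ADDR_OUTPUT = output of: ip -o addr show dev IFACE
# Prints one finding per line and returns 1 if anything was found, else 0.
check_sensor_iface() {
    _flags=$(link_flags "$1")
    _rc=0
    has_flag "$_flags" UP || { echo "interface is administratively down"; _rc=1; }
    has_flag "$_flags" LOWER_UP || { echo "no carrier from the mirror port"; _rc=1; }
    # An inet/inet6 entry means the port can talk on the network instead of only
    # listening; management traffic belongs on the second, normal-access NIC.
    if printf '%s\n' "$2" | grep -Eq '[[:space:]]inet6?[[:space:]]'; then
        echo "sniffing interface has an IP address assigned"
        _rc=1
    fi
    return $_rc
}

# Live use on the sensor: ./check_sensor.sh eth1   (eth1 is an assumed name)
if [ -n "${1:-}" ]; then
    check_sensor_iface "$(ip -o link show dev "$1")" "$(ip -o addr show dev "$1")"
fi
```

A clean result only confirms the interface is ready to receive; whether mirrored traffic actually arrives still depends on the switch's SPAN configuration.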

SOLUTION
FirstSentinel
This solution is only available to members.
bondee

ASKER

So, if I summarize your comments:

The best bet is to put Snort between the ASA 5510 and the switch (if only one can be used) and also to use a web interface such as BASE. And using SPAN is not recommended for a work environment but it's good for testing.

Let me have a little bit of time to research BASE. Thank you for your ideas.
ASKER CERTIFIED SOLUTION
This solution is only available to members.
bondee

ASKER

Thank you both, FirstSentinel and norgetek, for your helpful comments on this.

Like norgetek says, I'll try first and do inline configuration later once I get used to Snort.

I appreciate it.