Snort on LAN (beginner)
  • Good day,

    Snort on LAN and not WAN?
    I found this question being asked several times on this forum, and the general consensus was "go with Snort on LAN if using NAT".
    PLEASE FORGIVE me for bringing this up yet one more time. I am trying to wrap my head around this and, by creating a silly post, am obviously having an issue with that.
    In layman's terms, my understanding is that I want to block the bad guys' attempts to compromise my network (DDoS for example) on the WAN part of the firewall, before they get to the LAN.
    So why LAN?
    Am I misunderstanding IPS completely? Or is the above the firewall's job?

    My home network is very simple:

    PCs
      |
    LAN (172.16.0.0)
      |
    pfSense
      |
    WAN (192.168.0.0)
      |
    ISP Router
      |
    Internet

    I have double NAT going on, maybe this is where I am getting confused.
    Thank you very much!



  • You kinda always need a firewall in front/inline.
    Otherwise you would be processing malicious packets sent against your IDS
    or just processing useless packets that a firewall could have dropped faster.

    To block ports, IPs, protocols = firewall
    To block domains, URLs, user agents = proxy
    To block patterns, evasion/obfuscation kung fu, malware, deep packet inspection with complex regex = IDS

    F.
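As an added illustration (not code from either poster or from the pfSense/Snort projects), the toy model below pushes a few constructed outbound flows through the chain the reply describes: an inline firewall first, then an IDS sensor placed either on the LAN side or on the WAN side of a NAT box modelled on the questioner's diagram. It shows two things a beginner usually wants to see: packets the firewall drops never cost the IDS any cycles, and a sensor on the WAN side of pfSense only ever sees pfSense's translated address, so its alerts cannot name the internal 172.16.x.x host, whereas a LAN-side sensor can. All addresses, the blocked-port policy, the `cmd.exe` content rule and the flows are assumptions constructed for the example.

```python
"""Toy model of firewall -> IDS -> NAT placement (added example, constructed data)."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple
import re

# Constructed addresses loosely matching the questioner's diagram (assumptions).
PFSENSE_WAN_IP = "192.168.0.10"      # pfSense WAN interface, behind the ISP router
FIREWALL_BLOCKED_PORTS = {23, 445}   # constructed outbound policy: telnet and SMB


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def firewall_allows(pkt: Packet) -> bool:
    """Port/IP/protocol decisions belong to the firewall (cheap, runs first)."""
    return pkt.dport not in FIREWALL_BLOCKED_PORTS


def nat_outbound(pkt: Packet, table: Dict[Tuple[str, int], Tuple[str, int]]) -> Packet:
    """Rewrite the source to pfSense's WAN address and record the mapping."""
    nat_port = 40000 + len(table)
    table[(PFSENSE_WAN_IP, nat_port)] = (pkt.src, pkt.sport)
    return replace(pkt, src=PFSENSE_WAN_IP, sport=nat_port)


# Crude stand-in for a Snort content rule: pattern matching on the payload
# is the IDS's job, and it is the expensive step.
IDS_RULE = re.compile(rb"cmd\.exe", re.IGNORECASE)


def ids_alert(pkt: Packet) -> Optional[str]:
    if IDS_RULE.search(pkt.payload):
        return f"ALERT src={pkt.src}:{pkt.sport} dst={pkt.dst}:{pkt.dport}"
    return None


def run(flows: List[Packet], sensor_side: str) -> Tuple[List[str], int]:
    """Process flows in order: firewall, LAN-side sensor, NAT, WAN-side sensor.

    sensor_side is "lan" or "wan". Returns (alerts, packets the IDS inspected).
    """
    nat_table: Dict[Tuple[str, int], Tuple[str, int]] = {}
    alerts: List[str] = []
    inspected = 0
    for pkt in flows:
        if not firewall_allows(pkt):
            continue                      # dropped inline; the IDS never sees it
        if sensor_side == "lan":
            inspected += 1
            hit = ids_alert(pkt)          # source is still the real internal host
            if hit:
                alerts.append(hit)
        pkt = nat_outbound(pkt, nat_table)
        if sensor_side == "wan":
            inspected += 1
            hit = ids_alert(pkt)          # source is now pfSense's WAN address
            if hit:
                alerts.append(hit)
    return alerts, inspected


# Constructed sample traffic from three internal hosts.
FLOWS = [
    Packet("172.16.0.20", 51000, "203.0.113.5", 80, b"GET /index.html HTTP/1.1"),
    Packet("172.16.0.21", 51001, "203.0.113.7", 445, b"SMB probe"),              # firewall drops
    Packet("172.16.0.22", 51002, "203.0.113.9", 80, b"GET /?x=cmd.exe HTTP/1.1"),  # IDS rule hits
]

if __name__ == "__main__":
    for side in ("lan", "wan"):
        alerts, inspected = run(FLOWS, side)
        print(f"sensor on {side}: inspected {inspected} packets, alerts: {alerts}")
```

Running it prints one alert per placement: the LAN-side sensor reports `src=172.16.0.22`, the WAN-side sensor reports `src=192.168.0.10`, and in both cases the SMB flow never reaches the IDS because the firewall dropped it first. That address difference is the practical reason the "LAN if using NAT" advice keeps coming up: on the WAN side you would have to correlate every alert back through the NAT state table to find the offending host.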