EXPERT RESPONSE
You can run Snort in a scenario like this, but that doesn't mean that you should. In the case you're describing, my biggest fear is that you're taking a FreeBSD server and asking it to act in three roles: a server, a router and an intrusion detection system (IDS). This is OK in a bootstrap environment, but if you're at the point where you're running a data center with 24-port switches, I wouldn't encourage it.
I'd recommend that you obtain specialized devices to fill each role on your network. It's a best practice to have a dedicated router filing the router role, and it'll be better yet if you can purchase a hardware router, rather than building one on a FreeBSD server. Similarly, you should have a separate device acting as your IDS sensor.
The reason for all of this? Minimizing complexity. A more complex networking environment increases the chances of something going wrong and makes it more difficult to troubleshoot network problems.
More information:
Check out SearchSecurity.com's Snort Intrusion Detection and Prevention Guide.
Scott Sidel gives his take on Snort as an network intrusion defense tool.
|
