On Tue, May 08, 2007 at 06:29:41PM +0400, Akshay Lamba wrote:
> I've been thinking, given a firewall on a network that's pretty much
> locked down tight other than an openvpn port, do I really need an IDS/IPS
> like snort or should I just let it be?
>
> What kind of resources does snort take? The box in question is really
> just an old desktop doubling as my home server now.
That really depends on how critical you consider your system. Firewalls can be hacked themselves, too. A few years back, bugs were frequently found in the pcap library that virtually allowed cracking any application that sniffs packets from the network interface under Linux. Unlike on some other systems, these tools typically run as root, so...

In your setup snort probably won't be able to look into the VPN traffic. However, when your outgoing traffic is more or less unrestricted, snort can help you detect attacks running from your network, such as viruses scanning the Internet or your parents hacking military installations. If that's not something you would be happy to know, you're better off without it.

Dirk.

-- 
The truth is an offense, but not a sin
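The egress-monitoring point Dirk makes above (an IDS on the LAN side spotting an internal host scanning the Internet), as an added example that is not part of the original thread and is not Snort's own code. It reads constructed connection records in the form "<epoch> <src_ip> <dst_ip> <dst_port>" and flags any internal source that reaches more than a threshold of distinct external hosts within a sliding time window. The record format, the 192.168.1.0/24 home LAN prefix, the window and the threshold are all assumptions chosen for the example.

```python
"""Minimal outbound scan detector (added example, not from the original
thread or from Snort). Flags an internal host that contacts more than
THRESHOLD distinct external destination hosts within WINDOW seconds."""

from collections import defaultdict, deque

WINDOW = 10                      # assumed sliding window, in seconds
THRESHOLD = 5                    # assumed distinct-destination-host limit per window
INTERNAL_PREFIX = "192.168.1."   # assumed home LAN; only its outbound traffic is examined

# Constructed sample records: 192.168.1.10 browses two web sites normally,
# 192.168.1.20 sweeps port 445 across six different hosts in three seconds.
SAMPLE_LOG = """\
1178630400 192.168.1.10 203.0.113.5 80
1178630401 192.168.1.10 203.0.113.9 443
1178630402 192.168.1.20 198.51.100.1 445
1178630402 192.168.1.20 198.51.100.2 445
1178630403 192.168.1.20 198.51.100.3 445
1178630403 192.168.1.20 198.51.100.4 445
1178630404 192.168.1.20 198.51.100.5 445
1178630404 192.168.1.20 198.51.100.6 445
1178630405 192.168.1.10 203.0.113.5 80
"""


def parse(line):
    """Split one '<epoch> <src_ip> <dst_ip> <dst_port>' record into typed fields."""
    ts, src, dst, port = line.split()
    return int(ts), src, dst, int(port)


def detect_outbound_scans(log_text, window=WINDOW, threshold=THRESHOLD,
                          internal_prefix=INTERNAL_PREFIX):
    """Return {src_ip: timestamp_of_first_alert} for internal hosts that reach
    more than `threshold` distinct external hosts within any `window` seconds."""
    recent = defaultdict(deque)   # src_ip -> deque of (ts, dst_ip) still inside the window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _port = parse(line)
        # Only LAN-to-Internet connections matter here; LAN-internal and
        # inbound traffic are left to the firewall.
        if not src.startswith(internal_prefix) or dst.startswith(internal_prefix):
            continue
        q = recent[src]
        q.append((ts, dst))
        # Expire records that have fallen out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct_hosts = {d for _, d in q}
        if len(distinct_hosts) > threshold and src not in alerts:
            alerts[src] = ts
    return alerts


if __name__ == "__main__":
    for host, when in detect_outbound_scans(SAMPLE_LOG).items():
        print(f"ALERT {when}: {host} contacted >{THRESHOLD} distinct hosts in {WINDOW}s")
```

Run as-is it reports only 192.168.1.20; the browsing host stays under the threshold. Counting distinct destination hosts rather than raw connections is what keeps a busy but legitimate client from tripping the rule, and the per-source alert map means a scanning host is reported once rather than on every subsequent packet.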
