Where is the best place for Suricata-IDS?

Hello,
Consider a LAN like the one below:


Where is the best place to put Suricata-IDS?

Thank you.

If you see everything that you want to look into at the Core Switch, a Breakout at the Core Switch is the first choice. The outer Switch could be a nice addition.
If there are direct connections that skip the core switch, you might want to add those as well for lateral movement.


Thank you.
Can you specify what you mean on the diagram? I mean the places where Suricata-IDS should be located.

As I said, I see the Core Switch (dark blue) as the most important location, while the others are helpful as well.
So I suggest starting with a Suricata instance that receives the traffic from the Core Switch (via a mirror port or whatever the switch provides for traffic mirroring).


Excuse me, what is your opinion about this:
Switch —> Firewall —> Suricata-IDS —> Core Switch

This can be one option; it will cover all outgoing/incoming (filtered) traffic towards your core.
