The point of least security is where your Snort box or the box doing the analysis is connected to a nonsecure environment (possibly your LAN). In your case, I would say having the second config, all on one box, is more secure - provided it had the LAN card removed. The LAN card would be the point of least security in both setups, as it's an open, configured interface to the network.
The best Snort config you could get (AFAIK) would be to put a box with just one NIC, unconfigured, onto the place you want to watch. Any direct network access to the box would be a possible point of weakness.
And in fact, if you chose the split configuration with a new, private LAN between the Snort PC and the ACID one, there's another possible chance for an attacker to gain access.
Last edited by Technonotice; 06-20-2004 at 09:13 AM.
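One way to check the "one NIC, unconfigured" setup described in the post above, as an added example that is not part of the original post: the script parses `ip -o addr show` output and fails if the sniffing interface carries any IPv4 or IPv6 address. Linux by default assigns an IPv6 link-local address as soon as an interface is brought up, so the check covers `inet6` as well. The interface names `eth0` and `eth1` and the sample output are constructed assumptions.

```shell
#!/bin/sh
# Added example: audit that a Snort sniffing interface carries no L3 address.

# Constructed sample of `ip -o addr show` output (not from the original post).
# eth0 is the assumed sniffing interface; eth1 is an assumed management NIC.
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet6 fe80::a00:27ff:fe4e:66a1/64 scope link \       valid_lft forever preferred_lft forever
3: eth1    inet 192.168.10.5/24 brd 192.168.10.255 scope global eth1\       valid_lft forever preferred_lft forever'

# Print every address bound to interface $1, one per line, reading
# `ip -o addr show` formatted text on stdin.
iface_addrs() {
    awk -v ifc="$1" '$2 == ifc && ($3 == "inet" || $3 == "inet6") { print $4 }'
}

# Print every non-loopback interface that is reachable at layer 3.
addressed_ifaces() {
    awk '$2 != "lo" && ($3 == "inet" || $3 == "inet6") { print $2 }' | sort -u
}

# Return 0 if interface $1 has no address in the text on stdin, 1 otherwise.
sensor_is_unaddressed() {
    found=$(iface_addrs "$1")
    if [ -n "$found" ]; then
        echo "FAIL: $1 is addressable: $found" >&2
        return 1
    fi
    echo "OK: $1 has no IPv4/IPv6 address"
    return 0
}

# Demo on the constructed sample: lists eth0 (link-local only) and eth1.
printf '%s\n' "$SAMPLE_ADDRS" | addressed_ifaces

# On a live sensor: ip -o addr show | sensor_is_unaddressed eth0
```

In the sample, `eth0` was never given an IPv4 address yet still fails the audit because of its automatic link-local address.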