<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Can I put my External Facing Servers in EXTERNAL_NET of a Firepower's VARIABLE SET? in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/can-i-put-my-external-facing-servers-in-external-net-of-a/m-p/4102229#M1070983</link>
    <description>&lt;P&gt;I have a range of IPs which are assigned for Internet facing servers. I had already defined all of my HOME_NET, in which I also included publicly addressable internal IPs which I would like to monitor. However, I had not added these external facing network ranges to the HOME_NET. I rather thought of adding them in the EXTERNAL_NET's excluded category. This ensures that these IPs are not part of the internal network and are also not part of the external networks either. I believe it is safe to say that anything in the excluded category of EXTERNAL_NET can be called an unprotected network.&amp;nbsp;&lt;/P&gt;&lt;P&gt;The question is, did I configure it right? If there is an attack on one of the external facing servers which is open on 80 and 443, for a signature such as "&lt;SPAN&gt;alert tcp $EXTERNAL_NET any -&amp;gt; $HOME_NET $HTTP_PORTS&lt;/SPAN&gt;&lt;SPAN&gt;" I should be triggered only when the attack reaches an IP from the HOME_NET (159.x.x.x -&amp;gt; 192.168.x.x). Will this cause any conflicts? Is this even the right way of defining our external facing/internet facing networks?&lt;/SPAN&gt;&lt;/P&gt;</description>
    <pubDate>Fri, 12 Jun 2020 13:13:42 GMT</pubDate>
    <dc:creator>nemanas</dc:creator>
    <dc:date>2020-06-12T13:13:42Z</dc:date>
    <item>
      <title>Can I put my External Facing Servers in EXTERNAL_NET of a Firepower's VARIABLE SET?</title>
      <link>https://community.cisco.com/t5/network-security/can-i-put-my-external-facing-servers-in-external-net-of-a/m-p/4102229#M1070983</link>
      <description>&lt;P&gt;I have a range of IPs which are assigned for Internet facing servers. I had already defined all of my HOME_NET, in which I also included publicly addressable internal IPs which I would like to monitor. However, I had not added these external facing network ranges to the HOME_NET. I rather thought of adding them in the EXTERNAL_NET's excluded category. This ensures that these IPs are not part of the internal network and are also not part of the external networks either. I believe it is safe to say that anything in the excluded category of EXTERNAL_NET can be called an unprotected network.&amp;nbsp;&lt;/P&gt;&lt;P&gt;The question is, did I configure it right? If there is an attack on one of the external facing servers which is open on 80 and 443, for a signature such as "&lt;SPAN&gt;alert tcp $EXTERNAL_NET any -&amp;gt; $HOME_NET $HTTP_PORTS&lt;/SPAN&gt;&lt;SPAN&gt;" I should be triggered only when the attack reaches an IP from the HOME_NET (159.x.x.x -&amp;gt; 192.168.x.x). Will this cause any conflicts? Is this even the right way of defining our external facing/internet facing networks?&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Fri, 12 Jun 2020 13:13:42 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/can-i-put-my-external-facing-servers-in-external-net-of-a/m-p/4102229#M1070983</guid>
      <dc:creator>nemanas</dc:creator>
      <dc:date>2020-06-12T13:13:42Z</dc:date>
    </item>
    <item>
      <title>Re: Can I put my External Facing Servers in EXTERNAL_NET of a Firepower's VARIABLE SET?</title>
      <link>https://community.cisco.com/t5/network-security/can-i-put-my-external-facing-servers-in-external-net-of-a/m-p/4102257#M1070984</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;It sounds like this is North-South traffic, in which case you will actually want to include your public facing servers in the HOME_NET so that the Snort signatures can detect inbound attacks against your servers. Basically, HOME_NET should contain everything you want to protect and EXTERNAL_NET should be viewed as where an attack might come from.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I suggest including all the subnets you own in HOME_NET and then setting the EXTERNAL_NET to exclude HOME_NET.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Here is a link to a Cisco Live presentation which contains some good information on variable sets:&lt;/P&gt;&lt;P&gt;&lt;A href="https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2018/pdf/BRKSEC-2066.pdf" target="_blank"&gt;https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2018/pdf/BRKSEC-2066.pdf&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 12 Jun 2020 14:11:07 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/can-i-put-my-external-facing-servers-in-external-net-of-a/m-p/4102257#M1070984</guid>
      <dc:creator>JohnLong3</dc:creator>
      <dc:date>2020-06-12T14:11:07Z</dc:date>
    </item>
  </channel>
</rss>