Opinions are my own and not those of my employer.

While it’s been 6 years since I left Cisco to join Google, it’s interesting to realize that even back then, the 2 companies approached network security in very different ways.

Snort and Enterprise Network Security

I previously worked at SourceFire (which was acquired by Cisco) on their network security equipment. Their core software, Snort, is effectively a deep packet inspection tool with pattern matching (it does a lot more, but that is the high-level view). Snort relies on seeing the packet payload to work effectively. I very much believed in the product during my tenure (and continued to after I left).

Snort normally lives at the edge of your network (or sometimes between major hubs/sites of a network) to look for oddities, either passively on a tap or SPAN port, where it can only alert, or inline, where it can also drop packets. I loved the description that it is antivirus for the network. While officially it's an IPS / IDS (Intrusion [Prevention/Detection] System), I would use the antivirus analogy when talking with non-IT nerds. It can give insights to find bad traffic on a network, but it also takes a lot of work for a network administrator to set up and tune properly for a network (Snort issues lots of false positives with default configs).

The core issue with Snort is that it relies on being able to see the network traffic. With Let's Encrypt making TLS certs easy and QUIC encrypting all of its traffic, almost everything is encrypted today. Snort cannot decrypt web traffic itself, so something has to MitM the TLS connections and feed the plaintext to Snort. Doing this in an office or at home requires non-trivial tooling: an intercepting proxy, a private CA that every managed endpoint trusts, and a way to force all egress through that proxy so nothing bypasses it. Even then, certificate-pinned apps break, and QUIC (UDP/443) usually has to be blocked so clients fall back to TCP TLS that the proxy can intercept.

Zero Trust Network

Google subscribes to the zero trust network principle, which it has implemented under the name of BeyondCorp (described in a 2014 whitepaper). There are many solutions out there to help implement this, with Tailscale (based on WireGuard) looking like another implementation of this.

The enterprise network model tends to be more open once you're past the perimeter (which is why it tends to be easy to pwn an entire company once an attacker is inside). The weakest link in your network can let an attacker potentially access the entire thing. Many systems will have other types of ACL to prevent access, but that isn't a core principle of the network design.

For zero trust, one hard part is that every node in your "network" now has to authenticate and authorize every request itself: all hosts you connect to will need to do these checks, or have some kind of proxy in front of them to do the checks. It just leads to more work overall when setting up a network. The advantage is that the weakest link in your network will just let that one system get compromised (hopefully).
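To make the per-request checks concrete, here is a small added example (my illustration, not Google's BeyondCorp code and not from the original post): a service verifies a signed identity assertion carrying user, groups, device state and expiry, then applies a per-resource policy before serving anything. The HMAC-signed token, the ISSUER_KEY and the POLICY table are assumptions standing in for BeyondCorp's device certificates and access proxy; the point is that the decision happens on every request, at the host (or its front proxy), with no trust placed in where the packet came from.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical shared key between the identity issuer and this service. BeyondCorp itself uses
# device certificates and an access proxy; an HMAC-signed assertion stands in for that here.
ISSUER_KEY = b"example-issuer-key-not-for-production"

# Hypothetical per-resource policy: which groups may call, and whether a managed device is required.
POLICY = {
    "/admin": {"groups": {"sre"}, "managed_device": True},
    "/wiki": {"groups": {"eng", "sre"}, "managed_device": False},
}


def sign_assertion(key, claims):
    """Issuer side: bind user, device state and expiry into one signed blob."""
    payload = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return payload + b"." + base64.urlsafe_b64encode(tag)


def verify_assertion(key, token, now):
    """Service side: check the signature first (constant-time), then expiry; None on any failure."""
    try:
        payload, tag = token.split(b".")
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(base64.urlsafe_b64decode(tag), expected):
            return None
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, TypeError):
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def authorize(token, path, now=None, key=ISSUER_KEY):
    """The per-request decision a zero-trust service (or the proxy in front of it) makes."""
    now = time.time() if now is None else now
    claims = verify_assertion(key, token, now)
    if claims is None:
        return 403, "invalid or expired assertion"
    rule = POLICY.get(path)
    if rule is None:
        return 403, "no policy for resource: default deny"
    if not set(claims.get("groups", [])) & rule["groups"]:
        return 403, "user not in an allowed group"
    if rule["managed_device"] and not claims.get("device_managed", False):
        return 403, "resource requires a managed device"
    return 200, "ok for %s from device %s" % (claims.get("user", "?"), claims.get("device", "?"))


if __name__ == "__main__":
    now = 1_700_000_000
    tok = sign_assertion(ISSUER_KEY, {"user": "alice", "groups": ["sre"], "device": "laptop-1",
                                      "device_managed": True, "exp": now + 300})
    print(authorize(tok, "/admin", now))
```

The same function is what a front proxy would run for a legacy service that cannot do the check itself; note that a valid user on an unmanaged device is still refused the admin resource, and an unknown resource is denied by default rather than falling through.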

Do They Mix?

This is where I'm out of my depth. Snort is really just one of many tools in the classic enterprise security model. But zero trust brings with it that you can't trust the network path, only the authenticated endpoints, so all traffic likely needs to be encrypted end to end. To me, this seems as if they won't play nicely with how Snort is designed today.

That suggests they do not mix, and that the shift really needs to be to endpoint security, meaning that security measures need to be applied on a per-host basis. There are many forms of this out there, but that seems to be where security really needs to live at this point. It can be packet capture or antivirus on the host, but something needs to live there.

Snort may still have a role in simple protocol-level detection, minus the deep-packet-inspection parts. At that point you are really looking at patterns in the metadata of traffic rather than its contents: what a TLS flow still exposes is the SNI (unless Encrypted Client Hello hides it), the ALPN and cipher suites the client offers, the server certificate on TLS 1.2 (TLS 1.3 encrypts it), and packet sizes and timing. This seems better suited for a firewall or similar product to tackle. The edge devices can do basic heuristics (analyzing traffic in/out per host, plus breaking down by port), but deep packet inspection seems dead.
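As an added example (not from the post, Snort or Cisco) of what the interception problem above leaves visible and of the metadata-only heuristics just described, here is a Python script that builds a constructed TLS ClientHello, parses the SNI, ALPN, cipher suites and groups out of it without decrypting anything, computes the JA3 client fingerprint string (following the public JA3 definition), and makes the kind of blocklist verdict an edge device can still make. The sample hello, the SNI blocklist and the check_flow rules are assumptions. QUIC encrypts its ClientHello inside the Initial packet, so this works as-is only on TLS over TCP.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are random filler browsers add; JA3 drops them so the fingerprint is stable.
GREASE = {0x0a0a + 0x1010 * i for i in range(16)}


def _ext(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(sni, alpn, ciphers, groups):
    """Constructed sample: a TLS 1.2-style ClientHello record, as a browser-like client would send it."""
    body = b"\x03\x03" + bytes(32) + b"\x00"        # legacy_version, random (zeroed), empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                               # one compression method: null
    exts = b""
    if sni is not None:                               # server_name: list length, name type 0, name length, name
        host = sni.encode()
        exts += _ext(0, struct.pack("!HBH", len(host) + 3, 0, len(host)) + host)
    exts += _ext(10, struct.pack("!H", 2 * len(groups)) + b"".join(struct.pack("!H", g) for g in groups))
    exts += _ext(11, b"\x01\x00")                     # ec_point_formats: uncompressed
    alpn_list = b"".join(bytes([len(p)]) + p.encode() for p in alpn)
    exts += _ext(16, struct.pack("!H", len(alpn_list)) + alpn_list)
    exts += _ext(43, b"\x04\x03\x04\x03\x03")         # supported_versions: TLS 1.3, TLS 1.2
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Pull out what an edge device can read from a ClientHello without any decryption."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rlen = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rlen]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    b = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack("!H", b[0:2])[0]
    pos = 2 + 32                                      # skip legacy_version and random
    pos += 1 + b[pos]                                 # skip session id
    cs_len = struct.unpack("!H", b[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack("!H", b[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + b[pos]                                 # skip compression methods
    info = {"version": version, "ciphers": ciphers, "extensions": [],
            "sni": None, "alpn": [], "groups": [], "point_formats": []}
    end = pos + 2 + struct.unpack("!H", b[pos:pos + 2])[0]
    pos += 2
    while pos < end:
        etype, elen = struct.unpack("!HH", b[pos:pos + 4])
        data = b[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        info["extensions"].append(etype)
        if etype == 0:                                # server_name: list length, then (type, len, name)
            p = 2
            while p < len(data):
                nlen = struct.unpack("!H", data[p + 1:p + 3])[0]
                if data[p] == 0:
                    info["sni"] = data[p + 3:p + 3 + nlen].decode("ascii")
                p += 3 + nlen
        elif etype == 10:                             # supported_groups
            n = struct.unpack("!H", data[:2])[0]
            info["groups"] = [struct.unpack("!H", data[2 + i:4 + i])[0] for i in range(0, n, 2)]
        elif etype == 11:                             # ec_point_formats
            info["point_formats"] = list(data[1:1 + data[0]])
        elif etype == 16:                             # ALPN: list length, then (len, name)
            p = 2
            while p < len(data):
                plen = data[p]
                info["alpn"].append(data[p + 1:p + 1 + plen].decode("ascii"))
                p += 1 + plen
    return info


def ja3(info):
    """JA3 string and MD5: version,ciphers,extensions,groups,point_formats with GREASE removed."""
    def join(vals):
        return "-".join(str(v) for v in vals if v not in GREASE)
    s = ",".join([str(info["version"]), join(info["ciphers"]), join(info["extensions"]),
                  join(info["groups"]), join(info["point_formats"])])
    return s, hashlib.md5(s.encode()).hexdigest()


def check_flow(info, sni_blocklist=frozenset(), bad_ja3=frozenset()):
    """Metadata-only verdicts of the kind a firewall can still make on encrypted traffic (hypothetical rules)."""
    findings = []
    if not info["sni"]:
        findings.append("no SNI: destination name not visible, fall back to IP reputation")
    elif info["sni"] in sni_blocklist:
        findings.append("sni %s is blocklisted" % info["sni"])
    _, digest = ja3(info)
    if digest in bad_ja3:
        findings.append("client fingerprint %s matches a known-bad JA3" % digest)
    return findings
```

Run `parse_client_hello(build_client_hello("example.com", ["h2", "http/1.1"], [0x1a1a, 0x1301, 0x1302, 0xc02b], [0x2a2a, 0x001d, 0x0017]))` and you get the host name, the ALPN list and a JA3 string of `771,4865-4866-49195,0-10-11-16-43,29-23,0`; everything after the handshake is application data the parser never sees, which is exactly the limit the section above describes.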

Conclusion

Snort is still an amazing product to me. What it’s capable of and the kinds of rules that could be written for it seem like such a great idea. The trick is in being able to see all traffic that traverses a network, which gets harder as the workplace and the cloud change things in so many ways. And with the advent of zero-trust and other ideas, it seems to be even harder.

I’m happy there are others out there that actually have to figure out these policies, as it’s a crazy world deep in those packets.