RE: Setting up an IDS system
From: "Keith T. Morgan" <keith.morgan () terradon com>
Date: Fri, 31 Jan 2003 19:35:26 -0500
Comments in-line, denoted with **
1. Is it a safe practice to have access to this system from Inside
Network (for retrieving log files etc) from 1-2 Stations? Of course IDS
won't have access to inside network and be blocked by Firewall.
** Yes. That's safe. Enforce it with firewall rules *on* the IDS. Iptables won't add enough overhead to a Linux
machine running snort to matter.
2. What kind of services should be running on IDS Station? Should all
Web/FTP etc services be stopped?
** I would recommend killing all network services except for sshd. Perform all file transfers and management tasks
3. How important it is to also have an IDS system monitoring the traffic
on your Inside Network? I believe it won't be a good idea to have the
SAME DMZ IDS system with another NIC monitoring Inside Network Traffic?
** Remember to try and follow the DoD's defense in depth principle. Assuming a typical three network setup, public
(internet facing), DMZ, and Local or "trusted" network, I would certainly go for a minimum of three IDS deployments if
possible. If you only have one machine available, you can use three NICs on that machine and have a different snort
rule-set for each NIC. We've done this a few times. You set up a rule-set and a configuration file for each
interface, and then use snort's command line switches to read the appropriate rule-set for each interface when starting
via init. e.g.: snort -D -c /etc/snort_dmz.conf -i ethDMZ -I
Any other suggestions or any links that I can refer to?
** snort's documentation is pretty good. I'd also have a look at Lance Spitzner's "Armoring Linux" whitepaper. The
whitepaper is designed for hardening Linux for use as a firewall, and may be Red Hat specific. But, you should be able
to pull the principles and best-practices out of it.
Regards \\ Naman
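An added example, not from the post above and not Snort's own tooling: a POSIX sh script that generates the on-sensor iptables ruleset the reply describes (sshd reachable only from the listed management stations, all other inbound traffic dropped) and prints the per-NIC snort daemon command lines. Interface names, station addresses and config paths are constructed placeholders.

```sh
#!/bin/sh
# Build an iptables-restore ruleset for a Snort sensor: only the listed
# management stations may reach sshd on the management NIC; every other
# inbound packet is dropped. Sniffing is unaffected, because libpcap
# (AF_PACKET) taps frames off the monitoring NICs before netfilter's
# INPUT chain ever sees them.
# Usage: gen_ids_rules <mgmt_iface> <station_ip_or_cidr>...
gen_ids_rules() {
    mgmt_if=$1
    shift
    [ $# -ge 1 ] || { echo "gen_ids_rules: no management stations given" >&2; return 1; }
    for station in "$@"; do
        # Accept only dotted-quad addresses or CIDR blocks; refuse anything else
        case $station in
            '' | *[!0-9./]*) echo "gen_ids_rules: bad address: $station" >&2; return 1 ;;
        esac
    done
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Replies to connections the sensor itself opened (e.g. scp out to a log host)
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for station in "$@"; do
        printf '%s\n' "-A INPUT -i $mgmt_if -s $station -p tcp --dport 22 -m state --state NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Print one snort daemon command line per NIC, each with its own config
# (and therefore its own rule-set). Arguments are iface:config pairs.
# Usage: snort_start_cmds ethDMZ:/etc/snort_dmz.conf ethPUB:/etc/snort_pub.conf
snort_start_cmds() {
    for pair in "$@"; do
        iface=${pair%%:*}
        conf=${pair#*:}
        [ -n "$iface" ] && [ "$conf" != "$pair" ] \
            || { echo "snort_start_cmds: expected iface:config, got $pair" >&2; return 1; }
        printf 'snort -D -c %s -i %s -I\n' "$conf" "$iface"
    done
}

# Demo with constructed values; on a real sensor: gen_ids_rules ... | iptables-restore
gen_ids_rules eth0 10.0.1.5 10.0.1.6
snort_start_cmds ethDMZ:/etc/snort_dmz.conf ethPUB:/etc/snort_pub.conf
```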