Re: Setting up an IDS system
From: "David M. Fetter" <dfetter () setec-astronomy biz>
Date: Fri, 31 Jan 2003 23:38:56 -0800
Naman Latif wrote:
> I am in the process of setting up an IDS system using Linux\Snort in
> DMZ. A couple of questions regarding this
> 1. Is it a safe practice to have access to this system from Inside
> Network (for retrieving log files etc) from 1-2 Stations ? Of course IDS
> won't have access to inside network and be blocked by Firewall.
This depends on how secure you need your network. If you're looking for
some added security by setting up an IDS but don't necessarily work in
an environment that absolutely must be locked down, then it might be
easier to have it accessible remotely so you can view/transfer logs,
etc. If it's an ultra-secure environment, then I would not have any
remote connections allowed to it and only view logs by burning them to a
CD-ROM or looking at them locally.
> 2. What kind of services should be running on IDS Station ? Should all
> Web/FTP etc services be stopped ?
You should only run the IDS. Everything else should be turned off. One of
the basic security steps, of course, is minimization. On the IDS I built,
I only had Snort and ssh running, along with the normal local system
processes of course.
> 3. How important is it to also have an IDS system monitoring the traffic
> on your Inside Network ? I believe it won't be a good idea to have the
> SAME DMZ IDS system with another NIC monitoring Inside Network Traffic ?
This again depends on the need for security in your environment.
However, saying this, you should be able to set up your IDS interfaces
without an IP address and plug them into mirror ports on your routers.
This basically means that the interfaces will watch all traffic going
across the router they're plugged into, but they essentially don't exist by
IP address on the network. It hides it in a way. If your DMZ and
inside network are in the same network room, then I would monitor both
inside and outside. Many intrusions come from within so you need to
watch out for that as well. This is even more recommended if you have
any kind of wireless access points sitting in your internal network.
> Any other suggestions OR any Links that I can refer to ?
When I set up a Snort IDS in a moderately secure network, I set it up so
that it had 3 interfaces. One interface was simply the remote
connection which was behind a firewall and only accessible via ssh
through key pair authentication (remote root login being disabled). The
key pair authentication helps to improve security because only a machine
with my private key and passphrase could log in remotely. The other two
interfaces were plugged into the mirror ports (or span ports) on the
routers (one for the DMZ and the other for the internal network). Both of
these interfaces were brought up without an IP address and did nothing
more than watch the traffic. I believe this was/is a pretty decent
> Regards \\ Naman
David M. Fetter (MegaSurge) - http://www.setec-astronomy.biz/
"The world is full of power and energy and a person can go far by just
skimming off a tiny bit of it." Neal Stephenson - Snow Crash
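The following is an added example, not code from the original message or its author. It turns the sensor-hardening points in the reply into something checkable: an audit of an sshd_config for key-pair-only login with remote root login disabled, a listing of listening services so anything beyond sshd stands out (the minimization step), and the iproute2 commands that bring a monitoring interface up with no IP address for a span/mirror port. The sshd_config fragments are constructed for the demo, and the interface name `eth1` and the file paths are assumptions; the interface commands are printed rather than executed so the script runs unprivileged.

```shell
#!/bin/sh
# Added example (not from the original post). Checks the sensor-host
# settings described in the reply and prints the span-port interface setup.
# Interface names and file paths are assumptions for illustration.

# audit_sshd_config FILE
# Checks the first uncommented value of each directive (sshd honours the
# first match). Returns 0 when every required setting is present, 1
# otherwise; findings are printed to stdout.
audit_sshd_config() {
    cfg="$1"
    rc=0
    for want in "PermitRootLogin no" "PasswordAuthentication no" "PubkeyAuthentication yes"; do
        key="${want% *}"
        val="${want#* }"
        actual=$(awk -v k="$key" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$cfg")
        if [ "$actual" = "$val" ]; then
            echo "ok:   $key $val"
        else
            echo "FAIL: $key is '${actual:-unset}', expected '$val'"
            rc=1
        fi
    done
    return $rc
}

# list_listeners
# Minimization check: lists listening TCP/UDP sockets; on a sensor built
# as described, only sshd should appear. Informational only.
list_listeners() {
    ss -ltnup 2>/dev/null || netstat -ltnup 2>/dev/null
}

# sniffer_iface_cmds IFACE
# Prints the commands (run as root to apply) that leave a monitoring
# interface with no IP address, no ARP, and promiscuous mode on, so it
# only watches traffic from the mirror port and is not addressable.
sniffer_iface_cmds() {
    echo "ip addr flush dev $1"
    echo "ip link set dev $1 up promisc on"
    echo "ip link set dev $1 arp off"
}

# Demo on two constructed sshd_config fragments (not real host files).
demo() {
    tmp=$(mktemp)
    printf '%s\n' "# constructed weak config" "PermitRootLogin yes" "PasswordAuthentication yes" > "$tmp"
    echo "--- weak config ---"
    audit_sshd_config "$tmp" || echo "sensor sshd NOT hardened"
    printf '%s\n' "PermitRootLogin no" "PasswordAuthentication no" "PubkeyAuthentication yes" > "$tmp"
    echo "--- hardened config ---"
    audit_sshd_config "$tmp" && echo "sensor sshd hardened"
    rm -f "$tmp"
    echo "--- listening services on this host ---"
    list_listeners | head -n 15 || true
    echo "--- span-port interface commands (assumed interface eth1) ---"
    sniffer_iface_cmds eth1
}
demo
```

Run it as an ordinary user on the sensor; the audit function can be pointed at `/etc/ssh/sshd_config` directly, and the printed `ip` commands can be placed in the interface's boot-time configuration once they have been reviewed.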