Home page logo

basics logo Security Basics mailing list archives

Re: Setting up an IDS system
From: "David M. Fetter" <dfetter () setec-astronomy biz>
Date: Fri, 31 Jan 2003 23:38:56 -0800

Naman Latif wrote:
I am in the process of setting up and IDS system using Linux\Snort in
DMZ. A couple of questions regarding this

1. Is it a safe practice to have access to this system from Inside
Network (for retrieving log files etc) from 1-2 Stations ? Ofcourse IDS
won't have access to inside network and be blocked by Firewall.

This depends on how secure you need your network. If you're looking for some added security by setting up an IDS but don't necessarily work in an environment that absolutely must be locked down, then it might be easier to have it accessible remotely so you can view/transfer logs, etc. If it's an ultra secure environment, then I would not have any remote connections allowed to it and only view logs by burning them to a cdrom or looking at them locally.

2. What kind of services should be running on IDS Station ? Should all
Web\FTp etc services be stopped ?

You should only run the IDS. Everything should be turned off. Some of the basic security steps of course is minimization. On the IDS I built, I only had snort and ssh running, along with the normal local system processes of course.

3. How important it is to also have an IDS system monitoring the traffic
on your Inside Network ? I believe it won't be a good idea to have the
SAME DMZ IDS system with another NIC monitoring Inside Network Traffic ?

This again depends on the need for security in your environment. However, saying this, you should be able to setup your IDS interface without an IP address and plug them into mirror ports on your routers. This basically means that the interfaces will watch all traffic on going across the router it's plugged into, but it essentially doesn't exist by IP address on the network. It hides it in a way. If your DMZ and inside network are in the same network room, then I would monitor both inside and outside. Many intrusions come from within so you need to watch out for that as well. This is even more recommended if you have any kind of wireless access points sitting in your internal network.

Any other suggestions OR any Links that I can refer to ?

When I setup a snort IDS in a moderately secure network, I set it up so that it had 3 interfaces. One interface was simply the remote connection which was behind a firewall and only accessible via ssh through key pair authentication (remote root login being disabled). The key pair authentication helps to improve security because only a machine with my private key and passphrase could log in remotely. The other two interfaces were plugged into the mirror ports (or span ports) on the routers (one being for the DMZ and the other internal network). Both of these interfaces were brought up without an IP address and did nothing more than watch the traffic. I believe this was/is a pretty decent configuration.

Regards \\ Naman

David M. Fetter (MegaSurge) - http://www.setec-astronomy.biz/

"The world is full of power and energy and a person can go far by just skimming off a tiny bit of it." Neal Stephenson - Snow Crash

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]