Home page logo

basics logo Security Basics mailing list archives

Re: Setting up an IDS system
From: Frank Barton <pauling () starwolf biz>
Date: Fri, 31 Jan 2003 21:50:48 -0500

1) Depending on how you set it up, I would say yes, also limit the users that can log in remotely. also concider using 
a remote log tool, such as remote 
syslogd, to avoid that need

2) none and yes. Ideally, you don't want the IDS station to be seen at all from the outside, concider using a one-way 
ethernet cable (recieve no-send) on the 
listening interface. Of course for this, you would need a second interface to connect to your network for either remote 
log-in or remote syslogd or whatever 
logging facility you're using

3) It is a good idea, I don't remember the statistic right now, but a large percentage of all attacks come from inside 
your network. Once again, ideally, the 
internal IDS shouldn't be detectable, but I see no problems running it physically on the same box on a seperate 
interface, provided you're using the 
afore-mentioned one-way ethernet cable.

Other suggestions, Nothing comes to mind, but depending on the size and topology of your network, you may want to 
carfully concider where you want to put 
internal IDSs.

On Fri, Jan 31, 2003 at 09:34:19AM -0800, Naman Latif wrote:

I am in the process of setting up and IDS system using Linux\Snort in
DMZ. A couple of questions regarding this

1. Is it a safe practice to have access to this system from Inside
Network (for retrieving log files etc) from 1-2 Stations ? Ofcourse IDS
won't have access to inside network and be blocked by Firewall.

2. What kind of services should be running on IDS Station ? Should all
Web\FTp etc services be stopped ?

3. How important it is to also have an IDS system monitoring the traffic
on your Inside Network ? I believe it won't be a good idea to have the
SAME DMZ IDS system with another NIC monitoring Inside Network Traffic ?

Any other suggestions OR any Links that I can refer to ?

Regards \\ Naman

Frank Barton
Starwolf.biz Systems Administrator

Attachment: _bin

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]