Home page logo
/

basics logo Security Basics mailing list archives

Re: Setting up an IDS system
From: James Taylor <james_n_taylor () yahoo com>
Date: Sun, 2 Feb 2003 17:23:43 -0800 (PST)


--- Na
--- Naman Latif <naman.latif () inamed com> wrote:

Hi,
I am in the process of setting up and IDS system using
Linux\Snort in
DMZ. A couple of questions regarding this

1. Is it a safe practice to have access to this system
from Inside
Network (for retrieving log files etc) from 1-2 Stations
? Ofcourse IDS
won't have access to inside network and be blocked by
Firewall.

Hi Naman,

Probably the better approach is to get Snort to sent it's
alerts to a mySQL database internally, then use ACID to
view those alerts through a web browser. (Side note - i)
you may already have ssh open for communication between
your DMZ servers and the internal network or ii) you may
have allowed connections to your DMZ, but only if they are
instigated internally or iii) you may also have a private
VPN only allowing access from the internally facing cards
in your servers in the DMZ, through the firewall, to
internal, but separate application/management stations,
thereby internally segmenting your internal network). This
means you can put snort 'sensors' at many points on your
network, i.e. DMZ (externally to firewall), internally and,
perhaps, at a 'remote/backdoor/management/VPN' connection
to a.n.other 'extranet' semi-trusted network, and have the
sensors sending alerts to one 'IDS management station'.


2. What kind of services should be running on IDS Station
? Should all
Web\FTp etc services be stopped ?

I would suggest, although it is up for debate, that this
box only run the sensor and nothing else. You do not want
this 'sensor' to be compromised through other services. In
fact, it may be better to run in promiscious mode with no
IP address on the the sensing network card.


3. How important it is to also have an IDS system
monitoring the traffic
on your Inside Network ? I believe it won't be a good
idea to have the
SAME DMZ IDS system with another NIC monitoring Inside
Network Traffic ?

Depends on you paranioa, but why not as it's relatively
easy? But you are right, it's not a good idea to use one
IDS for internal and external. The reason for monitoring
both internally and externally, with separate sensors, is
to compare and check that nothing has got through, you
don't have a attacks from inside and your
firewall/application proxy rules are working.


Any other suggestions OR any Links that I can refer to ?

Read and implement

http://www.snort.org/docs/snort-rh7-mysql-ACID-1-5.pdf

or on Windows...

http://www.silicondefense.com/techsupport/windows-acid.htm

Good Luck

James

__________________________________________________
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault