Security Basics mailing list archives

Re: Setting up an IDS system


From: "David M. Fetter" <dfetter () setec-astronomy biz>
Date: Fri, 31 Jan 2003 23:38:56 -0800



Naman Latif wrote:
Hi,
I am in the process of setting up an IDS system using Linux\Snort in
DMZ. A couple of questions regarding this

1. Is it a safe practice to have access to this system from Inside
Network (for retrieving log files etc) from 1-2 Stations ? Of course IDS
won't have access to inside network and be blocked by Firewall.

This depends on how secure you need your network. If you're looking for some added security by setting up an IDS but don't necessarily work in an environment that absolutely must be locked down, then it might be easier to have it accessible remotely so you can view/transfer logs, etc. If it's an ultra secure environment, then I would not have any remote connections allowed to it and only view logs by burning them to a cdrom or looking at them locally.


2. What kind of services should be running on IDS Station ? Should all
Web\FTP etc services be stopped ?

You should only run the IDS. Everything else should be turned off. One of the basic security steps, of course, is minimization. On the IDS I built, I only had snort and ssh running, along with the normal local system processes of course.


3. How important it is to also have an IDS system monitoring the traffic
on your Inside Network ? I believe it won't be a good idea to have the
SAME DMZ IDS system with another NIC monitoring Inside Network Traffic ?

This again depends on the need for security in your environment. However, saying this, you should be able to set up your IDS interfaces without an IP address and plug them into mirror ports on your routers. This basically means that the interfaces will watch all traffic going across the router they're plugged into, but they essentially don't exist by IP address on the network. It hides it in a way. If your DMZ and inside network are in the same network room, then I would monitor both inside and outside. Many intrusions come from within so you need to watch out for that as well. This is even more recommended if you have any kind of wireless access points sitting in your internal network.


Any other suggestions OR any Links that I can refer to ?

When I set up a snort IDS in a moderately secure network, I set it up so that it had 3 interfaces. One interface was simply the remote connection which was behind a firewall and only accessible via ssh through key pair authentication (remote root login being disabled). The key pair authentication helps to improve security because only a machine with my private key and passphrase could log in remotely. The other two interfaces were plugged into the mirror ports (or span ports) on the routers (one being for the DMZ and the other for the internal network). Both of these interfaces were brought up without an IP address and did nothing more than watch the traffic. I believe this was/is a pretty decent configuration.


Regards \\ Naman






--
David M. Fetter (MegaSurge) - http://www.setec-astronomy.biz/

"The world is full of power and energy and a person can go far by just skimming off a tiny bit of it." Neal Stephenson - Snow Crash
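As an added example, not part of this thread or of Snort: a small Python audit script that checks a sensor built the way David describes, with IP-less promiscuous sniffing interfaces on the span ports and an ssh management interface that refuses root and password logins. It reads the JSON form of `ip -j addr show` (a modern iproute2 feature that did not exist in 2003) and an sshd_config; the sample inputs below are constructed.

```python
"""Audit a Snort sensor against the post's layout: sniffing NICs up, promiscuous
and IP-less; management sshd limited to key-based, non-root logins."""
import json
# Required management sshd values. A missing keyword is a finding, because
# OpenSSH defaults have changed across versions.
REQUIRED_SSHD = {"permitrootlogin": "no", "passwordauthentication": "no",
                 "pubkeyauthentication": "yes"}

def parse_sshd_config(text):
    """Map lowercased keyword to its first value; sshd honours the first one."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings

def sshd_findings(text):
    """Keywords whose effective value differs from REQUIRED_SSHD."""
    got = parse_sshd_config(text)
    return [k for k, v in REQUIRED_SSHD.items() if got.get(k, "").lower() != v]

def stealth_iface_findings(ip_json, sniff_ifaces):
    """Check `ip -j addr show` JSON: each sniffing NIC must be UP, PROMISC and
    carry no address at all (an IPv6 link-local entry counts as one)."""
    by_name = {i["ifname"]: i for i in json.loads(ip_json)}
    findings = []
    for name in sniff_ifaces:
        iface = by_name.get(name)
        if iface is None:
            findings.append(f"{name}: interface not present")
            continue
        flags = set(iface.get("flags", []))
        if "UP" not in flags:
            findings.append(f"{name}: not up")
        if "PROMISC" not in flags:
            findings.append(f"{name}: not promiscuous")
        if iface.get("addr_info"):
            findings.append(f"{name}: has an IP address, should be IP-less")
    return findings

# Constructed sample `ip -j addr show` output: eth1 stealthed, eth2 not.
SAMPLE_IP_JSON = json.dumps([
    {"ifname": "eth1", "flags": ["BROADCAST", "PROMISC", "UP", "LOWER_UP"], "addr_info": []},
    {"ifname": "eth2", "flags": ["BROADCAST", "UP", "LOWER_UP"],
     "addr_info": [{"family": "inet", "local": "10.0.0.5", "prefixlen": 24}]},
])
# Constructed sample sshd_config with one weakness: root login still allowed.
SAMPLE_SSHD = "PermitRootLogin yes\nPasswordAuthentication no\nPubkeyAuthentication yes\n"
```

On a real sensor, feed `stealth_iface_findings` the output of `ip -j addr show` and `sshd_findings` the contents of /etc/ssh/sshd_config; an empty list from both means the box matches the layout described in the post.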