Security Basics mailing list archives

RE: Setting up an IDS system


From: "Trevor Cushen" <Trevor.Cushen () sysnet ie>
Date: Mon, 3 Feb 2003 12:23:36 -0000

To answer your questions, my humble opinion is 

1)      Yes, it should be safe if it is one-way traffic, as in you can
access the machine with FTP for instance but it has no access back to the
internal network.  I used a web interface to my logs and then only needed
a browser to the IDS system.  The web server was running on the IDS box
and filtering my logs for sensible viewing, i.e. colour coded etc.  Some
recommend taking the logs off the IDS machine in case a hacker breaches
the machine and removes the logs.  A backup tape system will do this and
it is how I handle it.

2)      The IDS box is watching the DMZ network only, so it shouldn't be
visible or in any way accessible from the internet.  If it is, then the
box should be hardened to the highest possible level (as all your DMZ
boxes should).  This goes back to your router in many cases, where
routing should be specific: HTTP traffic to IP address xxx.xxx.xxx.xxx
ONLY, and not just allowing port 80 through at the router (touches on an
earlier post about filters on routers).  I only run the web server
service after the IDS stuff, as in answer 1.

3)      I have often used a separate box to monitor internal networks,
but this is to be aware of traffic patterns and network activity.
Tripwire on hosts mostly, above the use of Snort, as the amount of
internal traffic is high and not much use without specific filters, but
these are restricted in a switched network.  My DMZ is a hub and not a
switch for this reason.

Other suggestions would include the use of Tripwire to some extent; MRTG
is excellent in this environment, and NTOP.  Also, putting central logging
in place and then getting the whole lot together in a web page for viewing
from your desktop makes life very easy and manageable.

Sites to view:
www.mrtg.org
www.ntop.org
www.tripwire.org
http://www.sfhn.net/whites/snortacid.html

Can't find it at the moment, but there is a syslog server version that
logs to a database.  Very easy to set up.  Use this to log your routers
and servers to a database, then add a bit of Perl code to put a web front
end on the database to watch attempts to hack your routers etc.
Previous posts talked about Cisco logging etc.

You should be able quite easily to get the whole lot visible through a
fairly organised web page that allows you to watch everything that goes
on in your DMZ from the comfort of your desktop.  Use good filters to
break down your logs; also producing detailed reports for the marketing
people on access to your web site and on bandwidth usage on your routers
helps for budget meetings.

Long email but I hope it helps.  If you have any problems with the above
drop me a line and I will see if I can help.

One final thing I would like to add.  Know how to read your logs.  It is
no good if you suspect an incident and find yourself trawling through a
mountain of text files looking for what happened.  Logging to a database
rather than a text file makes this easier, where you can search by date
or IP address and build a pattern of the incident.  I recommended two
books in a previous post called 'Hacker Challenge'.  These show exactly
how efficient good logs can be.


Good luck with all that :)

Trevor Cushen
Sysnet Ltd

www.sysnet.ie
Tel: +353 1 2983000
Fax: +353 1 2960499
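The "log to a database, then search by date or IP" approach from the reply above, worked through as an added example (this is not code from the original post or from any of the tools it mentions). It loads syslog lines from a DMZ router and a Snort sensor into SQLite and answers the questions an incident responder asks first: what did this address do, what happened in this time window, and which devices saw it. All log lines are constructed sample data modelled on Cisco ACL deny messages and Snort alerts written to syslog; the year is assumed to be 2003 because BSD syslog timestamps carry none, and the table layout and function names are this example's own choices.

```python
"""Syslog-to-database incident search (added example, constructed data)."""
import re
import sqlite3
from datetime import datetime

ASSUMED_YEAR = 2003  # assumption: syslog timestamps have no year field

# Constructed sample lines, modelled on Cisco ACL deny messages and Snort
# alerts written to syslog.  They are not real captures.
SAMPLE_LOG = """\
Feb  3 09:15:02 dmz-router 12: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(4123) -> 192.0.2.10(23), 1 packet
Feb  3 09:15:07 dmz-router 13: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(4124) -> 192.0.2.10(22), 1 packet
Feb  3 09:16:40 ids snort[812]: [1:1000001:1] SCAN probe [Priority: 2] {TCP} 203.0.113.5:4200 -> 192.0.2.10:80
Feb  3 11:42:19 dmz-router 14: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.77(53) -> 192.0.2.11(161), 1 packet
Feb  3 23:58:01 ids snort[812]: [1:1000002:1] WEB-MISC probe [Priority: 3] {TCP} 198.51.100.77:33012 -> 192.0.2.10:80
Feb  4 00:01:33 dmz-router 15: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(4300) -> 192.0.2.11(23), 1 packet
"""

# Syslog header: "Mon DD HH:MM:SS host rest-of-message"
HEADER_RE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) (.*)$")
# Flow in either Cisco "a.b.c.d(port) -> e.f.g.h(port)" or Snort "a.b.c.d:port -> e.f.g.h:port" form
FLOW_RE = re.compile(
    r"(\d+\.\d+\.\d+\.\d+)[(:](\d+)\)? -> (\d+\.\d+\.\d+\.\d+)[(:](\d+)\)?")


def parse_line(line):
    """Return (ts, host, src, sport, dst, dport, msg) or None for a non-syslog line."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    mon, day, clock, host, msg = m.groups()
    ts = datetime.strptime(f"{ASSUMED_YEAR} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
    flow = FLOW_RE.search(msg)
    src, sport, dst, dport = flow.groups() if flow else (None, None, None, None)
    return (ts.isoformat(sep=" "), host, src, int(sport) if sport else None,
            dst, int(dport) if dport else None, msg)


def load(lines, conn=None):
    """Parse lines into an indexed events table; defaults to an in-memory database."""
    conn = conn or sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE IF NOT EXISTS events (
        ts TEXT, host TEXT, src TEXT, sport INTEGER, dst TEXT, dport INTEGER, msg TEXT)""")
    conn.execute("CREATE INDEX IF NOT EXISTS idx_src ON events(src)")
    conn.execute("CREATE INDEX IF NOT EXISTS idx_ts ON events(ts)")
    rows = [r for r in (parse_line(l) for l in lines) if r]
    conn.executemany("INSERT INTO events VALUES (?,?,?,?,?,?,?)", rows)
    conn.commit()
    return conn


def events_by_ip(conn, ip):
    """Everything where ip was source or destination, oldest first."""
    return conn.execute(
        "SELECT ts, host, src, sport, dst, dport FROM events "
        "WHERE src = ? OR dst = ? ORDER BY ts", (ip, ip)).fetchall()


def events_between(conn, start, end):
    """Events with start <= ts < end (ISO 'YYYY-MM-DD HH:MM:SS'), for a timeline."""
    return conn.execute(
        "SELECT ts, host, src, dst, dport FROM events WHERE ts >= ? AND ts < ? ORDER BY ts",
        (start, end)).fetchall()


def top_sources(conn, limit=5):
    """Most active source addresses across router and sensor logs combined."""
    return conn.execute(
        "SELECT src, COUNT(*) AS n FROM events WHERE src IS NOT NULL "
        "GROUP BY src ORDER BY n DESC, src LIMIT ?", (limit,)).fetchall()


def hosts_for_source(conn, ip):
    """Which logging devices saw this address: corroboration across router and IDS."""
    return [r[0] for r in conn.execute(
        "SELECT DISTINCT host FROM events WHERE src = ? ORDER BY host", (ip,))]


if __name__ == "__main__":
    db = load(SAMPLE_LOG.splitlines())
    for row in events_by_ip(db, "203.0.113.5"):
        print(row)
    print(top_sources(db))
    print(hosts_for_source(db, "203.0.113.5"))
```

The point the example makes is the one the reply makes: once router denies and Snort alerts share one table with the flow fields extracted, a single query ties the ACL denies on the router to the sensor's alert from the same source, which is what "build a pattern of the incident" looks like in practice. The same queries work unchanged against an on-disk database fed by a syslog daemon, provided the parser is extended for each device's message format.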



-----Original Message-----
From: Naman Latif [mailto:naman.latif () inamed com] 
Sent: 31 January 2003 17:34
To: security-basics () securityfocus com
Subject: Setting up an IDS system



Hi,
I am in the process of setting up an IDS system using Linux\Snort in the
DMZ. A couple of questions regarding this:

1. Is it a safe practice to have access to this system from the Inside
Network (for retrieving log files etc.) from 1-2 stations? Of course the
IDS won't have access to the inside network and will be blocked by the
firewall.

2. What kind of services should be running on the IDS station? Should all
Web\FTP etc. services be stopped?

3. How important is it to also have an IDS system monitoring the traffic
on your Inside Network? I believe it won't be a good idea to have the
SAME DMZ IDS system with another NIC monitoring Inside Network traffic?

Any other suggestions OR any Links that I can refer to ?

Regards \\ Naman


