Security Basics mailing list archives
Re: Setting up an IDS system
From: James Taylor <james_n_taylor () yahoo com>
Date: Sun, 2 Feb 2003 17:23:43 -0800 (PST)
--- Naman Latif <naman.latif () inamed com> wrote:
Hi, I am in the process of setting up an IDS system using Linux\Snort in the DMZ. A couple of questions regarding this: 1. Is it a safe practice to have access to this system from the Inside Network (for retrieving log files etc.) from 1-2 stations? Of course the IDS won't have access to the inside network and will be blocked by the Firewall.
Hi Naman, Probably the better approach is to get Snort to send its alerts to a MySQL database internally, then use ACID to view those alerts through a web browser. (Side note - i) you may already have ssh open for communication between your DMZ servers and the internal network, or ii) you may have allowed connections to your DMZ, but only if they are instigated internally, or iii) you may also have a private VPN only allowing access from the internally facing cards in your servers in the DMZ, through the firewall, to internal, but separate, application/management stations, thereby internally segmenting your internal network.) This means you can put snort 'sensors' at many points on your network, i.e. DMZ (externally to the firewall), internally and, perhaps, at a 'remote/backdoor/management/VPN' connection to a.n.other 'extranet' semi-trusted network, and have the sensors sending alerts to one 'IDS management station'.
2. What kind of services should be running on the IDS station? Should all Web\FTP etc. services be stopped?
I would suggest, although it is up for debate, that this box only run the sensor and nothing else. You do not want this 'sensor' to be compromised through other services. In fact, it may be better to run in promiscuous mode with no IP address on the sensing network card.
3. How important is it to also have an IDS system monitoring the traffic on your Inside Network? I believe it won't be a good idea to have the SAME DMZ IDS system with another NIC monitoring Inside Network traffic?
Depends on your paranoia, but why not, as it's relatively easy? But you are right, it's not a good idea to use one IDS for internal and external. The reason for monitoring both internally and externally, with separate sensors, is to compare and check that nothing has got through, that you don't have attacks from inside, and that your firewall/application proxy rules are working.
Any other suggestions OR any Links that I can refer to ?
Read and implement http://www.snort.org/docs/snort-rh7-mysql-ACID-1-5.pdf or on Windows... http://www.silicondefense.com/techsupport/windows-acid.htm
Good Luck
James
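The comparison James describes in answer 3 (separate DMZ and internal sensors, then checking what got through, what the firewall stopped, and what only the inside sensor saw) can be scripted over the two sensors' logs. This is an added example, not code from the thread or from Snort; it assumes Snort's one-line "alert_fast" output format and uses constructed sample alert lines (the signature ids are illustrative).

```python
import re

# Snort alert_fast line layout (one alert per line), e.g.
# 02/03-10:15:01.000001  [**] [1:1256:7] MSG [**] [Classification: ...] [Priority: 1] {TCP} 203.0.113.9:3321 -> 192.0.2.10:80
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(?P<sid>\d+:\d+:\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)

# Constructed sample logs: DMZ sensor sits outside the firewall, the internal sensor behind it.
DMZ_LOG = """\
02/03-10:15:01.000001  [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.9:3321 -> 192.0.2.10:80
02/03-10:15:04.000002  [**] [1:1421:3] SNMP AgentX/tcp request [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:3322 -> 192.0.2.10:705
"""
INTERNAL_LOG = """\
02/03-10:15:01.000300  [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.9:3321 -> 192.0.2.10:80
02/03-10:20:00.000001  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.0.2.55 -> 192.0.2.10
"""

def parse_alerts(text):
    """Return a dict per well-formed alert_fast line; malformed lines are skipped."""
    return [m.groupdict() for m in (ALERT_RE.match(l.strip()) for l in text.splitlines()) if m]

def compare_sensors(dmz_log, internal_log, internal_net="192.0.2."):
    """Correlate the two sensors on (signature id, destination host).
    got_through : seen by both sensors, so the firewall/proxy let it in
    blocked     : seen only in the DMZ, so the firewall stopped it
    inside_only : seen only internally with an internal source, i.e. an attack from inside
    """
    dmz = {(a["sid"], a["dst"]): a for a in parse_alerts(dmz_log)}
    inside = {(a["sid"], a["dst"]): a for a in parse_alerts(internal_log)}
    return {
        "got_through": sorted(k for k in dmz if k in inside),
        "blocked": sorted(k for k in dmz if k not in inside),
        "inside_only": sorted(k for k, a in inside.items()
                              if k not in dmz and a["src"].startswith(internal_net)),
    }

def run_example():
    return compare_sensors(DMZ_LOG, INTERNAL_LOG)

if __name__ == "__main__":
    for category, keys in run_example().items():
        print(category, keys)
```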