Firewall Wizards mailing list archives

Re: (no subject)


From: "M.Schubert" <schubert () fsck org>
Date: Sat, 6 Jan 2001 04:11:40 -0800


My question is, if it is possible to setup a firewall and IDS on one
machine, side by side?


Sure can. Although I see what you want is for the IDS to be able to see
events before traffic has been "censored" by the firewall. What I would
suggest with that is another network card for the IDS that the firewall
is not configured to protect. You could put both interfaces on a hub
and then use the uplink port of the hub (or just an x-over to another
hub or switch, depending on the situation) to connect to the rest of
your network. Careful however, you definitely want to configure that
second network card with a NON-routable IP, and you may even consider
snipping the transmit pair on the Cat5 to keep the IDS NIC really
silent (this only works at 10 Mbps however). Other considerations would
be configuring ipchains (well, in the case of Linux 2.2.x) to block any
outbound packets on that NIC. Do be aware however that blind attacks
could probably still occur via this interface, so whichever IDS you
utilize (Snort perhaps?) you should run it in a chrooted environment
and configure application servers on that same host (Apache, MySQL etc.)
not to listen on that interface. I'm sure I missed something but I hope
that gives you some ideas to play with.

-- 
-- M. Schubert          - mschuber () uci edu
-- Security Specialist - michaels () lightspeedsystems com
-- Sys Admin            - schubert () fsck org

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
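The following POSIX shell script is an added example, not code from Schubert's post or from any project named in it. It carries the suggestions in the message above into a concrete configuration for a Linux 2.2 / ipchains firewall host: bring the IDS NIC up promiscuous with a non-routable address, deny everything the kernel would send or accept on it, start Snort chrooted and unprivileged, and check that no application server on the same host listens on that interface. The interface name eth1, the address 192.168.250.1, the chroot path /var/chroot/snort and the `netstat -an` sample are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post.  Sets up a second "stealth" NIC
# for an IDS on a Linux 2.2 (ipchains) firewall host, following the advice in
# the message above.  Assumptions (ours, not the author's): the sniffing NIC is
# eth1, it gets the RFC 1918 address 192.168.250.1, snort runs chrooted under
# /var/chroot/snort, and netstat prints Linux-style columns.

IDS_IF="${IDS_IF:-eth1}"
IDS_ADDR="${IDS_ADDR:-192.168.250.1}"      # non-routable, never used on the real LAN
SNORT_ROOT="${SNORT_ROOT:-/var/chroot/snort}"
DRY_RUN="${DRY_RUN:-1}"                    # 1 = print the commands instead of running them

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Bring the IDS NIC up in promiscuous mode with a non-routable address.
# No route other than the connected /24 is added, so the host never picks
# this interface for traffic it originates itself.
ids_iface_up() {
    run ifconfig "$IDS_IF" "$IDS_ADDR" netmask 255.255.255.0 promisc up
}

# ipchains (Linux 2.2): nothing the kernel originates may leave the IDS NIC,
# and nothing arriving on it is handed to the IP stack (-l logs the attempts).
# snort still sees every frame: libpcap taps the interface below the IP input
# chain, so the input DENY does not blind the sensor.
ids_iface_rules() {
    run ipchains -A output -i "$IDS_IF" -j DENY
    run ipchains -A input  -i "$IDS_IF" -j DENY -l
}

# Run snort chrooted (-t) and as an unprivileged user/group (-u/-g) so a
# sensor compromise through a blind attack stays contained.
ids_start() {
    run snort -i "$IDS_IF" -t "$SNORT_ROOT" -u snort -g snort -D \
              -c /etc/snort/snort.conf
}

# Application servers on the same host must not listen on the IDS NIC.
# Reads `netstat -an` output on stdin and prints every TCP listener or UDP
# socket bound to the IDS address or to the wildcard 0.0.0.0 (which covers
# all interfaces, including the IDS one).  Empty output means nothing is exposed.
ids_exposed_listeners() {
    awk -v addr="$IDS_ADDR" '
        ($1 == "tcp" && $6 == "LISTEN") || $1 == "udp" {
            split($4, a, ":"); ip = a[1]
            if (ip == addr || ip == "0.0.0.0") print $1, $4
        }'
}

# Constructed sample of `netstat -an` output for the dry run.  apache on
# 0.0.0.0:80 and mysql on the IDS address itself are both reachable through
# the IDS NIC; sshd and named bound to the inside address 10.0.0.1 are not.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.1:22             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.168.250.1:3306      0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.1:22             10.0.0.5:41232          ESTABLISHED
udp        0      0 10.0.0.1:53             0.0.0.0:*'

case "${1:-}" in
    apply)  DRY_RUN=0; ids_iface_up; ids_iface_rules; ids_start ;;
    check)  ids_exposed_listeners ;;            # usage: netstat -an | ./ids-nic.sh check
    *)      ids_iface_up; ids_iface_rules; ids_start   # dry run: print what apply would do
            echo '# listeners exposed via the IDS NIC (constructed sample):'
            printf '%s\n' "$SAMPLE_NETSTAT" | ids_exposed_listeners ;;
esac
```

Run it with no arguments for a dry run that prints the commands, `apply` as root to execute them, and `netstat -an | ./ids-nic.sh check` to audit listeners; in the sample, Apache on the wildcard address and MySQL bound to the IDS address both show up and should be rebound to the inside interface. Two caveats: ipchains does not filter ARP, so the host will still answer ARP requests for 192.168.250.1 and the NIC is not truly silent, which is the reason the post mentions cutting the transmit pair; and on a 2.4 or later kernel the two rules become `iptables -A OUTPUT -o eth1 -j DROP` and `iptables -A INPUT -i eth1 -j DROP`.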
