Security Basics mailing list archives

RE: Setting up an IDS system


From: "Keith T. Morgan" <keith.morgan () terradon com>
Date: Fri, 31 Jan 2003 19:35:26 -0500



Comments in-line, denoted with **
<snip>
1. Is it a safe practice to have access to this system from Inside
Network (for retrieving log files etc) from 1-2 Stations ? Of course IDS
won't have access to inside network and be blocked by Firewall.

** Yes.  That's safe.  Enforce it with firewall rules *on* the IDS.  Iptables won't add enough overhead to a Linux 
machine running snort to matter.

2. What kind of services should be running on IDS Station ? Should all
Web\FTp etc services be stopped ?

** I would recommend killing all network services except for sshd.  Perform all file transfers and management tasks 
over ssh. 

3. How important it is to also have an IDS system monitoring the traffic
on your Inside Network ? I believe it won't be a good idea to have the
SAME DMZ IDS system with another NIC monitoring Inside Network Traffic ?

** remember to try and follow the DoD's defense in depth principle.  Assuming a typical three network setup, public 
(internet facing), DMZ, and Local or "trusted" network, I would certainly go for a minimum of three IDS deployments if 
possible.  If you only have one machine available, you can use three NICs on that machine and have a different snort 
rule-set for each NIC.  We've done this a few times.  You set up a rule-set and a configuration file for each 
interface, and then use snort's command line switches to read the appropriate rule-set for each interface when starting 
via init. eg: snort -D -c /etc/snort_dmz.conf -i ethDMZ -I.


Any other suggestions OR any Links that I can refer to ?

** snort's documentation is pretty good.  I'd also have a look at Lance Spitzner's "armoring linux" whitepaper.  The 
whitepaper is designed for hardening linux for use as a firewall, and may be Red Hat specific.  But, you should be able 
to pull the principles and best-practices out of it.
http://www.spitzner.net/linux.html


Regards \\ Naman
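An added example of the two points above (one snort instance per interface with its own rule-set, and firewall rules on the sensor itself that only let the management stations reach sshd); this is not a script from the original post. Interface names, config paths, log paths and the management station addresses are assumptions.

```shell
#!/bin/sh
# Added example: start one snort daemon per monitored segment, each with its
# own rule-set, and lock the sensor down so only two management stations can
# reach sshd. Interface names, paths and addresses below are assumptions.

SNORT=/usr/sbin/snort
CONF_DIR=/etc/snort
LOG_DIR=/var/log/snort
MGMT_IF=eth0                               # the only interface with an IP address
MGMT_STATIONS="192.168.10.5 192.168.10.6"  # constructed example addresses

# segment:interface pairs; sniffing interfaces carry no IP address at all
SEGMENTS="public:eth1 dmz:eth2 inside:eth3"

# Command line for one segment: -D daemonise, -c per-segment config,
# -i interface, -I tag alerts with the interface name, -l per-segment log dir.
snort_cmd() {
    printf '%s -D -c %s/snort_%s.conf -i %s -I -l %s/%s\n' \
        "$SNORT" "$CONF_DIR" "$1" "$2" "$LOG_DIR" "$1"
}

# Refuse to start a sensor whose config is missing instead of running without rules.
check_conf() {
    [ -r "$CONF_DIR/snort_$1.conf" ]
}

# Default-deny inbound; allow loopback, replies to our own sessions, and new
# ssh connections from the listed stations only. Sniffing NICs accept nothing.
firewall_rules() {
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -i $MGMT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for st in $MGMT_STATIONS; do
        echo "iptables -A INPUT -i $MGMT_IF -p tcp -s $st --dport 22 -m state --state NEW -j ACCEPT"
    done
}

start_sensors() {
    for pair in $SEGMENTS; do
        seg=${pair%%:*}; ifc=${pair#*:}
        if check_conf "$seg"; then
            mkdir -p "$LOG_DIR/$seg"
            eval "$(snort_cmd "$seg" "$ifc")"
        else
            echo "missing $CONF_DIR/snort_$seg.conf, not starting sensor on $ifc" >&2
        fi
    done
}

case "$1" in
    start) firewall_rules | sh && start_sensors ;;
    show)  firewall_rules; for p in $SEGMENTS; do snort_cmd "${p%%:*}" "${p#*:}"; done ;;
esac
```

Running the script with `show` prints the firewall rules and the three snort command lines without executing anything, which is a useful check before wiring it into init.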


