Security Basics mailing list archives

Re: Setting up an IDS system


From: "Ivan Coric" <ivan.coric () workcoverqld com au>
Date: Sat, 01 Feb 2003 10:16:32 +1000

Hi Naman,

reply in line

"Naman Latif" wrote:

1. Is it a safe practice to have access to this system from Inside
Network (for retrieving log files etc) from 1-2 Stations ? Of course
IDS won't have access to inside network and be blocked by Firewall.

Have the ids box dual homed, 1 NIC for the DMZ with no ip address, if
you like a read only cable too. 2nd NIC back into your LAN for logging
and admin. A default install of RedHat has ip forward off. Have SSH
listen only on the internal LAN NIC (#ListenAddress 0.0.0.0)

2. What kind of services should be running on IDS Station ? Should all
Web\FTP etc services be stopped ?

If you mean daemon services, then I personally would have only SSH for
admin.

3. How important it is to also have an IDS system monitoring the
traffic on your Inside Network ? I believe it won't be a good idea to
have the SAME DMZ IDS system with another NIC monitoring Inside Network
Traffic ?

depends on what your company does, how valuable is the info traversing
your internal LAN and how much do you trust your employees.

Any other suggestions OR any Links that I can refer to ?

get another box, put a couple of NICs into it and you'll have a great
IDS/sniffer that will teach you about your internal network, help with
troubleshooting and give you an idea of what goes on there. Can be a
very inexpensive box, P200, 128mb RAM, 20G HD would do just nicely.

cheers

Ivan Coric
IT Security Officer
Information Technology
WorkCover Queensland
Ph: (07) 30066414 Fax: (07) 30066424
Email: ivan.coric () workcoverqld com au



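The two hardening points in the reply (sshd bound to the internal LAN NIC rather than the default all-interfaces listen, and ip_forward left off so the box cannot bridge DMZ and LAN) as an added example; this is not code from the thread, and the config text and the internal address 10.0.0.5 are constructed for illustration:

```shell
#!/bin/sh
# Added example, not from the original thread. Audits an sshd_config the way
# the reply advises: sshd must bind only to the internal LAN NIC, never to
# every interface, which is what the default commented-out
# "#ListenAddress 0.0.0.0" amounts to. Config text and 10.0.0.5 are constructed.
# Assumes plain "ListenAddress <ip>" lines (no host:port form).

# check_sshd_listen CONFIG_TEXT INTERNAL_IP
# 0 when at least one active ListenAddress exists and all of them equal
# INTERNAL_IP; 1 when sshd would also answer on the DMZ/sniffing side.
check_sshd_listen() {
    addrs=$(printf '%s\n' "$1" | grep -i '^[[:space:]]*ListenAddress' | awk '{print $2}')
    [ -n "$addrs" ] || return 1            # none set: sshd binds all interfaces
    for a in $addrs; do
        [ "$a" = "$2" ] || return 1        # 0.0.0.0, :: or the DMZ-side address
    done
}

# bind_internal_only CONFIG_TEXT INTERNAL_IP
# Prints the config with every ListenAddress line (active or commented out)
# replaced by a single one bound to INTERNAL_IP.
bind_internal_only() {
    printf 'ListenAddress %s\n' "$2"
    printf '%s\n' "$1" | grep -vi '^[[:space:]]*#*[[:space:]]*ListenAddress' || :
}

# check_ip_forward VALUE  (pass the contents of /proc/sys/net/ipv4/ip_forward)
# 0 when forwarding is off, so traffic cannot be routed between the two NICs.
check_ip_forward() { [ "$1" = "0" ]; }

# Constructed configs: the default install versus the hardened rewrite.
WEAK_CFG='#ListenAddress 0.0.0.0
Port 22
PermitRootLogin no'
HARD_CFG=$(bind_internal_only "$WEAK_CFG" 10.0.0.5)

for name in WEAK_CFG HARD_CFG; do
    eval "cfg=\$$name"
    if check_sshd_listen "$cfg" 10.0.0.5; then
        echo "$name: sshd bound to the internal NIC only"
    else
        echo "$name: sshd reachable on all interfaces, set ListenAddress"
    fi
done
```

On the live box, feed the same functions `$(cat /etc/ssh/sshd_config)` and `$(cat /proc/sys/net/ipv4/ip_forward)` instead of the constructed values.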