Security Basics mailing list archives

Re: Setting up an IDS system


From: "theog" <theog () theog org>
Date: Sat, 1 Feb 2003 13:53:21 +0200

I would put a machine on the outside with a hub (same subnet as the
firewall's external interface), and iptables running, so that the machine
will accept all traffic but will respond to none except the machine you are on
(if you use NAT, it's probably your firewall). No service should be running
on the machine. The data is OK to lie outside your LAN, but analyzing it
should be done inside: have Snort with MySQL (or any other IDS system)
running on the outside machine and have the data fetched from the inside.

TheOg
Liran Cohen

----- Original Message -----
From: "Naman Latif" <naman.latif () inamed com>
To: <security-basics () securityfocus com>
Sent: Friday, January 31, 2003 7:34 PM
Subject: Setting up an IDS system



Hi,
I am in the process of setting up an IDS system using Linux\Snort in the
DMZ. A couple of questions regarding this:

1. Is it a safe practice to have access to this system from the Inside
Network (for retrieving log files etc.) from 1-2 stations? Of course the IDS
won't have access to the inside network and will be blocked by the Firewall.

2. What kind of services should be running on the IDS station? Should all
Web\FTP etc. services be stopped?

3. How important is it to also have an IDS system monitoring the traffic
on your Inside Network? I believe it won't be a good idea to have the
SAME DMZ IDS system with another NIC monitoring Inside Network traffic?

Any other suggestions or any links that I can refer to?

Regards \\ Naman
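The host firewall theog describes (sensor accepts everything on the wire, answers nobody except the one inside station, runs no services) can be expressed as an iptables-restore ruleset. The script below is an added example written for this archive page, not code from either poster: it generates the ruleset from a management-host address and interface, and a small check function confirms that all three chains default to DROP. The address 192.0.2.10, the interface name eth1 and the choice of SSH on port 22 as the only management channel are assumptions; the sniffing interface is assumed to be brought up without an IP address and therefore never appears in the rules.

```shell
#!/bin/sh
# Added example (not from the thread): host firewall for a passive Snort
# sensor sitting on the firewall's outside segment.
#
# Assumptions: the sniffing NIC has no IP (e.g. "ifconfig eth0 0.0.0.0 up
# promisc"), so nothing on the wire can address the sensor; management
# traffic arrives on a second NIC ($mgmt_if) from one inside station
# ($mgmt_ip); Snort writes to a MySQL server bound to localhost and the
# inside station pulls data over SSH.

# Print an iptables-restore ruleset for the sensor.
#   $1 = management host IP (assumed 192.0.2.10 in the test)
#   $2 = management interface (assumed eth1 in the test)
sensor_rules() {
    mgmt_ip="$1"
    mgmt_if="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback only: Snort talking to the local MySQL instance
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# the single inside station may open SSH to the sensor, nothing else may
-A INPUT -i $mgmt_if -s $mgmt_ip -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# the sensor may only answer that SSH session; it never originates traffic,
# so a compromised sensor cannot reach the inside network or phone home
-A OUTPUT -o $mgmt_if -d $mgmt_ip -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# everything else, including all packets on the sniffing NIC, is dropped
COMMIT
EOF
}

# Read a ruleset on stdin; succeed only if INPUT, FORWARD and OUTPUT all
# default to DROP (the property that makes "respond to none" hold).
default_policies_drop() {
    [ "$(grep -cE '^:(INPUT|FORWARD|OUTPUT) DROP' )" -eq 3 ]
}

# Count the ACCEPT rules in a ruleset on stdin; useful as a sanity check
# that nothing broader than loopback plus the management session got in.
accept_rule_count() {
    grep -c -- '-j ACCEPT'
}

# Stand-alone usage: write the ruleset to stdout so it can be reviewed and
# then loaded with "sensor_rules 192.0.2.10 eth1 | iptables-restore".
if [ "${1:-}" = "--print" ]; then
    sensor_rules "${2:-192.0.2.10}" "${3:-eth1}"
fi
```

The point of the OUTPUT policy is the part of theog's advice that is easy to skip: an IDS box that can initiate connections inward is a pivot if it is ever compromised, so the inside station fetches from the sensor and the sensor never connects to anything. Load the generated text with iptables-restore after checking it with the two helper functions.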



