Security Basics mailing list archives

Re: Setting up an IDS system


From: James Taylor <james_n_taylor () yahoo com>
Date: Sun, 2 Feb 2003 17:23:43 -0800 (PST)


--- Naman Latif <naman.latif () inamed com> wrote:

Hi,
I am in the process of setting up an IDS system using Linux\Snort in
the DMZ. A couple of questions regarding this:

1. Is it a safe practice to have access to this system from the Inside
Network (for retrieving log files etc.) from 1-2 stations? Of course
the IDS won't have access to the inside network and will be blocked by
the Firewall.

Hi Naman,

Probably the better approach is to get Snort to send its
alerts to a MySQL database internally, then use ACID to
view those alerts through a web browser. (Side note - i)
you may already have ssh open for communication between
your DMZ servers and the internal network, or ii) you may
have allowed connections to your DMZ, but only if they are
instigated internally, or iii) you may also have a private
VPN only allowing access from the internally facing cards
in your servers in the DMZ, through the firewall, to
internal, but separate, application/management stations,
thereby internally segmenting your internal network.) This
means you can put Snort 'sensors' at many points on your
network, i.e. DMZ (externally to firewall), internally and,
perhaps, at a 'remote/backdoor/management/VPN' connection
to a.n.other 'extranet' semi-trusted network, and have the
sensors sending alerts to one 'IDS management station'.


2. What kind of services should be running on the IDS station?
Should all Web\FTP etc. services be stopped?

I would suggest, although it is up for debate, that this
box only run the sensor and nothing else. You do not want
this 'sensor' to be compromised through other services. In
fact, it may be better to run in promiscuous mode with no
IP address on the sensing network card.


3. How important is it to also have an IDS system monitoring the
traffic on your Inside Network? I believe it won't be a good idea to
have the SAME DMZ IDS system with another NIC monitoring Inside
Network traffic?

Depends on your paranoia, but why not, as it's relatively
easy? But you are right, it's not a good idea to use one
IDS for internal and external. The reason for monitoring
both internally and externally, with separate sensors, is
to compare and check that nothing has got through, you
don't have attacks from inside, and your
firewall/application proxy rules are working.


Any other suggestions OR any Links that I can refer to ?

Read and implement

http://www.snort.org/docs/snort-rh7-mysql-ACID-1-5.pdf

or on Windows...

http://www.silicondefense.com/techsupport/windows-acid.htm

Good Luck

James
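The reply above recommends separate sensors outside and inside the firewall, all reporting to one management station, so that the two views can be compared: did anything cross the firewall, is anything originating inside, are the firewall rules doing their job. The script below is an added example of that comparison and is not code from the original post or from the Snort project. It assumes both sensors log in Snort's alert_fast one-line format, that the inside network is 10.0.0.0/8, that no NAT sits between the two sensors (so addresses compare directly), and that their clocks agree to within a 30-second window; the alert lines, signature IDs and addresses are constructed for the example.

```python
"""Compare Snort alert_fast output from a DMZ-side sensor and an inside sensor.

Added example (not from the original post). Assumptions: alert_fast format on
both sensors, inside network 10.0.0.0/8, no NAT between sensors, clocks within
WINDOW of each other. All alert lines below are constructed sample data.
"""
import ipaddress
import re
from datetime import datetime, timedelta

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed inside range
WINDOW = timedelta(seconds=30)  # assumed clock skew / latency between sensors

# Shape of a Snort alert_fast line: timestamp, [**] [gid:sid:rev] msg [**],
# optional classification and priority, {proto} src:port -> dst:port.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts from the sensor outside the firewall (DMZ side).
DMZ_ALERTS = """\
02/02-17:01:12.101010  [**] [1:1000001:1] EXAMPLE WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:51200 -> 198.51.100.10:80
02/02-17:01:40.202020  [**] [1:1000002:1] EXAMPLE NETBIOS SMB probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:51201 -> 10.0.0.5:445
02/02-17:02:44.303030  [**] [1:1000003:1] EXAMPLE NETBIOS share enumeration [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:40000 -> 10.0.0.5:139
"""

# Constructed sample alerts from the sensor on the inside network.
INSIDE_ALERTS = """\
02/02-17:01:40.250000  [**] [1:1000002:1] EXAMPLE NETBIOS SMB probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:51201 -> 10.0.0.5:445
02/02-17:09:03.404040  [**] [1:1000003:1] EXAMPLE NETBIOS share enumeration [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.23:3010 -> 10.0.0.5:139
02/02-17:11:15.505050  [**] [1:1000004:1] EXAMPLE SSH brute force [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.12:60000 -> 10.0.0.8:22
"""


def parse_alerts(text):
    """Parse alert_fast lines into dicts; an unparseable line raises rather than vanishing."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ALERT_RE.match(line)
        if m is None:
            raise ValueError(f"unparsed alert line: {line!r}")
        a = m.groupdict()
        a["when"] = datetime.strptime(a["ts"], "%m/%d-%H:%M:%S.%f")
        # Same signature, protocol and flow endpoints identify "the same attack".
        a["key"] = (a["gid"], a["sid"], a["proto"], a["src"], a["dst"], a["dport"])
        alerts.append(a)
    return alerts


def is_internal(ip, nets=INTERNAL_NETS):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def correlate(dmz_text, inside_text, nets=INTERNAL_NETS, window=WINDOW):
    """Bucket each alert by what the two sensors together say about it."""
    dmz, inside = parse_alerts(dmz_text), parse_alerts(inside_text)
    report = {"dmz_target": [], "blocked_by_firewall": [], "crossed_firewall": [],
              "missed_by_dmz_sensor": [], "internal_origin": []}

    def seen(alert, others):
        return any(o["key"] == alert["key"]
                   and abs(o["when"] - alert["when"]) <= window for o in others)

    for a in dmz:
        if not is_internal(a["dst"], nets):
            report["dmz_target"].append(a)           # aimed at a DMZ host itself
        elif seen(a, inside):
            report["crossed_firewall"].append(a)     # the firewall let it through
        else:
            report["blocked_by_firewall"].append(a)  # rule worked (or inside sensor missed it)
    for a in inside:
        if is_internal(a["src"], nets):
            report["internal_origin"].append(a)      # attack from inside the network
        elif not seen(a, dmz):
            report["missed_by_dmz_sensor"].append(a)  # blind spot on the outside sensor
    return report


def summary(report):
    """Compact view: bucket -> ["sid src->dst", ...]."""
    return {k: [f'{a["sid"]} {a["src"]}->{a["dst"]}' for a in v] for k, v in report.items()}


if __name__ == "__main__":
    for bucket, items in summary(correlate(DMZ_ALERTS, INSIDE_ALERTS)).items():
        print(f"{bucket}: {items}")
```

The "crossed_firewall" bucket is the one to act on first, and "missed_by_dmz_sensor" is worth a look too, since an external source appearing only on the inside sensor means the outside sensor (or its placement) has a gap. With both sensors writing to one MySQL database as the reply suggests, the same comparison can be done with a join on signature and flow endpoints instead of parsing text files.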


