Firewall Wizards mailing list archives
Re: (no subject)
From: "M.Schubert" <schubert () fsck org>
Date: Sat, 6 Jan 2001 04:11:40 -0800
My question is, if it is possible to setup a firewall and IDS on one machine, side by side?
Sure can. Although I see what you want is for the IDS to be able to see events before traffic has been "censored" by the firewall. What I would suggest with that is another network card for the IDS that the firewall is not configured to protect. You could put both interfaces on a hub and then use the uplink port of the hub (or just an x-over to another hub or switch depending on the situation) to connect to the rest of your network.

Careful however, you definitely want to configure that second network card with a NON-routable IP, and you may even consider snipping the transmit pair on the cat5 to keep the IDS NIC really silent (this only works at 10Mbps however). Other considerations would be configuring ipchains (well, in the case of Linux 2.2.x) to block any outbound packets on that NIC.

Do be aware however that blind attacks could probably still occur via this interface, so whichever IDS you utilize (snort perhaps?) you should run it in a chrooted environment and configure application servers on that same host (apache, mysql etc) not to listen on that interface.

I'm sure I missed something but I hope that gives you some ideas to play with.

--
-- M. Schubert - mschuber () uci edu
-- Security Specialist - michaels () lightspeedsystems com
-- Sys Admin - schubert () fsck org

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
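The two host-side pieces of the reply above, the non-routable address on the sniffing NIC and the ipchains rules that stop the kernel from ever transmitting through it, as an added example that is not part of the original post or its author's setup. It assumes a Linux 2.2.x box with ipchains and a sniffing interface named eth1 (a hypothetical name; the sample address is constructed). The rules are printed rather than applied so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not from the original post or its author: helpers for the
# "silent" IDS interface the reply describes. Assumes Linux 2.2.x with
# ipchains and that the sniffing NIC is called eth1 (hypothetical name);
# both values can be overridden through the environment.
IDS_IF="${IDS_IF:-eth1}"
IDS_IP="${IDS_IP:-192.168.250.2}"   # constructed sample, a non-routable address

# is_private_ip A.B.C.D
# Returns 0 when the address lies in an RFC 1918 block (10/8, 172.16/12,
# 192.168/16), 1 for anything else, including malformed input. Plain shell
# arithmetic only, so it runs without ifconfig or any network tools.
is_private_ip() {
    ip="$1"
    case "$ip" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs="$IFS"; IFS=.
    set -- $ip
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    if [ "$1" -eq 10 ]; then return 0; fi
    if [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then return 0; fi
    if [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; then return 0; fi
    return 1
}

# ipchains_silence_rules IFACE
# Prints the ipchains commands that deny (and log with -l) every packet the
# kernel would send out through IFACE, so the sensor cannot answer on the
# monitored segment even if a daemon mistakenly binds to it. In the forward
# chain -i names the outgoing interface, so the second rule stops the firewall
# side from routing anything out through the sniffing NIC.
ipchains_silence_rules() {
    iface="$1"
    printf 'ipchains -A output -i %s -j DENY -l\n' "$iface"
    printf 'ipchains -A forward -i %s -j DENY -l\n' "$iface"
}

# main [--show|--apply]
# Refuses to continue unless the IDS address is non-routable, then either
# shows the rules or pipes them to sh to install them.
main() {
    if ! is_private_ip "$IDS_IP"; then
        echo "refusing: $IDS_IP on $IDS_IF is not an RFC 1918 address" >&2
        return 1
    fi
    if [ "${1:-}" = "--apply" ]; then
        ipchains_silence_rules "$IDS_IF" | sh
    else
        ipchains_silence_rules "$IDS_IF"
    fi
}

case "${1:-}" in
    --show|--apply) main "$@" ;;
esac
```

Run it as `sh ids-silence.sh --show` to review the rules, then `--apply` as root once they look right. The output rule only stops what the host itself tries to send; a service that is still listening on that interface would still accept connections, which is why the reply also has apache and mysql bound away from it, and why the snipped transmit pair is the only thing that makes the NIC silent at the wire level.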
Current thread:
- (no subject) vonkie (Jan 05)
- Re: (no subject) M.Schubert (Jan 08)
- Re: (no subject) R. DuFresne (Jan 08)
- <Possible follow-ups>
- RE: (no subject) Kalat, Andrew (ISS Atlanta) (Jan 08)
- (no subject) Wigg, Guy G (Jan 16)