Firewall Wizards mailing list archives

firewall & IDS on the same box


From: Martin Peikert <news-innominate.list.nfr.firewiz () innominate de>
Date: 8 Jan 2001 12:02:50 GMT

vonkie () gmx net wrote:
  > Hi there,
  >
  > very informative list here and I can say I actually learned something (I
  > didn't know that much to start with ;-) ).
  >
  > My question is, if it is possible to set up a firewall and IDS on one
  > machine, side by side?
  >
  > The reason I'm asking is, that there are only 4 computers on my personal
  > network, so it would be sort of an overkill to place another one on it.
  >
  > I tried to put an IDS between my Internet connection and firewall to see
  > what is being thrown at me, but the only thing I'm able to do is let the
  > IDS see the traffic _after_ it passed the firewall.
  >
  > I understand that this has value as well, since it intercepts attacks
  > where the firewall didn't, but I'd like to set it up before the firewall.
  >
  > Is this possible (and wise?) on one machine (running Linux, kernel 2.2.x)?

Hi Ruud,

Of course it is possible to run an IDS on a firewall. As you are running
Linux, you can try snort (http://www.snort.org/) as a network-based IDS and
samhain (http://samhain.sourceforge.net/surround.html?main_q.html&2) as
an alternative to tripwire. Additionally, you want to try logcheck
(ftp://ftp.cert.dfn.de/pub/tools/audit/logcheck).

HTH
Martin
P.S.: Next time, if you ask a new question, don't do it as a reply to
      an answer to a question.
-- 
martin.peikert () innominate com
system engineer                                          innominate AG
clustering & security                             the linux architects 
tel: +49-30-308806-0  fax: -77               http://www.innominate.com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards

