Snort mailing list archives
RE: IDS Design Help
From: <hugh_fraser () dofasco ca>
Date: Mon, 9 Feb 2004 17:13:57 -0500
2. If you're planning to collect information in a single place for analysis (a good idea), you need to be careful not to introduce an alternate path around your firewall. Use dual-homed sensors, and configure the NIC monitoring the traffic without an IP address (and use a read-only cable if you want to be sure). If the sensors are located in reasonable proximity, I'd suggest a physically separate network (all you really need is a hub) as a private network to connect the second NIC on the sensors to a second NIC on an admin server. Lock down the admin server (disable all unnecessary services, set up iptables, etc.), install a package like ACID on it for analysis, and secure communications to the server using SSL for the ACID interface and client-cert authentication. It's a cheap open-source solution. I don't allow access to the admin console from the Internet. I do, however, have a modem on the admin server that does paging for events that require attention.

-----Original Message-----
From: Jake Rog [mailto:jake.rog () cccllc com]
Sent: Sunday, February 08, 2004 9:27 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] IDS Design Help

I will be implementing IDS using SNORT in our company network infrastructure and would appreciate some advice. After doing research, I would like to install two IDS sensors - 1st outside the EXT interface of the firewall listening to all of the incoming traffic, and 2nd outside the INT interface listening to see if any attacks got through the firewall. I would like to use TAPs for sensor connection. Our current inbound Internet connection is T1, to possibly later be upgraded to a maximum of 10MB. The following would be a logical diagram.

[Internet] ------- [Firewall] -------- [LAN]
                |                 |
              [IDS]             [IDS]

Please let me know if you have any advice on the following topics:

1. TAPs - After seeing what's available on the market, I found two different approaches to TAP devices. 1st with a single RJ45 connected directly to the IDS (http://www.intrusion.com/products/taps.asp), 2nd with dual RJ45s connected directly to the IDS for full duplex (http://www.criticaltap.com/singletap.php). How can SNORT be configured to work with dual RJ45s in the second example? (Taps from www.criticaltap.com)

2. EVENT MONITORING - I am trying to figure out how to better configure the IDS NIC that will be acting as an admin interface, where I will be connecting for event information. Should I configure this interface with security to be accessed from the Internet, or should I configure this interface to be accessed from the LAN via the firewall?

3. LOGS - I think that it would be best to configure a single server to store all the log files from both IDS sensors instead of keeping them locally?! Also, as above, if this is the case, what route should this traffic take to access the logs server, which would reside on the inside network? Also, if the logs are located on the single logs server and not on the IDS, I should not have to access the admin interface on the IDS, correct?

4. REPORTING - What is the best way to centralize and access all event reporting? What is the best product to accomplish this?

Please be kind to let me know if you have a better approach to any of this or if you have any other comments or suggestions. Thank you very much for taking your time to respond.

Regards,
Jake
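The layout Hugh describes (a monitoring NIC with no IP address, a second NIC on a private sensor network, iptables on the sensor) as an added shell example; it is not code from the thread, and it also covers Jake's question 1 by bonding the two output legs of a full-duplex tap into one interface for Snort. Interface names (eth1/eth2 tap legs, eth3 management, bond0), the 10.10.10.0/24 sensor network and the admin server address 10.10.10.1 are assumptions, and DRY_RUN=1 prints the commands instead of running them (root is needed otherwise).

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout: eth1/eth2 are the two output
# legs of a full-duplex tap (one per direction), merged into bond0 with no IP address;
# eth3 is the management NIC on a private sensor network (assumed 10.10.10.0/24);
# the admin server is assumed to be 10.10.10.1. DRY_RUN=1 prints instead of executing.
DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Merge both tap legs into one stealth interface so Snort sees both directions of
# each conversation. Round-robin bonding only aggregates received frames here; the
# bond carries no address and answers no ARP, so it cannot be addressed from the wire.
setup_tap_bond() {
    bond="$1"; shift
    run ip link add "$bond" type bond mode balance-rr
    for leg in "$@"; do
        run ip addr flush dev "$leg"
        run ip link set "$leg" down
        run ip link set "$leg" master "$bond"
        run ip link set "$leg" up promisc on
    done
    run ip link set "$bond" arp off
    run ip link set "$bond" up promisc on
}

# The management NIC is addressed only on the private sensor network.
setup_mgmt_nic() {
    run ip addr add "$2" dev "$1"
    run ip link set "$1" up
}

# Sensor-side filter: drop everything except SSH from the admin server on the mgmt NIC.
sensor_firewall() {
    mgmt_if="$1"; admin="$2"
    run iptables -P INPUT DROP
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$mgmt_if" -s "$admin" -p tcp --dport 22 -j ACCEPT
}

# Invoke with "apply" to configure the sensor; without it only the functions are defined.
if [ "${1:-}" = "apply" ]; then
    setup_tap_bond bond0 eth1 eth2
    setup_mgmt_nic eth3 10.10.10.2/24
    sensor_firewall eth3 10.10.10.1
    # Snort 2.x listens on the bonded stealth interface (-i) with the given config (-c).
    run snort -D -i bond0 -c /etc/snort/snort.conf -l /var/log/snort
fi
```

Run as `DRY_RUN=1 sh sensor-net.sh apply` to review the commands before applying them for real as root.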