Snort mailing list archives

RE: IDS Design Help


From: <hugh_fraser () dofasco ca>
Date: Mon, 9 Feb 2004 17:13:57 -0500

2. If you're planning to collect information in a single place for
analysis (a good idea), you need to be careful not to introduce an
alternate path around your firewall. Use dual-homed sensors, and
configure the NIC monitoring the traffic without an IP address (and use
a read-only cable if you want to be sure). If the sensors are located in
reasonable proximity, I'd suggest a physically separate network (all you
really need is a hub) as a private network to connect the second NIC on
the sensors to a second NIC on an admin server. Lock down the admin
server (disable all unnecessary services, set up iptables, etc.),
install a package like ACID on it for analysis, and secure
communications to the server using SSL for the ACID interface and
client-cert authentication. It's a cheap open-source solution.

I don't allow access to the admin console from the Internet. I do,
however, have a modem on the admin server that does paging for events
that require attention.

        -----Original Message-----
        From: Jake Rog [mailto:jake.rog () cccllc com]
        Sent: Sunday, February 08, 2004 9:27 PM
        To: snort-users () lists sourceforge net
        Subject: [Snort-users] IDS Design Help

        I will be implementing IDS using SNORT in our company network
        infrastructure and would appreciate some advice. After doing research,
        I would like to install two IDS sensors - 1st outside the EXT interface of
        the firewall listening to all of the incoming traffic and 2nd outside the
        INT interface listening to see if any attacks got through the firewall.
        I would like to use TAPs for sensor connection. Our current inbound
        Internet connection is T1, to possibly later be upgraded to a maximum of
        10MB.

        The following would be a logical diagram.

        [Internet] ------- [Firewall] -------- [LAN]
                                |                |
                              [IDS]            [IDS]

        Please let me know if you have any advice on the following
        topics:

        1. TAPs - After seeing what's available on the market, I
        found two different approaches to TAP devices. 1st with a single RJ45
        connected directly to the IDS (http://www.intrusion.com/products/taps.asp),
        2nd with dual RJ45s connected directly to the IDS for full duplex
        (http://www.criticaltap.com/singletap.php). How can SNORT be configured
        to work with dual RJ45s in the second example? (Taps from
        www.criticaltap.com <http://www.criticaltap.com/>)

        2. EVENT MONITORING - I am trying to figure out how to
        better configure the IDS NIC that will be acting as an admin interface,
        where I will be connecting for event information. Should I configure
        this interface with security to be accessed from the Internet, or should
        I configure this interface to be accessed from the LAN via the firewall?

        3. LOGS - I think that it would be best to configure a
        single server to store all the log files from both IDS sensors instead
        of keeping them locally?! Also, as above, if this is the case, what route
        should this traffic take to access the log server, which would reside
        on the inside network. Also, if the logs are located on the single log
        server and not on the IDS, I should not have to access the admin interface
        on the IDS, correct?

        4. REPORTING - What is the best way to centralize and
        access all event reporting? What is the best product to accomplish this?

        Please be kind enough to let me know if you have a better approach to
        any of this or if you have any other comments or suggestions.

        Thank you very much for taking the time to respond.

        Regards,

        Jake


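The reply above recommends dual-homed sensors whose monitoring NIC carries no IP address, with the second NIC on a private admin network. The following script is an added example (not from the thread or from the Snort project) that audits a sensor against that design by parsing `ip -o link show` and `ip -o -4 addr show` output; the interface names eth0/eth1, the 10.10.10.0/24 admin network, and the sample command output are all constructed assumptions.

```python
"""Audit a dual-homed Snort sensor's interfaces against the design in the reply:
the sniffing NIC is up, promiscuous and has no IP address (so it cannot become
a path around the firewall), and the management NIC sits only on the private
admin network. Interface names, the admin network and the sample `ip` output
below are constructed for this example, not values from the thread."""
import ipaddress
import re
import subprocess

MGMT_NET = ipaddress.ip_network("10.10.10.0/24")  # assumed private admin LAN

# Constructed sample of `ip -o link show` on a sensor whose monitoring NIC
# (eth1) has been brought up in promiscuous mode with no address.
SAMPLE_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
"""
# Constructed sample of `ip -o -4 addr show`: only lo and eth0 carry addresses.
SAMPLE_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 10.10.10.21/24 brd 10.10.10.255 scope global eth0
"""

LINK_RE = re.compile(r"^\d+:\s+(\S+?):\s+<([^>]*)>")
ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\S+)")


def parse_links(text):
    """Map interface name -> set of link flags from `ip -o link show` output."""
    links = {}
    for line in text.splitlines():
        m = LINK_RE.match(line)
        if m:
            links[m.group(1)] = set(m.group(2).split(","))
    return links


def parse_addrs(text):
    """Map interface name -> list of IPv4 interfaces from `ip -o -4 addr show`."""
    addrs = {}
    for line in text.splitlines():
        m = ADDR_RE.match(line)
        if m:
            addrs.setdefault(m.group(1), []).append(ipaddress.ip_interface(m.group(2)))
    return addrs


def audit_sensor(link_text, addr_text, sniff_if, mgmt_if, mgmt_net=MGMT_NET):
    """Return a list of findings; an empty list means the sensor matches the design."""
    links = parse_links(link_text)
    addrs = parse_addrs(addr_text)
    findings = []
    # Sniffing NIC: present, up, promiscuous, and carrying no IP address.
    flags = links.get(sniff_if)
    if flags is None:
        findings.append(f"{sniff_if}: interface not present")
    else:
        if "UP" not in flags:
            findings.append(f"{sniff_if}: interface is down")
        if "PROMISC" not in flags:
            findings.append(f"{sniff_if}: not in promiscuous mode")
    for a in addrs.get(sniff_if, []):
        findings.append(f"{sniff_if}: monitoring NIC has address {a}")
    # Management NIC: every address must lie inside the private admin network.
    if mgmt_if not in addrs:
        findings.append(f"{mgmt_if}: management NIC has no address")
    for a in addrs.get(mgmt_if, []):
        if a.ip not in mgmt_net:
            findings.append(f"{mgmt_if}: address {a} is outside {mgmt_net}")
    # Any further addressed interface is an unplanned path onto the sensor.
    for name, alist in addrs.items():
        if name not in ("lo", mgmt_if, sniff_if):
            for a in alist:
                findings.append(f"{name}: unexpected interface with address {a}")
    return findings


def live_audit(sniff_if, mgmt_if):
    """Run the same checks against this host's real `ip` output (Linux only)."""
    link = subprocess.run(["ip", "-o", "link", "show"],
                          capture_output=True, text=True, check=True).stdout
    addr = subprocess.run(["ip", "-o", "-4", "addr", "show"],
                          capture_output=True, text=True, check=True).stdout
    return audit_sensor(link, addr, sniff_if, mgmt_if)


if __name__ == "__main__":
    for line in audit_sensor(SAMPLE_LINK, SAMPLE_ADDR, "eth1", "eth0") or ["sensor interfaces OK"]:
        print(line)
```

Run it on the sample to see a clean result, or call `live_audit("eth1", "eth0")` on a sensor; any address on the sniffing NIC, a non-promiscuous monitoring port, or a management address outside the admin network shows up as a finding rather than being silently accepted.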