Security Basics mailing list archives

RE: Setting up an IDS system


From: "Naman Latif" <naman.latif () inamed com>
Date: Mon, 3 Feb 2003 09:17:52 -0800

Thank you all for your help on this. I would definitely need some more
tips in future as I progress, but all this info is very useful in
getting me started.

Regards \\ Naman


-----Original Message-----
From: Trevor Cushen [mailto:Trevor.Cushen () sysnet ie] 
Sent: Monday, February 03, 2003 4:24 AM
To: Naman Latif
Cc: security-basics () securityfocus com
Subject: RE: Setting up an IDS system


To answer your questions, my humble opinion is 

1)    Yes should be safe if it is one way traffic as in you can access
the machine with ftp for instance but it has no access back to 
internal network.  I used a web interface to my logs and then 
only needed a browser to the IDS system.  The web server was 
running on the IDS box and filtering my logs for sensible 
viewing i.e. colour coded etc.  Some recommend taking the logs 
off the IDS machine in case a hacker breaches the machine 
they can remove the logs.  A backup tape system will do this 
and it is how I handle it.

2)    The IDS box is watching the DMZ network only so it shouldn't be
visible or in any way accessible from the internet.  If it is 
then the box should be hardened to the highest possible 
level (as all your DMZ boxes should).  This goes back to your 
router in many cases where routing should be specific.  HTTP 
traffic to ip address xxx.xxx.xxx.xxx ONLY and not just allow 
port 80 through at the router, (touches on an earlier post 
about filters on routers).  I only run the web server service 
after the IDS stuff, as in answer 1.

3)    I have often used a separate box to monitor internal networks
but this is to be aware of traffic patterns and network 
activity. Tripwire on hosts mostly above the use of snort as 
the amount of internal traffic is high and not much use 
without specific filters but these are restricted in a 
switched network.  My DMZ is a hub and not a switch for this reason.

Other suggestions would include the use of tripwire to some 
extent, MRTG is excellent in this environment and NTOP.  Also 
putting central logging in place and then get the whole lot 
together in a web page for viewing from your desktop makes 
life very easy and manageable.

Sites to view:
www.mrtg.org
www.ntop.org
www.tripwire.org
http://www.sfhn.net/whites/snortacid.html

Can't find it at the moment but there is a syslog server 
version that logs to a database.  Very easy to setup.  Use 
this to log your routers and servers to a database then add a 
bit of perl code to put a web front end on the database to 
watch attempts to hack your routers etc. Previous posts 
talked about Cisco logging etc.

You should be able quite easily to get the whole lot visible 
through a fairly organised web page that allows you to watch 
everything that goes on in your DMZ from the comfort of your 
desktop.  Use good filters to break down your logs and also 
produce detailed reports for the marketing people on access 
to your web site and bandwidth usage on your routers also 
helps for budget meetings.

Long email but I hope it helps.  If you have any problems 
with the above drop me a line and I will see if I can help.

One final thing I would like to add.  Know how to read your 
logs.  It is no good if you suspect an incident and find 
yourself trawling through a mountain of text files looking 
for what happened.  Logging to a database rather than a text 
file makes this easier where you can search by date or ip 
address and build a pattern of the incident.  I recommended 
two books in a previous post called 'Hacker Challenge'.  
These show exactly how efficient good logs can be.


Good luck with all that :)

Trevor Cushen
Sysnet Ltd

www.sysnet.ie
Tel: +353 1 2983000
Fax: +353 1 2960499



-----Original Message-----
From: Naman Latif [mailto:naman.latif () inamed com] 
Sent: 31 January 2003 17:34
To: security-basics () securityfocus com
Subject: Setting up an IDS system



Hi,
I am in the process of setting up an IDS system using Linux\Snort in
DMZ. A couple of questions regarding this

1. Is it a safe practice to have access to this system from Inside
Network (for retrieving log files etc) from 1-2 Stations ? Of course IDS
won't have access to inside network and be blocked by Firewall.

2. What kind of services should be running on IDS Station ? Should all
Web\FTP etc services be stopped ?

3. How important is it to also have an IDS system monitoring the traffic
on your Inside Network ? I believe it won't be a good idea to have the
SAME DMZ IDS system with another NIC monitoring Inside Network Traffic ?

Any other suggestions OR any Links that I can refer to ?

Regards \\ Naman
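
The reply above recommends logging to a database so an incident can be searched by date or IP address and built into a pattern. The following is an added example of that idea, not code from the thread or its authors: Python with SQLite stands in for the unnamed syslog-to-database server, and the log lines, table layout and function names are constructed for illustration.

```python
import re
import sqlite3

# Constructed sample lines in BSD-syslog layout (not taken from the thread).
SAMPLE_LOG = """\
Feb  3 04:12:01 router1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(4312) -> 192.0.2.10(23), 1 packet
Feb  3 04:12:09 router1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(4313) -> 192.0.2.10(22), 1 packet
Feb  3 04:15:40 web1 sshd[812]: Failed password for root from 203.0.113.7 port 4410 ssh2
Feb  3 09:30:02 web1 sshd[901]: Failed password for admin from 198.51.100.23 port 5121 ssh2
Feb  4 11:02:17 router1 %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.23(53) -> 192.0.2.10(161), 1 packet
this line is damaged and has no timestamp
"""

LINE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) (.*)$")
SRC_IP = re.compile(r"(?:from |denied \w+ )(\d{1,3}(?:\.\d{1,3}){3})")
MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()

def load(db, text, year):
    """Insert parsed lines into `events`; return the lines that did not parse."""
    db.execute("CREATE TABLE IF NOT EXISTS events "
               "(ts TEXT, host TEXT, src_ip TEXT, msg TEXT)")
    db.execute("CREATE INDEX IF NOT EXISTS ev_ip ON events (src_ip, ts)")
    unparsed = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m or m.group(1) not in MONTHS:
            unparsed.append(raw)  # never drop evidence silently
            continue
        mon, day, clock, host, msg = m.groups()
        # Syslog timestamps carry no year; store a sortable ISO-style string.
        ts = f"{year:04d}-{MONTHS.index(mon) + 1:02d}-{int(day):02d} {clock}"
        ip = SRC_IP.search(msg)
        db.execute("INSERT INTO events VALUES (?, ?, ?, ?)",
                   (ts, host, ip.group(1) if ip else None, msg))
    return unparsed

def timeline(db, ip, start, end):
    """Everything one source address did, across all hosts, in time order."""
    return db.execute("SELECT ts, host, msg FROM events WHERE src_ip = ? AND "
                      "ts BETWEEN ? AND ? ORDER BY ts", (ip, start, end)).fetchall()

def top_sources(db):
    """Source addresses ranked by event count, with number of hosts touched."""
    return db.execute("SELECT src_ip, COUNT(*), COUNT(DISTINCT host) FROM events "
                      "WHERE src_ip IS NOT NULL GROUP BY src_ip "
                      "ORDER BY COUNT(*) DESC").fetchall()

if __name__ == "__main__":
    conn = sqlite3.connect(":memory:")
    print(load(conn, SAMPLE_LOG, 2003), top_sources(conn))
```

The timeline query joins router and server entries for one address into a single ordered view, which is the step that is slow when the same events sit in separate text files.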


