Snort mailing list archives

IDS Design Help


From: Jake Rog <jake.rog () cccllc com>
Date: Sun, 8 Feb 2004 21:26:59 -0500

I will be implementing IDS using SNORT in our company network infrastructure
and would appreciate some advice. After doing research, I would like to
install two IDS sensors: the 1st outside the EXT interface of the firewall,
listening to all of the incoming traffic, and the 2nd outside the INT
interface, listening to see if any attacks got through the firewall. I would
like to use TAPs for the sensor connection. Our current inbound Internet
connection is a T1, possibly later to be upgraded to a maximum of 10MB.

The following would be a logical diagram.

[Internet] ------- [Firewall] -------- [LAN]
              |                  |
            [IDS]              [IDS]

Please let me know if you have any advice on the following topics:

1. TAPs - After seeing what's available on the market, I found two
different approaches to TAP devices: 1st with a single RJ45 connected
directly to the IDS (http://www.intrusion.com/products/taps.asp), 2nd with
dual RJ45s connected directly to the IDS for full duplex
(http://www.criticaltap.com/singletap.php). How can SNORT be configured to
work with the dual RJ45s in the second example? (Taps from
www.criticaltap.com)
2. EVENT MONITORING - I am trying to figure out how to better configure
the IDS NIC that will be acting as an admin interface, where I will be
connecting for event information. Should I configure this interface with
security to be accessed from the Internet, or should I configure this
interface to be accessed from the LAN via the firewall?
3. LOGS - I think that it would be best to configure a single server to
store all the log files from both IDS sensors instead of keeping them
locally?! Also, as above, if this is the case, what route should this traffic
take to access the log server, which would reside on the inside network?
Also, if the logs are located on the single log server and not on the IDS, I
should not have to access the admin interface on the IDS, correct?
4. REPORTING - What is the best way to centralize and access all event
reporting? What is the best product to accomplish this?

Please be kind to let me know if you have a better approach to any of this
or if you have any other comments or suggestions.

Thank you very much for taking your time to respond.

Regards,

Jake
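The design in the post places one sensor outside the firewall and one inside so that the inside sensor reveals which attacks got through. Once both sensors log to the single log server the post proposes, that comparison can be automated. The following is an added example, not code from the original post or from the Snort project: it parses Snort's 'alert fast' output format (-A fast) from both sensors and sorts each event into "blocked" (EXT only), "passed" (seen on both sides) or "internal only". It assumes both sensors run the same rule set so the [gid:sid:rev] triple identifies a rule, that the firewall may NAT the destination (so events are matched on gid, sid and source IP rather than the full five-tuple), and IPv4 addressing. The sample alert lines, rule SIDs and addresses are constructed for the example.

```python
"""Correlate Snort 'alert fast' output from the EXT and INT sensors.

Added example, not code from the original post. Assumes both sensors run the
same rule set and write alerts in Snort's 'alert fast' format, one file per
sensor, and that the firewall may NAT the destination, so an event is matched
across sensors by (gid, sid, source IP) rather than the full five-tuple.
IPv4 addresses are assumed (the port is split off at the last colon).
"""
import re
from collections import defaultdict

# 'alert fast' layout this parser expects (assumed format):
# MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def split_host(endpoint):
    """Return (ip, port) for 'ip:port', or (ip, None) when there is no port (ICMP)."""
    if ":" in endpoint:
        ip, port = endpoint.rsplit(":", 1)
        return ip, int(port)
    return endpoint, None


def parse_alert(line):
    """Parse one 'alert fast' line into a dict, or return None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["src_ip"], d["src_port"] = split_host(d.pop("src"))
    d["dst_ip"], d["dst_port"] = split_host(d.pop("dst"))
    d["prio"] = int(d["prio"])
    return d


def index_alerts(lines):
    """Group parsed alerts by (gid, sid, src_ip); lines that do not parse are skipped."""
    idx = defaultdict(list)
    for line in lines:
        a = parse_alert(line)
        if a is not None:
            idx[(a["gid"], a["sid"], a["src_ip"])].append(a)
    return idx


def correlate(ext_lines, int_lines):
    """Classify events by which sensor(s) saw them.

    passed        -- seen outside and inside: the firewall let it through
    blocked       -- seen outside only: stopped (or not forwarded) by the firewall
    internal_only -- seen inside only: originated on the LAN or missed outside
    """
    ext = index_alerts(ext_lines)
    inside = index_alerts(int_lines)
    return {
        "passed": sorted(set(ext) & set(inside)),
        "blocked": sorted(set(ext) - set(inside)),
        "internal_only": sorted(set(inside) - set(ext)),
    }


# Constructed sample alerts (documentation address ranges, local-rule SIDs).
EXT_SAMPLE = """\
02/08-21:26:59.000001  [**] [1:1000001:1] LOCAL telnet probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:40000 -> 198.51.100.10:23
02/08-21:27:01.000002  [**] [1:1000002:1] LOCAL web attack [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:41000 -> 198.51.100.10:80
02/08-21:27:03.000003  [**] [1:1000003:1] LOCAL icmp probe [**] [Priority: 3] {ICMP} 203.0.113.9 -> 198.51.100.10
this line is not an alert and is skipped
"""
INT_SAMPLE = """\
02/08-21:27:01.000500  [**] [1:1000002:1] LOCAL web attack [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:41000 -> 10.0.0.20:80
"""

if __name__ == "__main__":
    result = correlate(EXT_SAMPLE.splitlines(), INT_SAMPLE.splitlines())
    for bucket, keys in result.items():
        print(bucket)
        for gid, sid, src in keys:
            print(f"  [{gid}:{sid}] from {src}")
```

Run against real files by replacing the two constructed samples with the alert files each sensor ships to the log server. Matching on source IP rather than destination is deliberate: an inbound attack that passes through a NATing firewall keeps its source address but not its destination, so a five-tuple match would wrongly report every passed event as blocked.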