Snort mailing list archives
IDS Design Help
From: Jake Rog <jake.rog () cccllc com>
Date: Sun, 8 Feb 2004 21:26:59 -0500
I will be implementing IDS using SNORT in our company network infrastructure and would appreciate some advice. After doing research, I would like to install two IDS sensors: the 1st outside the EXT interface of the firewall, listening to all of the incoming traffic, and the 2nd outside the INT interface, listening to see if any attacks got through the firewall. I would like to use TAPs for sensor connection. Our current inbound Internet connection is a T1, to possibly later be upgraded to a maximum of 10MB. The following would be a logical diagram.

    [Internet] ------- [Firewall] -------- [LAN]
                  |                  |
                [IDS]              [IDS]

Please let me know if you have any advice on the following topics:

1. TAPs - After seeing what's available on the market, I found two different approaches to TAP devices. The 1st has a single RJ45 connected directly to the IDS (http://www.intrusion.com/products/taps.asp); the 2nd has dual RJ45s connected directly to the IDS for full duplex (http://www.criticaltap.com/singletap.php). How can SNORT be configured to work with dual RJ45s in the second example? (Taps from www.criticaltap.com)

2. EVENT MONITORING - I am trying to figure out how to better configure the IDS NIC that will be acting as an admin interface, where I will be connecting for event information. Should I configure this interface with security to be accessed from the Internet, or should I configure this interface to be accessed from the LAN via the firewall?

3. LOGS - I think that it would be best to configure a single server to store all the log files from both IDS sensors instead of keeping them locally?! Also, as above, if this is the case, what route should this traffic take to access the log server, which would reside on the inside network? Also, if the logs are located on the single log server and not on the IDS, I should not have to access the admin interface on the IDS, correct?

4. REPORTING - What is the best way to centralize and access all event reporting? What is the best product to accomplish this?

Please be kind enough to let me know if you have a better approach to any of this or if you have any other comments or suggestions. Thank you very much for taking your time to respond.

Regards,
Jake
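As an added example (not from this thread and not Snort project code): with a full-duplex tap, each RJ45 monitor port carries one direction of the link, so the two legs have to be recombined before an IDS can see whole sessions. On a live sensor this is commonly done by bonding the two capture NICs into one logical interface and pointing Snort at that; the script below shows the offline equivalent, merging two one-direction pcap files into a single chronologically ordered capture that Snort can read back with its -r option. The pcap reader and writer follow the classic libpcap file layout; the sample frames, interface labels and function names are constructed for the example.

```python
"""Merge two single-direction tap captures into one bidirectional pcap file."""
import struct
from typing import Iterator, List, Tuple

PCAP_MAGIC = 0xA1B2C3D4      # little-endian pcap with microsecond timestamps
LINKTYPE_ETHERNET = 1

Packet = Tuple[int, int, bytes]   # (seconds, microseconds, raw frame)


def write_pcap(packets: List[Packet]) -> bytes:
    """Serialize packets into a classic libpcap file: 24-byte global header,
    then a 16-byte record header (ts_sec, ts_usec, caplen, origlen) per frame."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535,
                                LINKTYPE_ETHERNET))
    for sec, usec, frame in packets:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame))
        out += frame
    return bytes(out)


def read_pcap(data: bytes) -> Iterator[Packet]:
    """Parse a little-endian microsecond pcap file and yield (sec, usec, frame)."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("only little-endian microsecond pcap is handled here")
    off = 24
    while off + 16 <= len(data):
        sec, usec, caplen, _origlen = struct.unpack_from("<IIII", data, off)
        off += 16
        frame = data[off:off + caplen]
        if len(frame) < caplen:
            raise ValueError("truncated pcap record")
        off += caplen
        yield sec, usec, frame


def merge_tap_legs(leg_a: bytes, leg_b: bytes) -> bytes:
    """Interleave the two tap legs by timestamp so both directions of each
    conversation appear in one stream, as a bonded interface would present them."""
    merged = sorted(list(read_pcap(leg_a)) + list(read_pcap(leg_b)),
                    key=lambda p: (p[0], p[1]))
    return write_pcap(merged)


def demo_frame(label: bytes) -> bytes:
    """Constructed minimal Ethernet frame: 14-byte header, then a label as payload."""
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + label


def build_demo_legs() -> Tuple[bytes, bytes]:
    """Constructed sample captures: leg A carries client->server only,
    leg B carries server->client only, as a two-port tap would deliver them."""
    leg_a = write_pcap([(100, 0, demo_frame(b"SYN")),
                        (100, 20000, demo_frame(b"ACK")),
                        (100, 30000, demo_frame(b"GET"))])
    leg_b = write_pcap([(100, 10000, demo_frame(b"SYN-ACK")),
                        (100, 40000, demo_frame(b"200"))])
    return leg_a, leg_b


def demo_merged_labels() -> List[bytes]:
    """Payload labels of the merged capture, in the order a sensor would see them."""
    leg_a, leg_b = build_demo_legs()
    return [frame[14:] for _, _, frame in read_pcap(merge_tap_legs(leg_a, leg_b))]


if __name__ == "__main__":
    a, b = build_demo_legs()
    with open("merged.pcap", "wb") as fh:      # readable with: snort -r merged.pcap
        fh.write(merge_tap_legs(a, b))
    print(demo_merged_labels())
```

Running the script writes merged.pcap and prints the handshake and request in full-duplex order; feeding either leg alone would give the sensor only one side of every conversation, which is why a two-port tap needs aggregation in front of Snort. The reader deliberately rejects byte-swapped and nanosecond pcap variants rather than silently misparsing them.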
Current thread:
- IDS Design Help Jake Rog (Feb 08)
- <Possible follow-ups>
- Re: IDS Design Help Richard Bejtlich (Feb 09)
- RE: IDS Design Help hugh_fraser (Feb 09)