Hi Adam, My 0.2 Euros worth.
You are kind of on the correct path, but consider this...
I am _guessing_ that you have been thinking of a setup along the lines
of.....
(Internet)------|hub|
                  |---------|firewall|-----------|hub|
                  |                                |
                  |---------|snort|                |-------------|snort|
                                                   |
                                                   |-------------Rest of internal Network
If diagrams don't look correct in your mail reader, paste into a text editor
(and get a good mail client).
>If I do that, can I reasonably assume that any incidents
>that show up in the outside Snort ARIS logs AND NOT in
>the firewall logs got through the firewall?
Remember, the firewall (should) block access to all ports excluding
the ones that you specify, therefore if you have TCP :80 open for a web
server, you are allowing any traffic (including exploit code) through the
wall.
Yes, the attack should show on the external snort sensor and the internal
sensor; what shows up in your firewall logs depends on what firewall you are
using.
>Can I also reasonably assume that, should something show up
>in the outside Snort ARIS logs AND NOT in the firewall logs
>AND NOT in the inside Snort ARIS logs, that the inside Snort
>station is not functioning properly? By not functioning properly
>I mean anything from "bad NIC" to "improper configuration" to
>"Snort sucks".
Think about having TCP:80 Closed.
A CodeRed v2 probe enters your network bound for an IP that does not
have a webserver running on it, therefore your firewall is closed for the
request.
External sensor will pick up the attack, your firewall will alarm you that
there has been an attempt to access a closed port, and your internal snort
sensor will not know anything about it because the traffic has been blocked
from entering your internal n/w.
An Important Point....
Do you have ports open on your firewall that are allowing access to
systems in your internal network? Are you supplying services to the outside
world from inside your protected network? Think SERIOUSLY about using a
DMZ/PSN.
It would look something like this....
(Internet)------|hub|
                  |---------|firewall|----DMZ----|hub|
                  |             |                  |
                  |-|snort|     |                  |-----|snort|
                                |                  |
                                |                  |-----|Webserver|
                        internal network           |-----|FTP|
                                |                  |-----|SMTP|
                                |
                              |hub|
                                |---------Servers
                                |---------Clients
Therefore you can deny any access to clients and servers in your internal
network and still supply services to the internet.
Hope this helps.
Nard
Leon Ward
Added Dimension Ltd
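The three-way comparison discussed above (outside sensor, firewall log, inside sensor) can be done mechanically. The following is an added example, not code from either poster: it parses Snort "-A fast" alert lines and netfilter-style syslog lines with a DROP/ACCEPT log prefix, matches records on (source, destination, destination port) within a short time window, and gives each outside alert one of four verdicts. The log lines, addresses, rule numbers, the year, the firewall log format and the ten-second window are all constructed assumptions for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

YEAR = 2002                      # Snort fast alerts and syslog carry no year; assumed
WINDOW = timedelta(seconds=10)   # records this close are treated as the same probe (assumed)
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Snort -A fast line: "MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [...] {PROTO} src:sport -> dst:dport"
SNORT_RE = re.compile(
    r"^(?P<mo>\d\d)/(?P<d>\d\d)-(?P<h>\d\d):(?P<mi>\d\d):(?P<s>\d\d)\.\d+\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)")

# netfilter-style syslog line with a DROP/ACCEPT log prefix (format assumed for the example)
FW_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<d>\d+)\s+(?P<h>\d\d):(?P<mi>\d\d):(?P<s>\d\d)\s+\S+\s+kernel:\s+"
    r"(?P<action>DROP|ACCEPT)\b.*?SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+).*?DPT=(?P<dport>\d+)")


@dataclass(frozen=True)
class Rec:
    ts: datetime
    src: str
    dst: str
    dport: int
    action: str = ""   # only firewall records carry DROP/ACCEPT


def parse_snort(lines):
    out = []
    for line in lines:
        m = SNORT_RE.match(line)
        if m:
            ts = datetime(YEAR, int(m["mo"]), int(m["d"]), int(m["h"]), int(m["mi"]), int(m["s"]))
            out.append(Rec(ts, m["src"], m["dst"], int(m["dport"])))
    return out


def parse_firewall(lines):
    out = []
    for line in lines:
        m = FW_RE.match(line)
        if m:
            ts = datetime(YEAR, MONTHS[m["mon"]], int(m["d"]), int(m["h"]), int(m["mi"]), int(m["s"]))
            out.append(Rec(ts, m["src"], m["dst"], int(m["dport"]), m["action"]))
    return out


def _matches(a, pool):
    # Same flow key and close in time; source port is ignored so a retry still matches.
    return [b for b in pool
            if (b.src, b.dst, b.dport) == (a.src, a.dst, a.dport)
            and abs(b.ts - a.ts) <= WINDOW]


def classify(external, firewall, internal):
    """For each alert on the outside sensor, decide what happened to the probe."""
    verdicts = []
    for ext in external:
        fw = _matches(ext, firewall)
        inside = _matches(ext, internal)
        if inside:
            code = "PASSED"           # inside sensor saw it too, so the firewall let it through
        elif any(f.action == "DROP" for f in fw):
            code = "BLOCKED"          # firewall logged the denial; inside sensor rightly saw nothing
        elif any(f.action == "ACCEPT" for f in fw):
            code = "SENSOR_SUSPECT"   # firewall says it went in, inside sensor missed it
        else:
            code = "UNEXPLAINED"      # no firewall record either: silent drop, or a missed alert
        verdicts.append((ext, code))
    return verdicts


# Constructed sample logs: one web server at 192.0.2.10, nothing listening on 192.0.2.11.
MSG = "[**] [1:1256:8] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP}"
EXTERNAL = [
    f"05/17-20:03:11.123456  {MSG} 198.51.100.7:3456 -> 192.0.2.10:80",   # allowed, seen inside
    f"05/17-20:03:12.223456  {MSG} 198.51.100.7:3457 -> 192.0.2.11:80",   # closed port, dropped
    f"05/17-20:04:00.500000  {MSG} 198.51.100.7:3460 -> 192.0.2.10:80",   # accepted, inside silent
    f"05/17-20:05:40.000001  {MSG} 203.0.113.9:4001 -> 192.0.2.10:80",    # nothing else recorded
]
FIREWALL = [
    "May 17 20:03:12 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.11 PROTO=TCP SPT=3457 DPT=80",
    "May 17 20:04:00 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=3460 DPT=80",
]
INTERNAL = [
    f"05/17-20:03:11.130000  {MSG} 198.51.100.7:3456 -> 192.0.2.10:80",
]


def run_sample():
    return classify(parse_snort(EXTERNAL), parse_firewall(FIREWALL), parse_snort(INTERNAL))


if __name__ == "__main__":
    for rec, code in run_sample():
        print(f"{rec.ts:%H:%M:%S} {rec.src} -> {rec.dst}:{rec.dport}  {code}")
```

The last two verdicts are the point of the thread: "SENSOR_SUSPECT" is only reachable when the firewall logs accepts as well as denials, and a firewall that logs only denials (or nothing) collapses that case into "UNEXPLAINED", which is why the answer depends on what the firewall logs.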
-----Original Message-----
From: Adam Shephard [mailto:[EMAIL PROTECTED]]
Sent: 17 May 2002 20:03
To: [EMAIL PROTECTED]
Subject: IDS Setup
I suffer from a logic deficiency and I've been tossing an idea around in my
head. I thought it might be a good idea to run the logic past the people
here. I have a firewall between my network and the world and Snort behind my
firewall. That Snort station reports to ARIS. I'm toying with the idea of
putting another Snort station on the outside between my firewall and the
world and having it also report to ARIS.
If I do that, can I reasonably assume that any incidents that show up in the
outside Snort ARIS logs AND NOT in the firewall logs got through the
firewall? Can I also reasonably assume that, should something show up in
the outside Snort ARIS logs AND NOT in the firewall logs AND NOT in the
inside Snort ARIS logs, that the inside Snort station is not functioning
properly? By not functioning properly I mean anything from "bad NIC" to
"improper configuration" to "Snort sucks".
It makes sense to me that this would work but, you know, the logic thing.
This E-mail and its attachments have been scanned for viruses before
delivery. For more information contact [EMAIL PROTECTED]