To answer your questions, my humble opinion is:

1) Yes, it should be safe if it is one-way traffic, as in you can access the machine with FTP for instance but it has no access back to the internal network. I used a web interface to my logs and then only needed a browser to the IDS system. The web server was running on the IDS box and filtering my logs for sensible viewing, i.e. colour coded etc. Some recommend taking the logs off the IDS machine in case a hacker breaches the machine and removes the logs. A backup tape system will do this and it is how I handle it.

2) The IDS box is watching the DMZ network only, so it shouldn't be visible or in any way accessible from the internet. If it is, then the box should be hardened to the highest possible level (as all your DMZ boxes should). This goes back to your router in many cases, where routing should be specific: HTTP traffic to IP address xxx.xxx.xxx.xxx ONLY, and not just allow port 80 through at the router (touches on an earlier post about filters on routers). I only run the web server service after the IDS stuff, as in answer 1.

3) I have often used a separate box to monitor internal networks, but this is to be aware of traffic patterns and network activity. Tripwire on hosts mostly, above the use of Snort, as the amount of internal traffic is high and not much use without specific filters, but these are restricted in a switched network. My DMZ is a hub and not a switch for this reason.

Other suggestions would include the use of Tripwire to some extent; MRTG is excellent in this environment, and NTOP. Also, putting central logging in place and then getting the whole lot together in a web page for viewing from your desktop makes life very easy and manageable.

Sites to view:
www.mrtg.org
www.ntop.org
www.tripwire.org
http://www.sfhn.net/whites/snortacid.html

Can't find it at the moment, but there is a syslog server version that logs to a database. Very easy to set up. Use this to log your routers and servers to a database, then add a bit of Perl code to put a web front end on the database to watch attempts to hack your routers etc. Previous posts talked about Cisco logging etc. You should be able quite easily to get the whole lot visible through a fairly organised web page that allows you to watch everything that goes on in your DMZ from the comfort of your desktop. Use good filters to break down your logs and also produce detailed reports for the marketing people on access to your web site; bandwidth usage on your routers also helps for budget meetings.

Long email, but I hope it helps.

If you have any problems with the above, drop me a line and I will see if I can help.

One final thing I would like to add: know how to read your logs. It is no good if you suspect an incident and find yourself trawling through a mountain of text files looking for what happened. Logging to a database rather than a text file makes this easier, where you can search by date or IP address and build a pattern of the incident. I recommended two books in a previous post called 'Hacker Challenge'. These show exactly how efficient good logs can be.

Good luck with all that :)

Trevor Cushen
Sysnet Ltd
www.sysnet.ie
Tel: +353 1 2983000
Fax: +353 1 2960499

-----Original Message-----
From: Naman Latif [mailto:[EMAIL PROTECTED]]
Sent: 31 January 2003 17:34
To: [EMAIL PROTECTED]
Subject: Setting up an IDS system

Hi,

I am in the process of setting up an IDS system using Linux\Snort in the DMZ. A couple of questions regarding this:

1. Is it a safe practice to have access to this system from the inside network (for retrieving log files etc.) from 1-2 stations? Of course the IDS won't have access to the inside network and will be blocked by the firewall.

2. What kind of services should be running on the IDS station? Should all Web\FTP etc. services be stopped?

3. How important is it to also have an IDS system monitoring the traffic on your inside network? I believe it won't be a good idea to have the SAME DMZ IDS system with another NIC monitoring inside network traffic?

Any other suggestions OR any links that I can refer to?

Regards \\ Naman
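The database-backed log search that Trevor's reply recommends (search by date or by IP address and build a pattern of the incident), as an added example that is not part of this thread: a small Python script using SQLite stands in for the syslog-to-database server and Perl front end he mentions. The syslog lines are constructed samples; the hostnames, addresses, year and Snort rule id are assumptions.

```python
import re
import sqlite3
from datetime import datetime

# Constructed sample syslog lines (hosts, addresses and year are assumptions, not real traffic).
SAMPLE_SYSLOG = """\
Jan 31 17:40:01 dmzrouter sshd[1022]: Failed password for root from 203.0.113.7 port 40211 ssh2
Jan 31 17:40:03 dmzrouter sshd[1022]: Failed password for admin from 203.0.113.7 port 40212 ssh2
Jan 31 17:41:10 webhost snort[881]: [1:1000001:1] LOCAL suspicious web request from 203.0.113.7
Jan 31 18:02:44 dmzrouter sshd[1030]: Accepted publickey for trevor from 192.0.2.10 port 51000 ssh2
this line is not syslog and is skipped
"""

# BSD syslog layout: "Mon DD HH:MM:SS host program[pid]: message" (the timestamp carries no year).
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) ([^\[:\s]+)(?:\[\d+\])?: (.*)$")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_line(line, year=2003):
    """Return (timestamp, host, program, message, source_ip) or None for an unparsable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    ip = IP_RE.search(m.group(4))  # first dotted-quad in the message is taken as the source
    return (ts.isoformat(" "), m.group(2), m.group(3), m.group(4), ip.group(1) if ip else None)


def build_db(text, year=2003):
    """Load syslog text into an in-memory SQLite table and return the connection."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE log (ts TEXT, host TEXT, prog TEXT, msg TEXT, src_ip TEXT)")
    rows = [r for r in (parse_line(l, year) for l in text.splitlines()) if r]
    conn.executemany("INSERT INTO log VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def events_for_ip(conn, ip):
    """Everything one source address did, in time order: the pattern of an incident."""
    sql = "SELECT ts, host, prog, msg FROM log WHERE src_ip = ? ORDER BY ts"
    return conn.execute(sql, (ip,)).fetchall()


def events_between(conn, start, end):
    """Search by date/time window; ISO 'YYYY-MM-DD HH:MM:SS' strings sort correctly as text."""
    sql = "SELECT ts, host, prog, msg FROM log WHERE ts BETWEEN ? AND ? ORDER BY ts"
    return conn.execute(sql, (start, end)).fetchall()


def top_sources(conn, n=5):
    """Noisiest source addresses first, the summary a web front end would show at the top."""
    sql = "SELECT src_ip, COUNT(*) FROM log WHERE src_ip IS NOT NULL GROUP BY src_ip ORDER BY 2 DESC, 1 LIMIT ?"
    return conn.execute(sql, (n,)).fetchall()
```

Pointing `build_db` at a real syslog file (and a real year) gives the same three queries over your router and server logs.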