--- Naman Latif <[EMAIL PROTECTED]> wrote:
>
> Hi,
> I am in the process of setting up an IDS system using Linux\Snort in
> DMZ. A couple of questions regarding this
>
> 1. Is it a safe practice to have access to this system from Inside
> Network (for retrieving log files etc) from 1-2 Stations? Of course IDS
> won't have access to inside network and be blocked by Firewall.
Hi Naman,

Probably the better approach is to get Snort to send its alerts to a MySQL database internally, then use ACID to view those alerts through a web browser.

(Side note - i) you may already have ssh open for communication between your DMZ servers and the internal network, or ii) you may have allowed connections to your DMZ, but only if they are instigated internally, or iii) you may also have a private VPN only allowing access from the internally facing cards in your servers in the DMZ, through the firewall, to internal, but separate, application/management stations, thereby internally segmenting your internal network.)

This means you can put snort 'sensors' at many points on your network, i.e. DMZ (externally to firewall), internally and, perhaps, at a 'remote/backdoor/management/VPN' connection to a.n.other 'extranet' semi-trusted network, and have the sensors sending alerts to one 'IDS management station'.

>
> 2. What kind of services should be running on IDS Station? Should all
> Web\FTP etc services be stopped?

I would suggest, although it is up for debate, that this box only run the sensor and nothing else. You do not want this 'sensor' to be compromised through other services. In fact, it may be better to run in promiscuous mode with no IP address on the sensing network card.

>
> 3. How important it is to also have an IDS system monitoring the traffic
> on your Inside Network? I believe it won't be a good idea to have the
> SAME DMZ IDS system with another NIC monitoring Inside Network Traffic?

Depends on your paranoia, but why not, as it's relatively easy? But you are right, it's not a good idea to use one IDS for internal and external. The reason for monitoring both internally and externally, with separate sensors, is to compare and check that nothing has got through, you don't have attacks from inside, and your firewall/application proxy rules are working.

>
> Any other suggestions OR any Links that I can refer to?
Read and implement http://www.snort.org/docs/snort-rh7-mysql-ACID-1-5.pdf
or on Windows... http://www.silicondefense.com/techsupport/windows-acid.htm

Good Luck
James
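As an added worked example (not part of James's reply, and not Snort or ACID code), the following script shows the "compare the DMZ sensor against the internal sensor" idea from point 3 in practice: it parses Snort's plain-text fast-alert lines from two sensors and reports which alerts were seen outside the firewall only (blocked), which were seen at both sensors (got through), and which appeared only inside (originated internally). The alert lines, sensor names "dmz" and "internal", rule IDs and addresses are all constructed for the example and are not real rule IDs or hosts.

```python
import re
from collections import defaultdict

# Snort "alert_fast" layout: timestamp [**] [gid:sid:rev] msg [**]
# [Classification: ...] [Priority: N] {PROTO} src:sport -> dst:dport
# The regex is an assumption covering the common TCP/UDP case with ports.
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?"
    r"\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def parse_fast_alert(line):
    """Parse one fast-alert line into a dict, or None if it does not match."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"],
        "rule": (int(d["gid"]), int(d["sid"])),
        "msg": d["msg"],
        "priority": int(d["prio"]),
        "proto": d["proto"],
        "src": d["src"],
        "dst": d["dst"],
        "dport": int(d["dport"]) if d["dport"] else 0,
    }


def correlate(sensor_logs):
    """sensor_logs maps sensor name ("dmz" or "internal") to its alert lines.

    Alerts are matched across sensors by (rule, src, dst, dst port), so one
    probe seen by both sensors counts as a single event. Returns sorted lists
    of those keys under 'blocked', 'passed' and 'internal_only'.
    """
    seen = defaultdict(dict)  # sensor -> key -> parsed alert
    for sensor, lines in sensor_logs.items():
        for line in lines:
            alert = parse_fast_alert(line)
            if alert:
                key = (alert["rule"], alert["src"], alert["dst"], alert["dport"])
                seen[sensor][key] = alert
    dmz, internal = seen["dmz"], seen["internal"]
    return {
        "blocked": sorted(k for k in dmz if k not in internal),
        "passed": sorted(k for k in dmz if k in internal),
        "internal_only": sorted(k for k in internal if k not in dmz),
    }


# Constructed sample alerts (addresses from the RFC 5737 documentation ranges,
# rule IDs and messages made up for this example).
SAMPLE_LOGS = {
    "dmz": [
        "03/14-10:23:45.123456 [**] [1:1000001:1] CONSTRUCTED smb probe [**] "
        "[Classification: Attempted Information Leak] [Priority: 2] {TCP} "
        "203.0.113.7:51000 -> 192.0.2.20:445",
        "03/14-10:24:02.000001 [**] [1:1000002:1] CONSTRUCTED web scanner [**] "
        "[Classification: Web Application Attack] [Priority: 1] {TCP} "
        "203.0.113.9:40022 -> 192.0.2.30:80",
    ],
    "internal": [
        # Same web-scanner event seen again behind the firewall: it got through.
        "03/14-10:24:02.000900 [**] [1:1000002:1] CONSTRUCTED web scanner [**] "
        "[Classification: Web Application Attack] [Priority: 1] {TCP} "
        "203.0.113.9:40022 -> 192.0.2.30:80",
        # Never seen by the DMZ sensor: originated on the inside network.
        "03/14-10:31:17.500000 [**] [1:1000003:1] CONSTRUCTED ssh brute force [**] "
        "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} "
        "192.0.2.50:55555 -> 192.0.2.30:22",
    ],
}


def report(sensor_logs):
    """Return a short human-readable summary (also printed when run directly)."""
    r = correlate(sensor_logs)
    lines = []
    for label, keys in (("blocked by firewall", r["blocked"]),
                        ("passed through firewall", r["passed"]),
                        ("originated internally", r["internal_only"])):
        lines.append(f"{label}: {len(keys)}")
        for rule, src, dst, dport in keys:
            lines.append(f"  sid {rule[0]}:{rule[1]} {src} -> {dst}:{dport}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOGS))
```

With separate sensors feeding one central database, as the reply recommends, this same comparison can be made with a query against the alert tables instead of parsing text files; the correlation key (rule, source, destination, destination port) is the part that matters.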