RE: Setting up an IDS system

Comments in-line, denoted with **
<snip>
1. Is it a safe practice to have access to this system from Inside Network (for retrieving log files etc) from 1-2 Stations ? Ofcourse IDS won't have access to inside network and be blocked by Firewall.

• Yes. That's safe. Enforce it with firewall rules *on* the IDS. Iptables won't add enough overhead to a Linux machine running snort to matter. 2. What kind of services should be running on IDS Station ? Should all Web\FTp etc services be stopped ?
• I would recommend killing all network services except for sshd. Perform all file transfers and management tasks over ssh. 3. How important it is to also have an IDS system monitoring the traffic on your Inside Network ? I believe it won't be a good idea to have the SAME DMZ IDS system with another NIC monitoring Inside Network Traffic ?
• remember to try and follow the DoD's defense in depth principle. Assuming a typical three network setup, public (internet facing), DMZ, and Local or "trusted" network, I would certainly go for a minimum of three IDS deployments if possible. If you only have one machine available, you can use three nics on that machine and have a different snort rule-set for each nic. We've done this a few times. You set up a rule-set and a configuration file for each interface, and then use snort's command line switches to read the appropriate rule-set for each interface when starting via init. eg: snort -D -c /etc/snort_dmz.conf -i ethDMZ -I.

Any other suggestions OR any Links that I can refer to ?

• snort's documetation is pretty good. I'd also have a look at Lance Spitzner's "armoring linux" whitepaper. The whitepaper is designed for hardening linux for use as a firewall, and may be red-hat specific. But, you should be able to pull the principles and best-practices out of it. http://www.spitzner.net/linux.html

Regards \\ Naman Received on Mon Feb 3 13:45:36 2003