
[Snort-users] IDS Design Help


Jake Rog

Feb 8, 2004, 9:35:20 PM

I will be implementing IDS using SNORT in our company network infrastructure
and would appreciate some advice. After doing research, I would like to
install two IDS sensors - the 1st outside the EXT interface of the firewall,
listening to all of the incoming traffic, and the 2nd outside the INT
interface, listening to see if any attacks got through the firewall. I would
like to use TAPs for the sensor connection. Our current inbound Internet
connection is a T1, to possibly be upgraded later to a maximum of 10MB.

The following would be a logical diagram.

[Internet] ------- [Firewall] -------- [LAN]
              |                  |
            [IDS]              [IDS]

Please let me know if you have any advice on the following topics:

1. TAPs - After seeing what's available on the market, I found two
different approaches to TAP devices: the 1st with a single RJ45 connected
directly to the IDS (http://www.intrusion.com/products/taps.asp), the 2nd
with dual RJ45s connected directly to the IDS for full duplex
(http://www.criticaltap.com/singletap.php). How can SNORT be configured to
work with the dual RJ45s in the second example? (Taps from
http://www.criticaltap.com/)
2. EVENT MONITORING - I am trying to figure out how to better configure
the IDS NIC that will be acting as an admin interface, where I will be
connecting for event information. Should I configure this interface with
security to be accessed from the Internet, or should I configure this
interface to be accessed from the LAN via the firewall?
3. LOGS - I think that it would be best to configure a single server to
store all the log files from both IDS sensors instead of keeping them
locally?! Also, as above, if this is the case, what route should this traffic
take to access the log server, which would reside on the inside network?
Also, if the logs are located on the single log server and not on the IDS, I
should not have to access the admin interface on the IDS, correct?
4. REPORTING - What is the best way to centralize and access all event
reporting? What is the best product to accomplish this?

Please be kind enough to let me know if you have a better approach to any of
this, or if you have any other comments or suggestions.

Thank you very much for taking your time to respond.

Regards,

Jake




_______________________________________________
Snort-users mailing list
Snort...@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

hugh_...@dofasco.ca

Feb 9, 2004, 5:28:05 PM

2. If you're planning to collect information in a single place for
analysis (a good idea), you need to be careful not to introduce an
alternate path around your firewall. Use dual-homed sensors, and
configure the NIC monitoring the traffic without an IP address (and use
a read-only cable if you want to be sure). If the sensors are located in
reasonable proximity, I'd suggest a physically separate network (all you
really need is a hub) as a private network to connect the second NIC on
the sensors to a second NIC on an admin server. Lock down the admin
server (disable all unnecessary services, set up iptables, etc.),
install a package like ACID on it for analysis, and secure
communications to the server using SSL for the ACID interface and
client-certificate authentication. It's a cheap open-source solution.

I don't allow access to the admin console from the Internet. I do,
however, have a modem on the admin server that does paging for events
that require attention.


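As an added example (not code from either poster or from the Snort project), the script below checks a sensor's `ip addr show` output against the design in the reply above: the NIC sniffing the tap must carry no IP address, so the sensor cannot become a path around the firewall, and the admin NIC must sit only on the private management network. The interface names eth0/eth1, the 192.168.250.0/24 management subnet and both samples of `ip addr` output are constructed.

```python
"""Audit a dual-homed Snort sensor's interfaces against the design in the reply.

Added example, not code from the thread or from Snort. Interface names, the
management subnet and both `ip addr show` samples are constructed.
"""
import ipaddress
import re

# Constructed `ip addr show` output from a correctly built sensor: eth0 sniffs
# the tap (promiscuous, no address), eth1 is the admin NIC on the private hub.
GOOD_SENSOR = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 state UP
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    link/ether 00:11:22:33:44:66 brd ff:ff:ff:ff:ff:ff
    inet 192.168.250.11/24 brd 192.168.250.255 scope global eth1
"""

# Constructed misconfiguration: the sniffing NIC was given an address on the
# outside segment, so the sensor is now a host on both sides of the firewall.
BAD_SENSOR = GOOD_SENSOR.replace(
    "2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 state UP\n",
    "2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP\n"
    "    inet 203.0.113.20/29 brd 203.0.113.23 scope global eth0\n",
)

IFACE_RE = re.compile(r"^\d+: (\S+?)(?:@\S+)?: <([^>]*)>")
INET_RE = re.compile(r"^\s+inet (\d+\.\d+\.\d+\.\d+/\d+)")


def parse_ip_addr(text):
    """Map interface name -> {"flags": set of link flags, "addrs": [IPv4Interface]}."""
    ifaces, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            ifaces[current] = {"flags": set(m.group(2).split(",")), "addrs": []}
            continue
        m = INET_RE.match(line)
        if m and current:
            ifaces[current]["addrs"].append(ipaddress.ip_interface(m.group(1)))
    return ifaces


def audit_sensor(text, sniff_if, admin_if, mgmt_net):
    """Return a list of findings; an empty list means the sensor matches the design."""
    ifaces = parse_ip_addr(text)
    net = ipaddress.ip_network(mgmt_net)
    findings = []
    sniff = ifaces.get(sniff_if)
    if sniff is None:
        findings.append(f"{sniff_if}: monitoring interface not found")
    else:
        for a in sniff["addrs"]:
            findings.append(f"{sniff_if}: monitoring NIC has address {a}; it is "
                            "reachable and can route around the firewall")
        if "PROMISC" not in sniff["flags"]:
            findings.append(f"{sniff_if}: not in promiscuous mode; Snort only sees "
                            "frames addressed to the sensor")
    admin = ifaces.get(admin_if)
    if admin is None or not admin["addrs"]:
        findings.append(f"{admin_if}: admin NIC has no address on the management net")
    else:
        for a in admin["addrs"]:
            if a.ip not in net:
                findings.append(f"{admin_if}: address {a} is outside management net {net}")
    # Any other addressed, non-loopback interface is an unplanned path into the sensor.
    for name, info in ifaces.items():
        if name not in (sniff_if, admin_if) and "LOOPBACK" not in info["flags"] and info["addrs"]:
            findings.append(f"{name}: unexpected addressed interface")
    return findings
```

Run it against the real `ip addr show` output of each sensor after every change to the management hub or the tap wiring; any finding means the box no longer matches the two-NIC design.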
