Posted on April 8, 2007, 2:49 am
please correct me, I'll sincerely appreciate it.
Over the last six months I have been researching employing an
Intrusion Detection System, and these are the results:
Most security-oriented companies sell hardware appliances for this
purpose, for example Sonicwall, Cisco, Symantec, McAfee. The prices
range from $400 to thousands. For a small business or home office,
that's a pretty steep price.
The alternative is using FREE, open-source software such as Snort,
Ethereal, and Nessus. Read more about them on snort.org,
The reason why I'm writing and posting this is because I have not
found easy-to-understand instructions on the internet, in newsgroups,
or even on expert-exchange.com! This is for the network administrator
who has a low budget and high security needs.
Ok, here's the setup / lab of a regular small business environment:
Internet -> Firewall/Router -> Switch/Hub -> Bunch of computers
The IDS/Sniffer computer:
Windows 2003 or Windows XP based
80GB Hard Drive
52X CD-ROM Drive
Here's what we installed for the IDS:
Snort 2.6, www.snort.org
Ethereal 0.9, www.ethereal.com
WinPcap 3.0 (Comes with www.ethereal.com)
EagleX 2.1, www.engagesecurity.com
Snort 2.6 = Intrusion Detection System
Ethereal 0.9 = Packet Sniffer and analyzer
WinPcap 3.0 = Needed to run Snort and Ethereal
EagleX 2.1 = Pre-config software for Snort, also comes with GUI
Interface known as IDS 1.1 RC4
Where to install the IDS/Sniffer computer? Here it is:
Internet -> Firewall/Router (INSTALL IT HERE) -> Switch/Hub -> Bunch of computers
Ok, so your firewall/router will have two cables going out, one to the
switch/hub, one to the IDS/Sniffer computer. Why?
The reason is this: most small businesses with more than 5
computers will probably use a switch, since it is smarter than a hub. A hub
broadcasts every packet it receives, whereas a switch usually has
smarter routing capability. In order for packets to be captured, they
have to be broadcast on the hub. Believe it or not, most small
businesses' routers/firewalls act as a hub unless specially designed
to be a router/firewall/switch. By employing it on the router/firewall,
it'll capture every packet that comes through your firewall and goes
out too (not sure about this one yet).
Alternatively, if you use a hub to connect all your computers, you can
employ it there, so it'll be:
Internet -> Firewall/Router -> Hub (INSTALL IT HERE) -> Bunch of computers
That way, you'll capture internal network traffic too.
Hope this helps. Please feel free to e-mail me directly with any
Small Business IT Consultant
Re: Employing Intrusion Detection System (IDS) and Packet Sniffer such as Snort and Ethereal in a small business environment
Standard mantra - security is not an object, but a philosophy. One tool
or application does not provide a silver bullet solution, and is rarely
useful in isolation.
except that ethereal was renamed 'wireshark' about nine months ago
[compton ~]$ zgrep linux.security ../big.8.list.03.15.07.gz
comp.os.linux.security Security and the GNU/Linux Operating System.
The name of this newsgroup is comp.os.linux.security - has nothing to do
with using a toy operating system in a critical application. If that is
the only one you know, you're probably not getting a call from a lot of
businesses - certainly not where I work.
I suppose - the little Network General sniffer I'm using is actually a
486 laptop, so maybe you've got a concept problem - windoze does that
And exactly why do you need this?
Snort is one of _many_ tools that might be useful, but is rarely enough
wireshark displays packet information in a colorful way for the user who
hasn't bothered to learn the first thing about networking protocols like
IP, TCP, UDP, and ICMP. It comes with a few Linux distributions, along
with the original tcpdump and about 18 other packet sniffers.
That's a requirement for windoze ONLY - most Linux distributions already
include libpcap, and it's a dependency for any packet sniffer that would
be installed on any non-windoze box.
Useless trash for the clueless
Unless your switch has a monitor port - the better ones do, while the
cheap stuff for the home user often does not.
Wrong. It's a lot easier to bring along a cheap hub and place this in the
line from the switch to the router. That way, you also don't fuck up the
settings on the router - a common problem with the clueless.
You can start by checking the local community college, and seeing if they
have networking classes - not the microsoft courses which are full of
intentional mis-information and concept errors, but something that uses
the W. Richard Stevens book as a textbook. As you apparently also
don't understand what Linux is, try looking at the Linux Documentation
Project, and read some of the HOWTOs. Some that you are unaware of are:
272577 Mar 20 13:09 HOWTO-INDEX
97194 Mar 20 13:09 INDEX
85507 Aug 20 2001 Firewall-HOWTO
42743 Nov 24 2001 Firewall-Piercing
708351 Nov 14 2005 IP-Masquerade-HOWTO
17605 Jul 21 2004 Masquerading-Simple-HOWTO
203891 Sep 29 2004 NET3-4-HOWTO
45604 Apr 18 2006 Networking-Overview-HOWTO
22582 Feb 6 2004 Reading-List-HOWTO
155096 Jan 23 2004 Security-HOWTO
278012 Jul 23 2002 Security-Quickstart-HOWTO
71626 Apr 4 2004 Unix-and-Internet-Fundamentals-HOWTO
There is also a 'Snort-Statistics-HOWTO' that is now obsolete, but any
search engine should find it in a few seconds.
Before using something as complex as an IDS, you need to have _WRITTEN_
policy in place - describing among other things what are and what is not
acceptable use of the computers. You need to learn _something_ about
the operating system those computers are using, and how to shut down the
many undesirable (and horribly insecure) services that are running on
those systems. Providing conceptual training to the users, so they have
a tiny grasp of the fundamentals will often reduce the exposure far more
than a conslutant coming in waving his favorite (and apparently
misunderstood) tool that's going to save the world.
Counting on an IDS is like sticking a few coupons from MacBurger-in-a-box
in your wallet as your earthquake preparedness kit. Ain't gonna hack it.
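The reply above argues that a sniffer is only useful to someone who understands the IP, TCP, UDP and ICMP headers it displays, and that libpcap/tcpdump are the underlying tools. As an added illustration that is not part of either post, the Python script below does by hand what tcpdump or Wireshark do before rendering anything: it parses a classic pcap byte string, walks each Ethernet II frame into its IPv4 header, verifies the IPv4 header checksum with RFC 1071 arithmetic, and decodes the TCP, UDP or ICMP header that follows. The capture in SAMPLE_PCAP is constructed inside the script (made-up MAC addresses, RFC 1918 addresses, a fake timestamp); nothing here is from the original posts or from the Snort, Wireshark or WinPcap projects.

```python
"""Decode Ethernet II / IPv4 / TCP / UDP / ICMP headers from a classic pcap blob (added illustration)."""
import struct
from typing import Dict, List

def mac(addr: bytes) -> str:
    return ":".join(f"{b:02x}" for b in addr)

def ipv4(addr: bytes) -> str:
    return ".".join(str(b) for b in addr)

def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum. With the checksum field zeroed it returns the
    value to insert; over a header carrying a correct checksum it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

TCP_FLAG_BITS = [(0x001, "FIN"), (0x002, "SYN"), (0x004, "RST"), (0x008, "PSH"),
                 (0x010, "ACK"), (0x020, "URG"), (0x040, "ECE"), (0x080, "CWR"), (0x100, "NS")]

def tcp_flag_names(flags: int) -> str:
    return "/".join(name for bit, name in TCP_FLAG_BITS if flags & bit) or "none"

def parse_pcap(data: bytes) -> List[bytes]:
    """Split a classic pcap (not pcapng) blob into raw link-layer frames."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"  # written on a little-endian host
    elif magic == 0xD4C3B2A1:
        endian = ">"  # written on a big-endian host
    else:
        raise ValueError("not a classic pcap file (bad magic)")
    frames, offset = [], 24  # skip the 24-byte global header
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, _orig = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        frames.append(data[offset:offset + incl_len])
        offset += incl_len
    return frames

def decode_frame(frame: bytes) -> Dict:
    """Walk one Ethernet II frame down to the transport header."""
    dst, src, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    info = {"eth_src": mac(src), "eth_dst": mac(dst), "ethertype": ethertype}
    if ethertype != 0x0800:
        info["l3"] = "non-IPv4"
        return info
    ip = frame[14:]
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum,
     s, d) = struct.unpack_from("!BBHHHBBH4s4s", ip, 0)
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes, options included
    info.update({"ip_src": ipv4(s), "ip_dst": ipv4(d), "ttl": ttl, "proto": proto,
                 "ip_checksum_ok": ip_checksum(ip[:ihl]) == 0})
    l4 = ip[ihl:total_len]
    if proto == 6:
        sport, dport, _seq, _ack, offs_flags = struct.unpack_from("!HHIIH", l4, 0)
        info.update({"l4": "TCP", "sport": sport, "dport": dport,
                     "tcp_flags": tcp_flag_names(offs_flags & 0x1FF)})
    elif proto == 17:
        sport, dport, length, _ = struct.unpack_from("!HHHH", l4, 0)
        info.update({"l4": "UDP", "sport": sport, "dport": dport, "udp_len": length})
    elif proto == 1:
        itype, icode = struct.unpack_from("!BB", l4, 0)
        info.update({"l4": "ICMP", "icmp_type": itype, "icmp_code": icode})
    else:
        info["l4"] = f"proto {proto}"
    return info

# --- constructed sample capture: made-up MACs, RFC 1918 addresses, fake timestamps ---
def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    to_bytes = lambda dotted: bytes(int(x) for x in dotted.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      ttl, proto, 0, to_bytes(src), to_bytes(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload

def build_frame(ip_packet: bytes) -> bytes:
    return struct.pack("!6s6sH", bytes.fromhex("00aabbccdd01"), bytes.fromhex("00aabbccdd02"), 0x0800) + ip_packet

def build_pcap(frames: List[bytes]) -> bytes:
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1175996940 + i, 0, len(f), len(f)) + f
    return out

SAMPLE_PCAP = build_pcap([
    build_frame(build_ipv4("192.168.1.10", "192.168.1.1", 6,   # TCP SYN to port 80
                           struct.pack("!HHIIHHHH", 40000, 80, 1, 0, 0x5002, 65535, 0, 0))),
    build_frame(build_ipv4("192.168.1.10", "192.168.1.1", 17,  # UDP datagram to port 53
                           struct.pack("!HHHH", 53001, 53, 19, 0) + b"constructed")),
    build_frame(build_ipv4("192.168.1.10", "192.168.1.1", 1,   # ICMP echo request
                           struct.pack("!BBHHH", 8, 0, 0, 0x4242, 1))),
])

def decode_sample() -> List[Dict]:
    return [decode_frame(f) for f in parse_pcap(SAMPLE_PCAP)]
```

Running `decode_sample()` yields one dict per frame: the first reports `l4 == "TCP"`, destination port 80 and `tcp_flags == "SYN"`, the second a UDP datagram to port 53, the third an ICMP echo request (type 8), all with `ip_checksum_ok` true. Flipping any byte of an IPv4 header in the blob turns that flag false, which is the kind of sanity check a sensor should apply before trusting a decoded header.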