RE: "Another" Newbie IDS Question

From: McCammon, Keith (
Date: 10/03/01

Message-ID: <>
From: "McCammon, Keith" <>
To: 'netsecurity' <>,
Subject: RE: "Another" Newbie IDS Question
Date: Wed, 3 Oct 2001 11:36:55 -0400 

This can go any number of ways, depending on what you're interested in
seeing. I prefer to place one in front and one behind my firewall. The one
in front serves as a sort of early warning system, and is invaluable when
dealing with a Nimda, CodeRed, etc. You can place a switch between the
router and the firewall, and hang a promiscuous interface off of off a
monitoring port.

The one behind the firewall can be tailored to look for much more specific
signatures, because you have an increased level of control of over the
traffic on your internal network. You can obviously use a number of
interfaces and monitoring points (just after firewall, just before DMX,
etc.), depending on 1) sensitivity of data, 2) general interest, or 3) your
level of paranoia.



-----Original Message-----
From: netsecurity []
Sent: Wednesday, October 03, 2001 10:08 AM
Subject: "Another" Newbie IDS Question

I run a "mostly NT network with the usual mix of workstations (NT, 98
& 2000). I want to put some form of IDS (Snort?) with a remote logging
daemon in place preferably using a Linux (Mandrake 8.0) I have. Any
pointers on how, what or wherefore?

A crude drawing of my network as follows:

CISCO Router
Checkpoint FW (NT4)
3Com Switch
    -->Hub 1 ----> LAN
    -->Hub 2 ----> DMZ

Allen Taylor
The DURA Companies
Indianapolis, IN

The information contained in this e-mail message is confidential,
intended only for the use of the individual or entity named above.
If the reader of this e-mail is not the intended recipient, or the
employee or agent responsible to deliver it to the intended recipient,
you are hereby notified that any review, dissemination, distribution
or copying of this communication is strictly prohibited. If you have
received this e-mail in error, please contact