Re: Newbie IDS questions

From: vokeyc@aciworldwide.com
Date: 01/10/02


To: "Mike Hrubes" <MHrubes@wizmo.com>
From: vokeyc@aciworldwide.com
Date: Thu, 10 Jan 2002 10:41:27 -0600


Hi Mike, it sure is possible, but I would suggest using iptables on your
gateway box
to block portscans and filter traffic. Attached is a copy of a generic
iptables script
to help you out. Remember that a firewall is only as good as the
operating system
you run it on, so, if you use linux, make sure it's patched and running
the latest kernel
(which can be found at www.kernel.org), also turn off all the unwanted
services such as rsh,
rexec, lockd, portmap, telnet, identd, inetd, lpd, etc. by running
chkconfig.

Actualy, for an operating system / firewall / IDS, I would use FreeBSD
with ipfw and snort. With
a previous company all my linux servers on our DMZ where hacked, but none
of the FreeBSD systems
where touched. Just a thought.

Good Luck.

Cory Vokey
Systems Administrator
ACI/MessagingDirect
www.messagingdirect.com
www.aciworldwide.com

"Mike Hrubes" <MHrubes@wizmo.com>
01/09/2002 10:29 AM

 
        To: <FOCUS-IDS@SECURITYFOCUS.COM>
        cc:
        Subject: Newbie IDS questions

Hi all,

I'm new to the IDS world. I understand what an IDS does, and why you
need it, but I have some questions on the technical aspect of IDS. We
are planning on implementing an IDS in the near future. The idea that
has been proposed is to put the IDS in the path between connections,
rather than connected in promiscuous mode. The reason they want to do
this is so they can also run a blocking software, like portsentry, to
block unwanted scans, etc.

Is this even possible to do? The idea is to use a linux server running
snort. This box would have two interfaces to route the traffic through
it, scanning the signatures at the same time.

Possible/not possible? If possible, good idea/bad idea? Opinions in
general?

Thanks in advance,

Mike Hrubes