Re: Newbie IDS questions

From: vokeyc@aciworldwide.com
To: "Mike Hrubes" <MHrubes@wizmo.com>
Date: Thu, 10 Jan 2002 10:41:27 -0600

Hi Mike, it sure is possible, but I would suggest using iptables on your gateway box to block portscans and filter traffic. Attached is a copy of a generic iptables script to help you out. Remember that a firewall is only as good as the operating system you run it on, so, if you use Linux, make sure it's patched and running the latest kernel (which can be found at www.kernel.org); also turn off all the unwanted services such as rsh, rexec, lockd, portmap, telnet, identd, inetd, lpd, etc. by running chkconfig.

Actually, for an operating system / firewall / IDS, I would use FreeBSD with ipfw and snort. With a previous company all my Linux servers on our DMZ were hacked, but none of the FreeBSD systems were touched. Just a thought.

Good Luck.

Cory Vokey
Systems Administrator
ACI/MessagingDirect
www.messagingdirect.com
www.aciworldwide.com

"Mike Hrubes" <MHrubes@wizmo.com>
01/09/2002 10:29 AM

To: <FOCUS-IDS@SECURITYFOCUS.COM>
cc:
Subject: Newbie IDS questions

Hi all,

I'm new to the IDS world. I understand what an IDS does, and why you
need it, but I have some questions on the technical aspect of IDS. We
are planning on implementing an IDS in the near future. The idea that
has been proposed is to put the IDS in the path between connections,
rather than connected in promiscuous mode. The reason they want to do
this is so they can also run blocking software, like portsentry, to
block unwanted scans, etc.

Is this even possible to do? The idea is to use a Linux server running
snort. This box would have two interfaces to route the traffic through
it, scanning the signatures at the same time.

Possible/not possible? If possible, good idea/bad idea? Opinions in
general?

Thanks in advance,

Mike Hrubes
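A gateway filter along the lines Cory describes (default-deny iptables on a two-interface box that logs and drops scan-style packets and only forwards what the LAN initiates), added here as an example; it is not the script attached to the original mail. The interface names eth0/eth1 and the LAN range 192.168.1.0/24 are assumptions.

```shell
#!/bin/sh
# Two-interface gateway filter in the spirit of the "generic iptables script"
# mentioned above (constructed example, not the original attachment).
# EXT_IF/INT_IF/LAN are assumed values; adjust them to the real box.
EXT_IF="${EXT_IF:-eth0}"        # faces the Internet
INT_IF="${INT_IF:-eth1}"        # faces the LAN
LAN="${LAN:-192.168.1.0/24}"    # assumed internal network

# run: execute a command, or just print it when DRY_RUN=1 (review before loading).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$@"; else "$@"; fi
}

apply_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    # Start clean; default-deny on INPUT and FORWARD, as a gateway should.
    run iptables -F
    run iptables -X
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT
    # Loopback, plus replies to connections the gateway or the LAN started.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The LAN may go out; nothing new from outside is forwarded in.
    run iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN" -j ACCEPT
    # Illegal TCP flag combinations (NULL, all-flags, XMAS, SYN/FIN, SYN/RST)
    # only appear in stealth scans: log them at a limited rate, then drop.
    for combo in "ALL NONE" "ALL ALL" "ALL FIN,URG,PSH" "SYN,FIN SYN,FIN" "SYN,RST SYN,RST"; do
        set -- $combo
        run iptables -A INPUT -i "$EXT_IF" -p tcp --tcp-flags "$1" "$2" \
            -m limit --limit 5/min -j LOG --log-prefix "SCAN: "
        run iptables -A INPUT -i "$EXT_IF" -p tcp --tcp-flags "$1" "$2" -j DROP
    done
    # Everything else is logged (rate-limited so a sweep cannot fill syslog)
    # and then falls through to the DROP policy.
    run iptables -A INPUT -m limit --limit 3/min -j LOG --log-prefix "DROP: "
    run iptables -A FORWARD -m limit --limit 3/min -j LOG --log-prefix "DROP: "
}

# "show" prints the rule set for review; "apply" loads it (needs root).
case "${1:-}" in
    show)  DRY_RUN=1; apply_rules ;;
    apply) apply_rules ;;
esac
```

`sh fw.sh show` prints the rules so they can be checked before `sh fw.sh apply` loads them; `-m state` is the classic match from that era, and current kernels also accept the equivalent `-m conntrack --ctstate`.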
