Re: Newbie IDS questions

From: by way of L. Taylor Banks (dr.kaos@kaos.to)
Date: 01/16/02


From: dr.kaos <dr.kaos@kaos.to>(by way of L. Taylor Banks <taylor@secretagenda.org>)
Date: Wed, 16 Jan 2002 00:12:57 -0500
To: "Steve A. Tindle III" <leonexis@nuleo.org>, <MHrubes@wizmo.com>

On Saturday 12 January 2002 12:46 am, Steve A. Tindle III wrote:
> SmoothWall.org has a really great linux Firewall/router/IDS that supports
> up to three interfaces (RED outside, GREEN internal network, ORANGE DMZ).
> We've been using it for a few months now and it works great. It's a complete
> system, but the download is only 20mb for the ISO. Works on a P133 with
> 32mb ram with a good amount of speed. It also logs port scans and some
> trojan activity. Go to http://www.smoothwall.org for more info.

Several problems with Smoothwall, tho:

1> Unless you shell out bucks for the "professional" (commercial) version of
the firewall, you are limited to one external IP and port forwarding via that
IP. This severely limits one's ability to maintain multiple servers providing
the same service without putting standard services on non-standard ports
(i.e. having to tell people to go to http://someurl.com:86/)

2> Again, unless you buy the commercial version you are not able to
administer policy for outbound traffic via the admin GUI, which should be a
concern for any administrator, regardless of trust in internal users (should
an attacker compromise an internal host, policies need to be in place to
prevent outbound attacks from your own network).

3> Although Snort is implemented on the GPL version, there are no
administrative facilities to add/modify/remove existing rules, nor are there
tools for customization of IDS policy (i.e. to prevent false positive port
scans from upstream DNS servers you have to manually modify the Snort config
files, which defeats the point of having a GUI-administered facility in the
first place).

4> Smoothwall does not allow blocking traffic based on matches against Snort
rules. Thus, the box will not use signature matching to eliminate malicious
packets, as I think Mike intends to do.

5> See the following URL for a recent security review of the product and
independent user feedback on the attitudes of the development team:

http://slashdot.org/article.pl?sid=02/01/09/2050237&mode=thread

Just my $.02

--
./dr.kaos

> > Hi all,
> >
> > I'm new to the IDS world. I understand what an IDS does, and why you
> > need it, but I have some questions on the technical aspect of IDS. We
> > are planning on implementing an IDS in the near future. The idea that
> > has been proposed is to put the IDS in the path between connections,
> > rather than connected in promiscuous mode. The reason they want to do
> > this is so they can also run a blocking software, like portsentry, to
> > block unwanted scans, etc.
> >
> > Is this even possible to do? The idea is to use a linux server running
> > snort. This box would have two interfaces to route the traffic through
> > it, scanning the signatures at the same time.
> >
> > Possible/not possible? If possible, good idea/bad idea? Opinions in
> > general?
> >
> > Thanks in advance,
> >
> > Mike Hrubes
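Point 3 above concerns the IDS policy exception that Smoothwall's GUI cannot express: upstream DNS servers answering bursts of queries trip Snort's portscan preprocessor, and the only fix is editing the Snort config by hand (Snort 1.x's portscan-ignorehosts preprocessor directive). The script below is an added example, not code from the post or from Smoothwall; it applies the same ignore-list idea after the fact to constructed log lines in the style of spp_portscan syslog output, so the addresses, hostnames and timestamps are made up.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines in the style of Snort 1.x spp_portscan syslog
# output (not taken from the post; hosts and timestamps are invented).
SAMPLE_LOG = """\
Jan 16 00:12:57 fw snort: spp_portscan: PORTSCAN DETECTED from 192.0.2.53 (THRESHOLD 4 connections exceeded in 0 seconds)
Jan 16 00:13:02 fw snort: spp_portscan: PORTSCAN DETECTED from 198.51.100.7 (THRESHOLD 4 connections exceeded in 1 seconds)
Jan 16 00:13:10 fw snort: spp_portscan: portscan status from 192.0.2.53: 6 connections across 1 hosts: TCP(0), UDP(6)
Jan 16 00:13:15 fw snort: spp_portscan: End of portscan from 192.0.2.53: TOTAL time(3s) hosts(1) TCP(0) UDP(6)
Jan 16 00:13:20 fw snort: spp_portscan: PORTSCAN DETECTED from 203.0.113.9 (THRESHOLD 4 connections exceeded in 0 seconds)
"""

# Hypothetical upstream DNS servers whose replies look like UDP scans to the
# preprocessor; single hosts and whole prefixes are both accepted.
IGNORE_HOSTS = ["192.0.2.53/32", "192.0.2.0/28"]

# Only the "PORTSCAN DETECTED" line starts a new alert; status and
# end-of-scan lines refer back to it and carry nothing new to suppress.
SCAN_RE = re.compile(r"spp_portscan: PORTSCAN DETECTED from (\S+) ")


def parse_ignore_list(entries):
    """Turn host/CIDR strings into network objects (host bits tolerated)."""
    return [ip_network(entry, strict=False) for entry in entries]


def is_ignored(addr, networks):
    """True if the alert source falls inside any ignored prefix."""
    ip = ip_address(addr)
    return any(ip in net for net in networks)


def filter_portscan_alerts(log_text, ignore_hosts):
    """Return (kept, suppressed): alert sources outside / inside the ignore list."""
    nets = parse_ignore_list(ignore_hosts)
    kept, suppressed = [], []
    for line in log_text.splitlines():
        match = SCAN_RE.search(line)
        if not match:
            continue
        src = match.group(1)
        (suppressed if is_ignored(src, nets) else kept).append(src)
    return kept, suppressed


if __name__ == "__main__":
    kept, suppressed = filter_portscan_alerts(SAMPLE_LOG, IGNORE_HOSTS)
    print("alerts kept:", kept)
    print("alerts suppressed (upstream DNS):", suppressed)
```

Suppression here is by source address only, so a real scan from an ignored prefix would be hidden too; keep the list to the specific resolvers you actually query.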
