FW + IDS on same machine?
Sgt_B
July 29th, 2002, 04:59 PM
I'm running Checkpoint FW-1 NG on Redhat Linux 7.2. Everything seems to be working fine. I've also been playing around with SNORT on another machine as well. I was wondering if it would be advisable to put both products on one redhat box?
Also what is the best practice for placement of an IDS in a network?
Thanks,
B
droby10
July 29th, 2002, 05:13 PM
Under the traditional layered security methodology, this would be a bad idea.
AngryBob
July 29th, 2002, 05:20 PM
Putting Snort behind a firewall is really what you want. Don't do it on the same box. That way you are detecting everything that makes it through your firewall.
aragorn28
July 30th, 2002, 09:13 AM
If you have a box from http://www.onesecure.com you can put your IDS inline with your network. The smart thing about the OneSecure box is that it can also do prevention.
They say:
'The OneSecure Intrusion Detection and Prevention (IDP™) system effectively secures your network'
This is an Intel server-style box with multiple NICs. The core software is built by a breakaway group of FW-1 engineers and can import your objects from FW-1. Because it can run inline, it's a true 2nd-gen IDS system...
and no i don't work for them ;-)
iNViCTuS
July 30th, 2002, 06:12 PM
I definitely would not recommend both on the same box. First of all, an IDS probe should be in promiscuous mode on the network, meaning that there is no TCP/IP stack bound to the monitoring interface so the IDS cannot be detected. We all know that a firewall will not work very well without TCP/IP, so this is not possible, and is one reason why I don't think it is a good idea.
This setup also does not allow you much flexibility because you really cannot choose which traffic you want to monitor by strategic placement of the sensor on the network. Let the firewall be a firewall, and let your IDS be your IDS....don't try to combine them.
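The post above describes the sensor-side half of the argument: a passive Snort probe should sniff on an interface that is up and promiscuous but has no IP address bound and does not answer ARP, so nothing on the monitored segment can elicit a reply from it. The following Python is an added example, not code from the original thread or from Snort, Check Point or IPCop. It parses the output of the iproute2 command `ip addr show` (a constructed sample is embedded, with interface names and addresses chosen for illustration) and reports every way a given interface falls short of that stealth state; it also emits the `ip`/`sysctl` commands that put a Linux interface into that state. A firewall interface necessarily fails this audit, which is the point the thread is making.

```python
"""Audit a Linux interface for use as a passive IDS sensor port.

A passive sensor port should be UP, in PROMISC mode, have NOARP set and
carry no inet/inet6 address.  libpcap-based tools such as Snort open the
interface at the link layer, so they capture fine without an address.
The sample `ip addr show` output below is constructed for this example.
"""
import re

# Matches the header line of each interface block, e.g.
# "2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 ..."
HEADER_RE = re.compile(r"^(\d+): ([^:@]+)(?:@\S+)?: <([^>]*)>")

# Constructed sample: eth0 is a firewall-style interface, eth1 is a clean
# sensor port, eth2 is promiscuous but still has ARP and a link-local IPv6.
SAMPLE_IP_ADDR = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:11:22:33 brd ff:ff:ff:ff:ff:ff
    inet 192.0.2.1/24 brd 192.0.2.255 scope global eth0
    inet6 fe80::20c:29ff:fe11:2233/64 scope link
3: eth1: <BROADCAST,MULTICAST,PROMISC,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:44:55:66 brd ff:ff:ff:ff:ff:ff
4: eth2: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:77:88:99 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::20c:29ff:fe77:8899/64 scope link
"""


def parse_ip_addr(text):
    """Return {iface: {"flags": set_of_flags, "addrs": [cidr, ...]}}."""
    ifaces = {}
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group(2)
            ifaces[current] = {"flags": set(m.group(3).split(",")), "addrs": []}
            continue
        if current is None:
            continue
        parts = line.split()
        # Any bound address, v4 or v6, means the kernel will talk on this port.
        if len(parts) >= 2 and parts[0] in ("inet", "inet6"):
            ifaces[current]["addrs"].append(parts[1])
    return ifaces


def audit_sensor_iface(ifaces, name):
    """Return a list of problems; an empty list means a clean sensor port."""
    if name not in ifaces:
        return [f"{name}: interface not found"]
    flags, addrs = ifaces[name]["flags"], ifaces[name]["addrs"]
    problems = []
    if "UP" not in flags:
        problems.append(f"{name}: interface is down")
    if "PROMISC" not in flags:
        problems.append(f"{name}: not in promiscuous mode, will miss traffic not addressed to it")
    if "NOARP" not in flags:
        problems.append(f"{name}: ARP enabled, host will answer ARP requests on the tap")
    for addr in addrs:
        # A link-local IPv6 address appears automatically when the link comes
        # up unless disable_ipv6 is set, so this catches the common oversight.
        problems.append(f"{name}: address bound: {addr}")
    return problems


def stealth_commands(name):
    """iproute2/sysctl commands (run as root) that make `name` a stealth sensor port."""
    return [
        f"ip addr flush dev {name}",
        f"ip link set dev {name} arp off",
        f"ip link set dev {name} promisc on",
        f"sysctl -w net.ipv6.conf.{name}.disable_ipv6=1",
        f"ip link set dev {name} up",
    ]


if __name__ == "__main__":
    table = parse_ip_addr(SAMPLE_IP_ADDR)
    for iface in ("eth0", "eth1", "eth2"):
        findings = audit_sensor_iface(table, iface)
        print(iface, "OK" if not findings else "; ".join(findings))
    print("\n".join(stealth_commands("eth1")))
```

On a live box, feed the real output of `ip addr show` to `parse_ip_addr` instead of the sample. The firewall's own interfaces will always report bound addresses and ARP enabled, because that is what makes them a firewall; only a dedicated port with nothing but a link-layer presence passes.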
Sgt_B
July 30th, 2002, 06:20 PM
Hey thanks for all the advice! I appreciate all the help! I might put an IDS inside and outside of the firewall. I have a decent little test environment to run this on. So thanks again for the help!
slackwarelinux
July 31st, 2002, 02:28 AM
Yeah, everyone is right here. If you can get away with it, don't place the two on the same host. What happens if your host goes down? Your firewall and your IDS are gone. Also, what happens if someone knows you're running an IDS system and tries to overload your IDS by sending specially crafted data that's designed to trigger your IDS? It could crash, not respond, or even fill up your disks from all the logging.
Anyway, I would not recommend placing an IDS on the same box as the firewall. If you don't have the money or the hardware, then go with the firewall and configure TCP Wrappers or some sort of small-time IDS.
good luck
SFNative
July 31st, 2002, 04:18 AM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=#post) by iNViCTuS
<snip>
First of all, an IDS probe should be in promiscuous mode on the network meaning that there is no TCP/IP stack bound to the monitoring interface so the IDS cannot be detected. We all know that a firewall will not work very well without TCP/IP, so this is not possible, and is one reason why i don't think it is a good idea.
Hmm. I can see an argument for why it's not a good idea, but it is definitely possible. Have you ever checked out IPCop? It runs both a firewall and an IDS (Snort) and does set the NIC to promiscuous mode.
This isn't a blast at you. I'm just curious as to any info you might have regarding that.
iNViCTuS
July 31st, 2002, 04:51 PM
SFNative...
I was referring specifically to Checkpoint, so perhaps I phrased my comment wrong. What I should have said is it is not possible on any useful firewall. The purpose of a firewall is to act as a service gateway between a trusted and an untrusted network. If the firewall does not utilize TCP/IP, it is virtually useless. IPCop is not an enterprise level firewall nor will it ever be. While I can appreciate what they are trying to do with their product, I don't think it is really based on solid networking fundamentals.
I am not saying it is a bad product, it just doesn't compare to Checkpoint or Cisco PIX, or many others. If you look at their mission statement, it does not say anything about providing an enterprise-scalable product.
SFNative
July 31st, 2002, 10:17 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=#post) by iNViCTuS
I am not saying it is a bad product, it just doesn't compare to Checkpoint or Cisco PIX, or many others. If you look at their mission statement, it does not say anything about providing an enterprise-scalable product.
I hear what you're saying and I agree with that. What I'm wondering about is the comment that it doesn't use TCP/IP.
I'll admit, I'm fairly green when it comes to many aspects of security but what I'm reading here is that either the NIC is not in promiscuous mode or IPCop does not make use of TCP/IP. Neither of which, from what limited understanding I have of the product, is true. Or perhaps, more accurately, is supposed to be true.
I realize this is drifting away from the topic at hand. Sorry.
Biznicchio
July 31st, 2002, 11:09 PM
For IDS detection and prevention you could also look at using Snort and Hogwash. From my research, Hogwash is an IDS prevention application built off Snort. It is designed to be placed inline and can be used with no IP support on your box, limiting your risk to IP attacks.
The Hogwash web site address is http://hogwash.sourceforge.net
Hope this additional data is helpful.
iNViCTuS
August 1st, 2002, 12:43 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=#post) by Biznicchio
For IDS detection and prevention you could also look at using Snort and Hogwash. From my research, Hogwash is an IDS prevention application built off Snort. It is designed to be placed inline and can be used with no IP support on your box, limiting your risk to IP attacks.
The Hogwash web site address is http://hogwash.sourceforge.net
Hope this additional data is helpful.
Exactly...Hogwash is an awesome product....
An IDS without TCP/IP is perfect, and is how it should be done...