Results 1 to 5 of 5

Thread: IDS on firewall?

  1. #1
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027

    Question IDS on firewall?

    Hi,

    I'll soon (hopefully!: the current security arrangment is HORRIBLE), a 3 legged firewall (ie: with a DMZ) and I was wondering if there would be anything wrong to setting up snort on the firewall itself (the internal network is switched and DMZ will most likely be too...)?

    Follow up on that would be how much processing power would be necessary for that firewall (OpenBSD 3.0 with pf) running snort and serving arround a 100 hosts maximum (average would probably be 35 outgoing connections at a time) ?

    Other setup suggestions appreciated too...

    Ammo

  2. #2
    Senior Member
    Join Date
    Jul 2001
    Posts
    461
    hmmm...

    On a switched network (with any products from the "Big Players" )you should be able to select at least one port on the switch to recieve a copy of all traffic, that way you can run a packet sniffer/IDS like snort.

    I am not sure how much luck you would have running your IDS on the firewall. I played with snort once, running on a box running ipchains(or was it tables... I forget) with a locked down ruleset, and I had a lot of trouble with it. The firewall rules seemed to be blocking all the traffic that I wanted to look at. I didnt play with it for long, I simply wiped the machine and reinstalled the OS, then put snort on it, and removed the IP address from the interface which was attached to the network, so it wasnt available to anyone on the internet.


    My guess is, that since snort wants to put the interface into promiscuos mode, it doesnt enjoy being on a firewall, because the purpose of the firewall is to prevent traffic from passing to applications behind it.

    I would think your best bet would be to figure out how to span the ports on your Switches...

    Good luck,

    IchNiSan

  3. #3
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628
    Or use a hub on the uplink port (or an optical splitter for fiber) to capture. I tend to not like to use the port mirroring capabilities of most switches cause depending on the amount of traffic that can cause problems.

    I wouldn't recommend using your firewall/IDS on the same box.
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  4. #4
    Junior Member
    Join Date
    Mar 2002
    Posts
    3
    try downloading IDServe from the web

  5. #5
    AntiOnline Senior Member souleman's Avatar
    Join Date
    Oct 2001
    Location
    Flint, MI
    Posts
    2,883
    Banana> IDServe has absoutely NOTHING to do with this thread. What is your infatuation with GRC programs? Please, learn what they are before you recomend them.
    \"Ignorance is bliss....
    but only for your enemy\"
    -- souleman

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •