
Thread: FW + IDS on same machine?

  1. #1 (Senior Member, joined Feb 2002, 177 posts)

    FW + IDS on same machine?

    I'm running Checkpoint FW-1 NG on Redhat Linux 7.2. Everything seems to be working fine. I've also been playing around with SNORT on another machine as well. I was wondering if it would be advisable to put both products on one redhat box?
    Also what is the best practice for placement of an IDS in a network?

    Thanks,
    B

  2. #2 (Senior Member, joined Jun 2002, 165 posts)
    Under the traditional layered security methodology, this would be a bad idea.
    -droby10

  3. #3
    Putting Snort behind a firewall is really what you want. Don't do it on the same box. That way you are detecting everything that makes it through your firewall.

  4. #4 (Junior Member, joined Mar 2002, 10 posts)
    If you have a box from http://www.onesecure.com you can put your IDS inline with your network. The smart thing about the OneSecure box is that it can also do prevention.

    they say

    'The OneSecure Intrusion Detection and Prevention (IDP™) system effectively secures your network'

    This is an Intel server-style box with multiple NICs. The core software is built by a breakaway group of FW-1 engineers and can import your objects from FW-1. Because it can run inline, it's a true second-generation IDS system.

    And no, I don't work for them ;-)

  5. #5 (Senior Member, joined Jan 2002, 458 posts)
    I definitely would not recommend both on the same box. First of all, an IDS probe should be in promiscuous mode on the network, meaning that there is no TCP/IP stack bound to the monitoring interface so the IDS cannot be detected. We all know that a firewall will not work very well without TCP/IP, so this is not possible, and is one reason why I don't think it is a good idea.

    This setup also does not allow you much flexibility because you really cannot choose which traffic you want to monitor by strategic placement of the sensor on the network. Let the firewall be a firewall, and let your IDS be your IDS....don't try to combine them.
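
    The point above about a sensor interface with no TCP/IP stack bound to it can be checked mechanically. The following is an added example, not code from any poster or from Snort, IPCop or Checkpoint: two small parsers read the output of `ip -o addr show` and `ip -o link show` and report whether a sniffing interface has no IP address configured and has the PROMISC flag set, plus a helper that applies that state. The interface name `eth1` and the sample `ip` output lines in the comments are constructed; the live functions assume the iproute2 `ip` command is present.

```shell
#!/bin/sh
# Added example: verify that a dedicated IDS monitoring interface is a
# "stealth" sniffing port: no IPv4/IPv6 address bound to it, and the
# PROMISC flag set so the NIC passes all frames up to the sensor.
# Interface name "eth1" is a constructed assumption.

# check_no_addr OUTPUT
#   OUTPUT is the text from `ip -o addr show dev <iface>`.
#   Returns 0 when no "inet" or "inet6" address line is present.
#   Constructed sample of a bad line:
#     "2: eth1    inet 10.0.0.5/24 brd 10.0.0.255 scope global eth1"
check_no_addr() {
    ! printf '%s\n' "$1" | grep -Eq '[[:space:]]inet6?[[:space:]]'
}

# check_promisc OUTPUT
#   OUTPUT is the text from `ip -o link show dev <iface>`.
#   Returns 0 when the flag list contains PROMISC.
#   Constructed sample of a good line:
#     "2: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 ..."
check_promisc() {
    printf '%s\n' "$1" | grep -q 'PROMISC'
}

# audit_sensor_iface IFACE
#   Live check against the running system. Prints one line per finding
#   and returns 0 only if both conditions hold.
audit_sensor_iface() {
    iface="$1"
    addrs=$(ip -o addr show dev "$iface" 2>/dev/null) || {
        echo "audit: interface $iface not found"; return 2; }
    link=$(ip -o link show dev "$iface" 2>/dev/null)
    rc=0
    if check_no_addr "$addrs"; then
        echo "ok:   $iface has no IP address bound"
    else
        echo "FAIL: $iface has an IP address; sensor is reachable on the wire"
        rc=1
    fi
    if check_promisc "$link"; then
        echo "ok:   $iface is in promiscuous mode"
    else
        echo "FAIL: $iface is not in promiscuous mode"
        rc=1
    fi
    return $rc
}

# make_sensor_iface IFACE
#   Put IFACE into the audited state: drop any addresses, stop the kernel
#   from auto-assigning an IPv6 link-local address, enable PROMISC.
#   Requires root; changes are not persistent across reboot.
make_sensor_iface() {
    iface="$1"
    ip addr flush dev "$iface"
    sysctl -qw "net.ipv6.conf.${iface}.disable_ipv6=1"
    ip link set dev "$iface" promisc on
    ip link set dev "$iface" up
}

# Usage: ./sensor_iface.sh eth1        (audit only)
#        ./sensor_iface.sh eth1 apply  (configure, then audit)
if [ $# -gt 0 ]; then
    [ "$2" = "apply" ] && make_sensor_iface "$1"
    audit_sensor_iface "$1"
fi
```

    Run the audit from cron or a configuration-check job on the sensor; a FAIL on the address check means the monitoring NIC has an IP stack bound to it, which is exactly the condition the post above says a probe should avoid.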

  6. #6 (Senior Member, joined Feb 2002, 177 posts)
    Hey, thanks for all the advice! I appreciate all the help! I might put an IDS inside and outside of the firewall. I have a decent little test environment to run this on. So thanks again for the help!

  7. #7

    RE:

    Yeah, everyone is right here. If you can get away with it, don't place the two on the same host. What happens if your host goes down? Your firewall and your IDS are gone. Also, what happens if someone knows you're running an IDS system and tries to overload your IDS by sending specially crafted data that's designed to trigger your IDS? It could crash, not respond, or even fill up your disks from all the logging.

    Anyway, I would not recommend placing an IDS on the same box as the firewall. If you don't have the money or the hardware, then go with the firewall and configure TCP Wrappers or some sort of small-time IDS.

    Good luck

  8. #8 (Junior Member, joined Jul 2002, 15 posts)
    Originally posted here by iNViCTuS
    <snip>
    First of all, an IDS probe should be in promiscuous mode on the network, meaning that there is no TCP/IP stack bound to the monitoring interface so the IDS cannot be detected. We all know that a firewall will not work very well without TCP/IP, so this is not possible, and is one reason why I don't think it is a good idea.
    Hmm. I can see an argument for why it's not a good idea, but it is definitely possible. Have you ever checked out IPCop? It runs both a firewall and an IDS (Snort) and does set the NIC to promiscuous mode.

    This isn't a blast at you. I'm just curious as to any info you might have regarding that.
    SFNative
    ~ Nothing exceeds like excess ~

  9. #9 (Senior Member, joined Jan 2002, 458 posts)
    SFNative...

    I was referring specifically to Checkpoint, so perhaps I phrased my comment wrong. What I should have said is it is not possible on any useful firewall. The purpose of a firewall is to act as a service gateway between a trusted and an untrusted network. If the firewall does not utilize TCP/IP, it is virtually useless. IPCop is not an enterprise level firewall nor will it ever be. While I can appreciate what they are trying to do with their product, I don't think it is really based on solid networking fundamentals.

    I am not saying it is a bad product, it just doesn't compare to Checkpoint or Cisco PIX, or many others. If you look at their mission statement, it does not say anything about providing an enterprise-scalable product.

  10. #10 (Junior Member, joined Jul 2002, 15 posts)
    Originally posted here by iNViCTuS
    I am not saying it is a bad product, it just doesn't compare to Checkpoint or Cisco PIX, or many others. If you look at their mission statement, it does not say anything about providing an enterprise-scalable product.
    I hear what you're saying and I agree with that. What I'm wondering about is the comment that it doesn't use TCP/IP.

    I'll admit, I'm fairly green when it comes to many aspects of security, but what I'm reading here is that either the NIC is not in promiscuous mode or IPCop does not make use of TCP/IP. Neither of which, from what limited understanding I have of the product, is true. Or perhaps, more accurately, is supposed to be true.

    I realize this is drifting away from the topic at hand. Sorry.
    SFNative
    ~ Nothing exceeds like excess ~
