
Thread: How should I set up my network?

  1. #1
    Junior Member
    Join Date
    Jul 2002
    Posts
    25

    How should I set up my network?

    I just recently switched over to a wireless network at my house. Before this, I was running redhat 7 as a masquerading server (running snort) and had a windows 2k system behind that.

    Currently, however, the wireless router is acting as both the masquerading server and the firewall, with the Win2k and RH server behind the router. The problem I am having is that I want to run snort in a DMZ, but I don't want to purchase another IP address to have this thing outside my router. Short of getting another IP address, what is the best way to set up my network so that I can have Redhat run an IDS, analyzing data from the Internet (not my internal network)?

    Any input is appreciated!

    -Scott

  2. #2
    Senior Member
    Join Date
    Mar 2002
    Posts
    442
    On your router you should have the option to set one of the internal IP addresses to the DMZ. If not, get a better router. You should be able to consult your documentation on how to set up a box on the DMZ step by step by http'ing to your router. Should not be too difficult.

    If you don't have this option in your router, another option would be to turn on port forwarding to your redhat box and just apply it to all ports (0-65535) tcp/udp; that should work well enough.

    We would be able to help more specifically if you told us specifically what wireless router you purchased, or are using.

  3. #3
    The3ntropy is correct - I'm assuming that you've probably got a Linksys, DLink, etc. wireless router for your setup. You should be able to enter the router's setup via a web browser - just enter the IP address (internal) of the router into your browser, type the passwords, and you should be in. From that point, at least from all of the setups I've seen, you can specify an internal host (Ex: 192.168.1.150) to be in the DMZ - this will save you from purchasing another IP address.
    - Maverick

  4. #4
    Junior Member
    Join Date
    Jul 2002
    Posts
    25
    This is why I love AntiOnline - it's an invaluable source of information.

    I was able to find the DMZ host option, and am so excited to start using snort again! Thanks again for your comments!

    -Scott

  5. #5
    Senior Member
    Join Date
    Mar 2002
    Posts
    442
    We are, as always, glad to help. And also glad that it worked with few or no problems.

  6. #6
    Senior Member
    Join Date
    Jan 2002
    Posts
    458
    This really has nothing to do with the router. The best way to do what you are trying to do is to use a hub (not a switch) outside your router. You can then put a second interface in your IDS (Snort BOX) and set the second interface to promiscuous mode. Connect this interface into the hub (outside the router). If there is no TCP stack on the outside interface, you don't have to worry about it from a security perspective. The active interface resides on your trusted segment, so the box can be used as normal...

    DO NOT use any type of DMZ setting on any SOHO type device. All this does is set up port forwarding to your machine. While this technically would probably work, you are exposing everything on your network if the virtual DMZ host is compromised.

  7. #7
    Junior Member
    Join Date
    Jul 2002
    Posts
    25
    I'm not sure I understand the phrase 'outside the router'. How would I set up the hub outside the router?

    -smartin

  8. #8
    Senior Member
    Join Date
    Jan 2002
    Posts
    458
    The way it needs to be set up is as follows (assuming you are using DSL or Cable):

    INTERNET----->DSL/CABLE MODEM----->HUB----->WIRELESS ROUTER----->LAN
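    A small check for the passive-tap configuration described in posts #6 and #8 (second NIC in promiscuous mode, no IP stack bound to it), added here as an example and not code from the thread. It parses constructed `ip -o link` / `ip -o addr` style output; the interface names and addresses are made up.

```python
import re

# Constructed sample output shaped like `ip -o link` and `ip -o addr`
# (not captured from a real host): eth0 sits on the trusted LAN, eth1 is
# the sniffing NIC plugged into the hub outside the router.
SAMPLE_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
"""
SAMPLE_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.168.1.150/24 brd 192.168.1.255 scope global eth0
2: eth0    inet6 fe80::1/64 scope link
"""


def parse_links(text):
    """Map interface name -> set of link flags from `ip -o link` output."""
    links = {}
    for line in text.splitlines():
        m = re.match(r"\d+:\s+(\S+?):\s+<([^>]*)>", line)
        if m:
            links[m.group(1)] = set(m.group(2).split(","))
    return links


def parse_addrs(text):
    """Map interface name -> list of inet/inet6 addresses from `ip -o addr`."""
    addrs = {}
    for line in text.splitlines():
        m = re.match(r"\d+:\s+(\S+)\s+(inet6?)\s+(\S+)", line)
        if m:
            addrs.setdefault(m.group(1), []).append(m.group(3))
    return addrs


def check_sniff_interface(name, link_text, addr_text):
    """Return a list of problems; an empty list means the interface is a
    proper passive tap: up, promiscuous, and with no address it could answer on."""
    flags = parse_links(link_text).get(name)
    if flags is None:
        return [f"{name}: interface not found"]
    problems = []
    if "PROMISC" not in flags:
        problems.append(f"{name}: not in promiscuous mode")
    if "UP" not in flags:
        problems.append(f"{name}: link is down")
    for addr in parse_addrs(addr_text).get(name, []):
        problems.append(f"{name}: has address {addr} (reachable from outside the router)")
    return problems
```

On a real Snort box the two inputs would come from `ip -o link` and `ip -o addr`; a non-empty result for the outside NIC means the box is not the "no TCP stack" tap the thread recommends.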

  9. #9
    Senior Member
    Join Date
    May 2003
    Posts
    604
    If your AP supports MAC filtering/locking I suggest you use it, since you do not appear to have a router between your internal LAN and WLAN in your setup.

    -Maestr0
    "If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier
