Thread: Firewall/IDS Monowall and Snort?

  1. #1
    Member
    Join Date
    Apr 2002
    Posts
    52

    Firewall/IDS Monowall and Snort?

    Okay, here is the deal... I'm wanting to set up a firewall at home and incorporate an IDS such as Snort. I'm considering using m0n0wall, but it looks like I would have to install my IDS on a separate machine, as opposed to, say, IPCop, which would allow me to install Snort. Is this because IPCop is Linux based and m0n0wall is BSD? I would prefer to have one system doing both jobs that I can log into remotely. I have never configured iptables or IFwhatchamacallit on BSD, nor have I run m0n0wall or IPCop before. I am also running a wireless router. So what would be the ideal setup?

    A) [DSLMODEM] ---> [m0n0wall] ---> [IDS] ---> [Wireless Router]


    B) [DSLMODEM] ---> [IPcop w/snort] ---> [Wireless Router]

    or

    C) [DSLMODEM] ---> [m0n0wall] ---> [Wireless Router] ---> [IDSbox w/Airsnort]

    or am I way off here?

  2. #2
    Senior Member
    Join Date
    Jul 2001
    Posts
    343
    OK... here is an easy way to do the job....
    use www.ipcop.org as the IDS box,
    and I do it this way for extra
    protection and best security....


    DSL Modem --> Wireless Router --> IPCop Box
    Install OpenVPN on the box and bingo, you have security
    for your wireless,
    and add this one line into the OpenVPN client:

    redirect-gateway

    Bingo... no matter what happens on the wireless side
    you are secured...

    http://www.ipcop.org
    http://www.zerina.de/
    http://firewalladdons.sourceforge.net/


    PS: You can use the 3 NIC instead of the 2 NIC and
    use a WAP instead of Wireless router.
    Franklin Werren at www.bagpipes.net
    Yes I do play the Bagpipes!

    And learning to Play the Bugle
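    An added illustration of the client directive the post above mentions (this is not from the post or from the IPCop/Zerina projects); the server name and certificate file names are placeholders:

    ```ini
    # OpenVPN client configuration (added example; placeholders marked below)
    client
    dev tun
    proto udp
    # Placeholder: name or LAN-side address of the IPCop box running the OpenVPN server
    remote ipcop.example.lan 1194
    # Placeholder file names for the CA certificate and this client's certificate/key
    ca ca.crt
    cert client.crt
    key client.key
    # Without the next line, only traffic for the VPN subnet enters the tunnel; everything
    # else leaves the client directly over the wireless LAN and never reaches the firewall.
    # 'def1' adds two more-specific routes instead of replacing the default route, so the
    # original route comes back cleanly when the tunnel closes.
    redirect-gateway def1
    ```

    With this in place the IPCop firewall and IDS see the wireless client's traffic inside the tunnel, which is why the post pairs the VPN with the firewall rather than relying on the router alone.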

  3. #3
    Member
    Join Date
    Apr 2002
    Posts
    52
    Thanks for the idea! What I'm a little confused about is how the box can act as a firewall from inside the network. If the box is attached to the wireless router I can see how it will act as an IDS, but how is it going to filter traffic? Won't the traffic just go from Computer -> Router -> DSL modem without touching traffic that isn't destined for the firewall box? Or do I set up the router to forward the traffic through the firewall?

  4. #4
    Senior Member
    Join Date
    Dec 2003
    Location
    Pacific Northwest
    Posts
    1,675
    or

    DSL Modem > IPCop or Smoothwall > Wireless Router > PC

    I would guess it depends on which side of the router you want your firewall and IDS; there are probably pros and cons to both. Regardless, they are only some of the layers of a multi-layered program.

    cheers
    Connection refused, try again later.

  5. #5
    AO's MMA Fanatic! Computernerd22's Avatar
    Join Date
    Mar 2003
    Location
    Miami, FL
    Posts
    795
    A) [DSLMODEM] ---> [m0n0wall] ---> [IDS] ---> [Wireless Router]


    B) [DSLMODEM] ---> [IPcop w/snort] ---> [Wireless Router]

    or

    C) [DSLMODEM] ---> [m0n0wall] ---> [Wireless Router] ---> [IDSbox w/Airsnort]

    or am I way off here?
    I would recommend using a different type of network 'architecture.'

  6. #6
    Member
    Join Date
    Apr 2002
    Posts
    52
    Originally posted here by Computernerd22
    I would recommend using a different type of network 'architecture.'
    Such as...?

  7. #7
    AO's MMA Fanatic! Computernerd22's Avatar
    Join Date
    Mar 2003
    Location
    Miami, FL
    Posts
    795
    Okay, here is the deal... I'm wanting to set up a firewall at home and incorporate an IDS such as Snort. I'm considering using m0n0wall but it looks like I would have to install my IDS on a separate machine as opposed to, say, IPCop, which would allow me to install Snort. Is this because IPCop is Linux based and m0n0wall is BSD? I would prefer to have one system doing both jobs that I can log into remotely. I have never configured iptables or IFwhatchamacallit on BSD, nor have I run m0n0wall or IPCop before. I am also running a wireless router. So what would be the ideal setup?
    [DSL MODEM] --> [WIRELESS ROUTER] ---> [firewall] ---> [IDS] --> [PC1] --->
                                                                  [PC2] --->

    DSL modem to wireless router. Firewall is 'configured' properly, IDS is set up to monitor incoming/outgoing packets (SCTP, TCP, UDP, ICMP, ARP, OSPF, GRE, NetBIOS, IPX, VINES, etc...). Point is, if configured correctly, there's nothing passing through the application that's going to be 'undetected' (unless you do some type of DoS attack on the IDS itself and make it completely unstable). Even then, most IDS systems have a down system (sensor/trigger) to alarm the administrators.

  8. #8
    Member
    Join Date
    Apr 2002
    Posts
    52
    Originally posted here by Computernerd22
    [DSL MODEM] --> [WIRELESS ROUTER] ---> [firewall] ---> [IDS] --> [PC1] --->
                                                                  [PC2] --->


    I realize it would be ideal to have the IDS on a separate system, but I am trying to be space efficient and don't want to use more computers than I have to. Is the advantage of having a separate box for the IDS great enough to justify bringing another computer home from work?

    Also, I am a bit confused by your architecture. If my firewall is inside the wireless network, how does it filter traffic? Won't the traffic of the computers never touch the firewall unless I am forwarding the traffic through it? It looks like you have the traffic going from the wireless router to the firewall and IDS and then directly to the PCs. Wouldn't that require me to have a NIC for each PC inside my IDS?

    Any help would be MUCH appreciated... I'm really looking forward to setting this up!

  9. #9
    Senior Member Spyrus's Avatar
    Join Date
    Oct 2002
    Posts
    741
    Liquid,

    In the examples you are seeing where the firewall is falling after the wireless, it is because of some of the security minded. Wireless is an easy target. So what you are seeing is: if your wireless gets hacked [Ex1], someone would have complete access to your internal network and never worry about your firewall. But on the same point, if you are using wireless [Ex2], the only protection you have is your router. It's kind of a catch-22 situation. You could set it up so that if you are using wireless you have to authenticate to get connected to your network. I can't think of the name of the apps off hand that allow you to do that. Or you could set up 2 firewalls. Or trust that the method you use to lock down your wireless will be secure enough to not worry about it being within your network.

    [Ex1]

    [DSL MODEM] --> [firewall]---> [WIRELESS ROUTER]--->[IDS] -->[Intranet]
    | -[HACKED WIRELESS]
    ---> [IDS (sees traffic)]-->[Intranet (already in network though)]

    [Ex2]

    [DSL MODEM] --> [WIRELESS ROUTER] ---> [firewall]--->[IDS] -->[Intranet]
    |
    --Any traffic through here skips firewall and passes through DSL Modem (but if hacked there is no access to network)
    Duct tape.....A whole lot of Duct Tape

  10. #10
    Member
    Join Date
    Apr 2002
    Posts
    52
    I understand that having a wireless router is leaving an opening in my network, but that can't really be avoided due to the inherent insecurity of the medium. I was assuming that if somebody connected to my network they would most likely be trying to use my internet as well, hence the firewall/IDS in between the router and the modem. However, I do see your point in that this does not prevent them from safely targeting local machines and using a different NIC/separate internet connection. So how about this:

    [DSL] --> [IPcop/Snort] --> [Wireless Router] --> [PC1]/[PC2]/[PC3]/[IDS]

    In this scenario I am filtering traffic at the source as well as actively scanning for intrusions; then, once inside the wireless network, I have my workstations and a separate IDS box for scanning inside the local wireless network. Am I missing anything?

    Also, somebody mentioned using a VPN? I've never set one up but I may as well give it a try.

    Thanks for being patient.
