[oclug] snort and IDS stuff

Bill Strosberg bill at strosberg.com
Thu Jun 26 07:13:35 EDT 2003


On Wed, 25 Jun 2003, b stephen harding wrote:

> got a question regarding the use of snort, tripwire, and IDS in general.
>  Where is the proper placement for these programs?  Like do I install
> them on my SME server and monitor it and the rest of the network from
> there or would it be better to run it from my desktop box and monitor
> the SME and other boxes from there?
> 
> My purpose is to do general monitoring of the overall home network, not
> really interested at this date in paranoid security monitoring.
> 
> 

Hi Bruce!

IDS boxes are usually located either outside the firewall and/or inside
the firewall - they are not generally installed on the firewall.  An IDS
in and of itself does not provide any protection - rather it provides a
warning of attacks in progress or a log of attacks that have taken place.

An IDS inside the firewall will let you know if your firewall is working -
it shouldn't detect anything if the firewall is properly configured and no
one inside the perimeter is misbehaving. This can give you some degree of
assurance the firewall is doing its job.

An IDS outside the firewall can provide warnings of attacks in progress
and can be used to proactively assist in firewall configuration -
automatically blocking IP addresses that scan you etc.

Which is better?  This debate has run on in vi/Emacs fashion for a long
time.  In client sites that warrant it - I like to deploy both - and
compare logs via a syslog server.

-- 

Bill Strosberg, CISSP
----------------------------------------- 
bill -at- strosberg -dot- com

Microsoft Slogans:

A computer on every desktop (DOS era)
Where do you want to go today? (98)
Prepare to fly (changed post 9/11 to) Yes, you can! (ME)
Software for the agile business (2000)
It just works (XP)
Doing more with less (2003)
Oops, we lied! (2004)
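As an added illustration of the "deploy both and compare logs via a syslog server" approach described above (example code, not from the original thread): the script below correlates alerts from a sensor outside the firewall and one inside, so that anything seen by both sensors stands out as traffic the firewall let through, while anything seen only inside points at a host behind the perimeter misbehaving. The sensor hostnames, IP addresses, rule IDs and log lines are all constructed for the example; the line shape follows Snort's classic syslog alert output.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines from two hypothetical sensors: "ids-out"
# (outside the firewall) and "ids-in" (inside). All values are made up.
SAMPLE_SYSLOG = """\
Jun 26 07:01:02 ids-out snort[812]: [1:100001:1] SCAN portscan [Priority: 3]: {TCP} 203.0.113.7:4444 -> 192.0.2.10:22
Jun 26 07:01:03 ids-out snort[812]: [1:100001:1] SCAN portscan [Priority: 3]: {TCP} 203.0.113.7:4444 -> 192.0.2.10:23
Jun 26 07:02:10 ids-out snort[812]: [1:100002:1] WEB-MISC probe [Priority: 2]: {TCP} 203.0.113.7:5000 -> 192.0.2.10:80
Jun 26 07:02:10 ids-in snort[901]: [1:100002:1] WEB-MISC probe [Priority: 2]: {TCP} 203.0.113.7:5000 -> 192.0.2.10:80
Jun 26 07:05:00 ids-in snort[901]: [1:100003:1] POLICY internal host scanning [Priority: 2]: {TCP} 192.0.2.55:3333 -> 192.0.2.10:139
"""

# Matches one Snort-style syslog alert line and pulls out the fields we correlate on.
ALERT_RE = re.compile(
    r"^\w{3}\s+\d+ [\d:]+ (?P<sensor>\S+) snort\[\d+\]: "
    r"\[(?P<sid>[\d:]+)\] (?P<msg>.+?) \[Priority: (?P<prio>\d)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_alerts(text):
    """Yield one dict per well-formed alert line; silently skip anything else."""
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            yield m.groupdict()


def classify(text, outside="ids-out", inside="ids-in"):
    """Group alerts by (rule id, src, dst) and bucket them by which sensors saw them."""
    seen = defaultdict(set)  # (sid, src, dst) -> set of sensor names
    for a in parse_alerts(text):
        seen[(a["sid"], a["src"], a["dst"])].add(a["sensor"])
    result = {"blocked": [], "passed_through": [], "inside_only": []}
    for key, sensors in seen.items():
        if outside in sensors and inside in sensors:
            result["passed_through"].append(key)  # firewall did not stop it: investigate
        elif outside in sensors:
            result["blocked"].append(key)         # seen outside only: firewall did its job
        else:
            result["inside_only"].append(key)     # never seen outside: originated behind the perimeter
    return result


if __name__ == "__main__":
    for bucket, keys in classify(SAMPLE_SYSLOG).items():
        print(bucket, keys)
```

In a real deployment the two sensors' alerts would arrive on the syslog server interleaved, so the correlation key should stay coarse (rule id and endpoints, not timestamps), since the two sensors will not see the same packet at exactly the same second.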