[oclug] snort and IDS stuff
b stephen harding
dk983 at ncf.ca
Thu Jun 26 08:11:15 EDT 2003
On Thu, 26 Jun 2003 07:13:35 -0400 (EDT)
Bill Strosberg <bill at strosberg.com> wrote:
> On Wed, 25 Jun 2003, b stephen harding wrote:
> > got a question regarding the use of snort, tripwire, and IDS in
> > general.
> > Where is the proper placement for these programs? Like do I
> > install
> > them on my SME server and monitor it and the rest of the network
> > from there or would it be better to run it from my desktop box and
> > monitor the SME and other boxes from there?
> > My purpose is to do general monitoring of the overall home network,
> > not really interested at this date in paranoid security monitoring.
> Hi Bruce!
> IDS boxes are usually located either outside the firewall and/or
> inside the firewall - they are not generally installed on the
> firewall. An IDS in and of itself does not provide any protection -
> rather it provides a warning of attacks in progress or a log of attacks
> that have taken place.
> An IDS inside the firewall will let you know if your firewall is
> working - it shouldn't detect anything if the firewall is properly
> configured and no one inside the perimeter is misbehaving. This can
> give you some degree of assurance the firewall is doing its job.
> An IDS outside the firewall can provide warnings of attacks in
> progress and can be used to proactively assist in firewall
> configuration - automatically blocking IP addresses that scan you etc.
> Which is better? This debate has run on in vi/Emacs fashion for a
> long time. In client sites that warrant it - I like to deploy both -
> and compare logs via a syslog server.
Thanks for this, Bill. I don't want to get too over the top here, just
looking to monitor the home network. A syslog server would seem to be a
bit much, I'm assuming that would require an additional separate
computer. I will start with snort and go from there... This is as much
a learning experience as a real need for extra vigilance.
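As an added example (not part of the thread), the script below does the inside/outside comparison Bill describes: it parses Snort alert_fast-style lines collected on a syslog server from two sensors and flags everything the inside sensor saw, splitting it into alerts from sources the outside sensor also saw (traffic that got through the firewall) and alerts from internal hosts (someone inside misbehaving). The sensor-hostname prefix on each line and the sample alerts are constructed assumptions, not real captures.

```python
import re
from collections import Counter

# Constructed sample: alert_fast-style lines as they might arrive on a syslog
# server, each prefixed with the sending sensor's hostname (assumed layout).
SAMPLE_LOG = """\
ids-outside 06/26-08:01:02.000001 [**] [1:1000001:1] SCAN nmap TCP [**] [Priority: 2] {TCP} 192.0.2.10:40000 -> 198.51.100.5:22
ids-outside 06/26-08:01:03.000002 [**] [1:1000001:1] SCAN nmap TCP [**] [Priority: 2] {TCP} 192.0.2.10:40001 -> 198.51.100.5:80
ids-outside 06/26-08:02:10.000003 [**] [1:1000002:1] WEB-MISC probe [**] [Priority: 2] {TCP} 203.0.113.7:5000 -> 198.51.100.5:80
ids-inside 06/26-08:02:10.000004 [**] [1:1000002:1] WEB-MISC probe [**] [Priority: 2] {TCP} 203.0.113.7:5000 -> 10.0.0.5:80
ids-inside 06/26-08:05:44.000005 [**] [1:1000001:1] SCAN nmap TCP [**] [Priority: 2] {TCP} 10.0.0.9:51000 -> 10.0.0.5:139
"""

# sensor, timestamp, [gid:sid:rev], message, {proto}, src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<sensor>\S+)\s+(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)


def parse_alerts(text):
    """Parse alert lines into dicts; lines that don't match are skipped."""
    return [m.groupdict() for m in map(ALERT_RE.match, text.splitlines()) if m]


def compare_sensors(alerts, outside="ids-outside", inside="ids-inside"):
    """Return (outside_counts, inside_findings).

    outside_counts: sid -> count of alerts the outside sensor saw (expected noise).
    inside_findings: {"leaked": alerts on the inside sensor whose source the
    outside sensor also saw, i.e. traffic that crossed the firewall;
    "internal": inside alerts from sources never seen outside, i.e. a host
    on the LAN misbehaving}. Ideally both lists are empty.
    """
    outside_counts = Counter(a["sid"] for a in alerts if a["sensor"] == outside)
    outside_sources = {a["src"] for a in alerts if a["sensor"] == outside}
    findings = {"leaked": [], "internal": []}
    for a in alerts:
        if a["sensor"] != inside:
            continue
        findings["leaked" if a["src"] in outside_sources else "internal"].append(a)
    return outside_counts, findings


if __name__ == "__main__":
    counts, findings = compare_sensors(parse_alerts(SAMPLE_LOG))
    print("outside alerts per sid:", dict(counts))
    for kind, hits in findings.items():
        for a in hits:
            print(f"{kind}: {a['ts']} sid={a['sid']} {a['src']} -> {a['dst']} {a['msg']}")
```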