
Question on IDS

Status
Not open for further replies.

SgtB

IS-IT--Management
Oct 3, 2002
447
US
I'd like to place an IDS system outside my firewall. I've seen many "best practices" diagrams stating that it'd be a good idea to put an IDS on the outside and the inside of your firewall. Now here's the question...
If you put an IDS outside your firewall, then what's protecting the IDS? How could you trust an IDS that's that vulnerable? I'm assuming there's some little trick I don't know that makes the IDS reliable/secure.

So how is it done?
Thanks!
 
I use SNORT for an IDS. I have the ethernet0 set as a passive interface (no IP address). There is a diagram at snort.org on how to make a cable that will only allow the IDS box to sniff the incoming/outgoing network packets but not respond to any queries on the interface. If you want, you can then set up an internal interface to access the IDS from the inside. If you do this, make sure that the address is hidden from the outside world.
 
I found some info on a passive interface. Just for the record, and some info for people who may read this. Here's a link to a nice little place that shows you how to (easily) create a no-ip interface on RH Linux.


Beats cutting cable! j/k

Thanks for the reply!
 
That is a very good article. I had to fumble my way through it with the FAQs and Howto's (but this was over 1 year ago).
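
A check for the passive (no-IP) sniffing interface discussed in this thread, as an added example that is not part of any poster's reply: it reads `ip -o addr show` and `ip -o link show` output and reports anything that would let the sensor port answer traffic, including the IPv6 link-local address Linux assigns by itself. The interface names `eth0`/`eth1`, the function names and both sample outputs are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. eth0 (sniffing port) and eth1
# (inside management port) are assumed names; both samples are constructed.
SAMPLE_ADDR='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet6 fe80::a00:27ff:fe4e:66a1/64 scope link \       valid_lft forever preferred_lft forever
3: eth1    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth1\       valid_lft forever preferred_lft forever'
SAMPLE_LINK='2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000'

# Report every IPv4/IPv6 address bound to interface $1.
# stdin: `ip -o addr show` output.
bound_addrs() {
    awk -v ifc="$1" '$2 == ifc && ($3 == "inet" || $3 == "inet6") {
        print "address " $3 " " $4 }'
}

# Report link flags the sniffing interface $1 lacks. stdin: `ip -o link show`.
# UP is needed to capture; NOARP stops the kernel answering ARP on this port
# (by default Linux replies for a local IP configured on any interface).
missing_flags() {
    awk -v ifc="$1" '$2 == (ifc ":") {
        seen = 1
        gsub(/[<>]/, "", $3); n = split($3, f, ",")
        for (i = 1; i <= n; i++) have[f[i]] = 1
        if (!("UP" in have)) print "flag-missing UP"
        if (!("NOARP" in have)) print "flag-missing NOARP"
    }
    END { if (!seen) print "not-found " ifc }'
}

# Audit interface $1 against addr output $2 and link output $3.
# Prints findings and returns 1 if any; returns 0 when the port is silent.
audit_sniff_iface() {
    findings=$( { printf '%s\n' "$2" | bound_addrs "$1"
                  printf '%s\n' "$3" | missing_flags "$1"; } )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Live use: ./audit.sh eth0. Typical fixes for the findings above:
#   ip addr flush dev eth0; ip link set dev eth0 arp off up
#   sysctl -w net.ipv6.conf.eth0.disable_ipv6=1
if [ -n "${1:-}" ]; then
    audit_sniff_iface "$1" "$(ip -o addr show)" "$(ip -o link show)"
fi
```

On the constructed samples the audit flags `eth0` twice: the IPv4 address is gone, but the link-local IPv6 address and the missing NOARP flag still leave the port able to respond.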
 