Employing Intrusion Detection System (IDS) and Packet Sniffer such as Snort and Ethereal in a small business environment - Security


Thread: Employing Intrusion Detection System (IDS) and Packet Sniffer such as Snort and Ethereal in a small business environment

  1. Employing Intrusion Detection System (IDS) and Packet Sniffer such as Snort and Ethereal in a small business environment

    Caution: If I'm incorrect in any way on the information provided,
    please correct me; I'll sincerely appreciate it.

    Over the last six months I have been researching employing an
    Intrusion Detection System, and these are the results:



    Most security orientated companies sell hardware appliances for this
    purpose, for example, Sonicwall, Cisco, Symantec, McAfee. The prices
    range from $400 - thousands. For a small business or home office,
    that's a pretty steep price.



    The alternative is using FREE, open-source software such as Snort,
    Ethereal, and Nessus. Read more about them on snort.org,
    ethereal.com...



    The reason why I'm writing and posting this is because I have not
    found an easy to understand instruction on the internet, newsgroup,
    and even expert-exchange.com! This is for the network administrator
    who has a low budget and high on security needs.



    Ok, here's the setup / lab of a regular small business environment:

    Internet --- Firewall/Router --- Switch/Hub --- Bunch of computers



    The IDS/Sniffer computer:

    Windows 2003 or Windows XP based

    1 NIC

    1.2 GHz

    512MB RAM

    80GB Hard Drive

    52X CD-ROM Drive



    Here's what we installed for the IDS:

    Snort 2.6, www.snort.org

    Ethereal 0.9, www.ethereal.com

    WinPcap 3.0 (Comes with www.ethereal.com)

    EagleX 2.1, www.engagesecurity.com



    Snort 2.6 = Intrusion Detection System

    Ethereal 0.9 = Packet Sniffer and analyzer

    WinPcap 3.0 = Needed to run Snort and Ethereal

    EagleX 2.1 = Pre-config software for Snort, also comes with GUI
    Interface known as IDS 1.1 RC4



    Where to install the IDS/Sniffer computer? Here it is:

    Internet --- Firewall/Router (INSTALL IT HERE) --- Switch/Hub --- Bunch of
    computers



    Ok, so your firewall/router will have two cables going out, one to the
    switch/hub, one to the IDS/Sniffer computer. Why?

    The reason is this: most small businesses with more than 5 computers
    will probably use a switch, since it is smarter than a hub. A hub
    broadcasts every packet it receives, whereas a switch usually has
    smarter routing capability. In order for packets to be captured, they
    have to be broadcast on the hub. Believe it or not, most small
    business routers/firewalls act as a hub unless specially designed to
    be a router/firewall/switch. By employing it on the router/firewall,
    it'll capture every packet that comes through your firewall and going
    out too (Not sure about this one yet)?

    Alternatively, if you use a hub to connect all your computers, you can
    employ it there, so it'll be:

    Internet --- Firewall/Router --- Hub (INSTALL IT HERE) --- Bunch of
    computers

    That way, you'll capture internal network traffic too.



    Hope this helps. Please feel free to e-mail me directly with any
    questions, Kevin@econsynergy.com.



    Sincerely yours,



    Kevin

    Small Business IT Consultant

    Kevin@econsynergy.com


  2. Re: Employing Intrusion Detection System (IDS) and Packet Sniffer such as Snort and Ethereal in a small business environment

    On 7 Apr 2007, in the Usenet newsgroup comp.os.linux.security, in article
    <1176000599.272094.324180@n59g2000hsh.googlegroups.com>, Kev wrote:

    >Over the last six months I have been researching employing an
    >Intrusion Detection System, and these are the results:
    >
    >Most security orientated companies sell hardware appliances for this
    >purpose, for example, Sonicwall, Cisco, Symantec, McAfee. The prices
    >range from $400 - thousands. For a small business or home office,
    >that's a pretty steep price.


    Standard mantra - security is not an object, but a philosophy. One tool
    or application does not provide a silver bullet solution, and is rarely
    useful in isolation.

    >The alternative is using FREE, open-source software such as Snort,
    >Ethereal, and Nessus. Read more about them on snort.org,
    >ethereal.com...


    except that ethereal was renamed 'wireshark' about nine months ago

    >The reason why I'm writing and posting this is because I have not
    >found an easy to understand instruction on the internet, newsgroup,
    >and even expert-exchange.com! This is for the network administrator
    >who has a low budget and high on security needs.


    OK

    >The IDS/Sniffer computer:
    >
    >Windows 2003 or Windows XP based


    [compton ~]$ zgrep linux.security ../big.8.list.03.15.07.gz
    comp.os.linux.security Security and the GNU/Linux Operating System.
    [compton ~]$

    The name of this newsgroup is comp.os.linux.security - has nothing to do
    with using a toy operating system in a critical application. If that is
    the only one you know, you're probably not getting a call from a lot of
    businesses - certainly not where I work.

    >1 NIC
    >1.2 GHz
    >512MB RAM
    >80GB Hard Drive


    I suppose - the little Network General sniffer I'm using is actually a
    486 laptop, so maybe you've got a concept problem - windoze does that

    >52X CD-ROM Drive


    And exactly why do you need this?

    >Here's what we installed for the IDS:
    >
    >Snort 2.6, www.snort.org


    Snort is one of _many_ tools that might be useful, but is rarely enough
    by itself.

    >Ethereal 0.9, www.ethereal.com


    wireshark displays packet information in a colorful way for the user who
    hasn't bothered to learn the first thing about networking protocols like
    IP, TCP, UDP, and ICMP. It comes with a few Linux distributions, along
    with the original tcpdump and about 18 other packet sniffers.

    >WinPcap 3.0 (Comes with www.ethereal.com)


    That's a requirement for windoze ONLY - most Linux distributions already
    include libpcap, and it's a dependency for any packet sniffer that would
    be installed on any non-windoze box.

    >EagleX 2.1, www.engagesecurity.com


    Useless trash for the clueless

    >Internet --- Firewall/Router (INSTALL IT HERE) --- Switch/Hub --- Bunch of
    >computers


    Depends

    >The reason is this: most small businesses with more than 5 computers
    >will probably use a switch, since it is smarter than a hub. A hub
    >broadcasts every packet it receives, whereas a switch usually has
    >smarter routing capability.


    Unless your switch has a monitor port - the better ones do, while the
    cheap stuff for the home user often does not.

    >In order for packets to be captured, they have to be broadcast on the hub.
    >Believe it or not, most small business routers/firewalls act as a hub
    >unless specially designed to be a router/firewall/switch. By employing
    >it on the router/firewall, it'll capture every packet that comes through
    >your firewall and going out too (Not sure about this one yet)?


    Wrong. It's a lot easier to bring along a cheap hub and place this in the
    line from the switch to the router. That way, you also don't **** up the
    settings on the router - a common problem with the clueless.

    >Kevin
    >
    >Small Business IT Consultant


    You can start by checking the local community college, and seeing if they
    have networking classes - not the microsoft courses which are full of
    intentional mis-information and concept errors, but something that uses
    the W. Richard Stevens book as a textbook. As you apparently also
    don't understand what Linux is, try looking at the Linux Documentation
    Project, and read some of the HOWTOs. Some that you are unaware of are:

    272577 Mar 20 13:09 HOWTO-INDEX
    97194 Mar 20 13:09 INDEX

    85507 Aug 20 2001 Firewall-HOWTO
    42743 Nov 24 2001 Firewall-Piercing
    708351 Nov 14 2005 IP-Masquerade-HOWTO
    17605 Jul 21 2004 Masquerading-Simple-HOWTO
    203891 Sep 29 2004 NET3-4-HOWTO
    45604 Apr 18 2006 Networking-Overview-HOWTO
    22582 Feb 6 2004 Reading-List-HOWTO
    155096 Jan 23 2004 Security-HOWTO
    278012 Jul 23 2002 Security-Quickstart-HOWTO
    71626 Apr 4 2004 Unix-and-Internet-Fundamentals-HOWTO

    There is also a 'Snort-Statistics-HOWTO' that is now obsolete, but any
    search engine should find it in a few seconds.

    Before using something as complex as an IDS, you need to have _WRITTEN_
    policy in place - describing among other things what are and what is not
    acceptable use of the computers. You need to learn _something_ about
    the operating system those computers are using, and how to shut down the
    many undesirable (and horribly insecure) services that are running on
    those systems. Providing conceptual training to the users, so they have
    a tiny grasp of the fundamentals will often reduce the exposure far more
    than a conslutant coming in waving his favorite (and apparently
    misunderstood) tool that's going to save the world.

    Counting on an IDS is like sticking a few coupons from MacBurger-in-a-box
    in your wallet as your earthquake preparedness kit. Ain't gonna hack it.

    Old guy
