04.07.2007 at 07:51PM PDT, ID: 22498253

Employing Intrusion Detection System (IDS) and Packet Sniffer such as Snort and Ethereal in a small business environment

Asked by nakedconsulting in Intrusion Detection Systems (IDS), Networking Security Vulnerabilities

Tags: sniffer, packet, detection, intrusion

Caution: If I’m incorrect in any way on the information provided, please correct me; I’ll sincerely appreciate it.

Over the last six months I have been researching employing an Intrusion Detection System, and these are the results:

Most security-orientated companies sell hardware appliances for this purpose, for example Sonicwall, Cisco, Symantec, McAfee. The prices range from $400 to thousands. For a small business or home office, that’s a pretty steep price.

The alternative is using FREE, open-source software such as Snort, Ethereal, and Nessus. Read more about them on snort.org, ethereal.com...

The reason why I’m writing and posting this is that I have not found easy-to-understand instructions on the internet, in newsgroups, or even on expert-exchange.com! This is for the network administrator who has a low budget and high security needs.

 

Ok, here’s the setup / lab of a regular small business environment:

Internet → Firewall/Router → Switch/Hub → Bunch of computers

The IDS/Sniffer computer:

Windows 2003 or Windows XP based

1 NIC

1.2 GHz

512MB RAM

80GB Hard Drive

52X CD-ROM Drive

Here’s what we installed for the IDS:

Snort 2.6, www.snort.org

Ethereal 0.9, www.ethereal.com

WinPcap 3.0 (Comes with www.ethereal.com)

EagleX 2.1, www.engagesecurity.com

Snort 2.6 = Intrusion Detection System

Ethereal 0.9 = Packet Sniffer and analyzer

WinPcap 3.0 = Needed to run Snort and Ethereal

EagleX 2.1 = Pre-config software for Snort, also comes with a GUI interface known as IDS 1.1 RC4

Where to install the IDS/Sniffer computer? Here it is:

Internet → Firewall/Router (INSTALL IT HERE) → Switch/Hub → Bunch of computers

Ok, so your firewall/router will have two cables going out, one to the switch/hub, one to the IDS/Sniffer computer. Why?

The reason is this: most small businesses with more than 5 computers will probably use a switch, since it is smarter than a hub. A hub broadcasts every packet it receives, whereas a switch usually has smarter routing capability. In order for packets to be captured, they have to be broadcast on the hub. Believe it or not, most small businesses’ router/firewall acts as a hub unless it is specially designed to be a router/firewall/switch. By employing it on the router/firewall, it’ll capture every packet that comes through your firewall, and going out too (not sure about this one yet)?

Alternatively, if you use a hub to connect all your computers, you can employ it there, so it’ll be:

Internet → Firewall/Router → Hub (INSTALL IT HERE) → Bunch of computers

That way, you’ll capture internal network traffic too.

Hope this helps. Please feel free to e-mail me directly with any questions, Kevin@econsynergy.com.

Sincerely yours,

Kevin

Small Business IT Consultant

Kevin@econsynergy.com
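The post describes the two halves of the setup, a sniffer (Ethereal) that captures whatever frames reach the tap point and an IDS (Snort) that matches those frames against signatures, without showing what either actually does with a packet. The script below is an added example, not part of Kevin's post and not code from the Snort or Ethereal projects: it writes a small constructed libpcap capture in memory (the file format Ethereal and Snort both read), parses the Ethernet/IPv4/TCP layers back out, verifies each IPv4 header checksum, and runs two constructed Snort-style "destination port plus content" rules over the payloads. All MAC and IP addresses, ports, timestamps and rule texts are sample values made up for the example; the `cmd.exe` rule merely echoes the spirit of Snort's classic web-server signatures and is not copied from any ruleset.

```python
"""Added example: tiny pcap writer/reader plus a Snort-style content-match rule engine.
All addresses, payloads, timestamps and rules below are constructed sample data."""
import struct
from dataclasses import dataclass
from typing import List

PCAP_MAGIC = 0xA1B2C3D4      # classic little-endian libpcap magic (microsecond timestamps)
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def inet_aton(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def inet_ntoa(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the header; returns 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_frame(src_ip: str, dst_ip: str, src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Ethernet II / IPv4 / TCP frame carrying `payload` (constructed MAC addresses)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, IPPROTO_TCP, 0,
                     inet_aton(src_ip), inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]   # fill in the checksum field
    return eth + ip + tcp + payload


def write_pcap(frames: List[bytes]) -> bytes:
    """Serialise frames as a libpcap file: 24-byte global header, then 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1175800000 + i, 0, len(frame), len(frame)) + frame
    return out


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    payload: bytes


def parse_pcap(data: bytes) -> List[Packet]:
    """Decode Ethernet/IPv4/TCP records; frames with a bad IPv4 checksum or non-TCP are skipped."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("not a little-endian Ethernet pcap")
    packets, pos = [], 24
    while pos + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack("<IIII", data[pos:pos + 16])
        frame = data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ipv4_checksum(ip[:ihl]) != 0 or ip[9] != IPPROTO_TCP:
            continue
        total_len = struct.unpack("!H", ip[2:4])[0]
        tcp = ip[ihl:total_len]
        src_port, dst_port = struct.unpack("!HH", tcp[:4])
        data_off = (tcp[12] >> 4) * 4
        packets.append(Packet(inet_ntoa(ip[12:16]), inet_ntoa(ip[16:20]), src_port, dst_port, tcp[data_off:]))
    return packets


@dataclass
class Rule:
    msg: str          # alert message, as in Snort's "msg:" option
    dst_port: int     # destination port the rule applies to
    content: bytes    # byte pattern that must appear in the payload ("content:")


RULES = [   # constructed rules; only the port-plus-content subset of Snort's rule language
    Rule("WEB-IIS cmd.exe access", 80, b"cmd.exe"),
    Rule("WEB-MISC /etc/passwd access", 80, b"/etc/passwd"),
]


def run_ids(pcap: bytes, rules: List[Rule] = RULES) -> List[str]:
    """Apply every rule to every decoded packet and return the alert lines."""
    alerts = []
    for pkt in parse_pcap(pcap):
        for rule in rules:
            if pkt.dst_port == rule.dst_port and rule.content in pkt.payload:
                alerts.append(f"[{rule.msg}] {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}")
    return alerts


def sample_capture() -> bytes:
    """Three constructed frames: a normal request, a request that matches a rule, and SMTP traffic."""
    return write_pcap([
        build_tcp_frame("192.168.1.20", "203.0.113.10", 40001, 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
        build_tcp_frame("192.168.1.20", "203.0.113.10", 40002, 80, b"GET /scripts/cmd.exe HTTP/1.0\r\n\r\n"),
        build_tcp_frame("192.168.1.21", "203.0.113.25", 40003, 25, b"MAIL FROM:<cmd.exe@example.com>\r\n"),
    ])


if __name__ == "__main__":
    for line in run_ids(sample_capture()):
        print(line)
```

Two points the example makes that the post only implies: the IDS can only inspect frames that physically reach its NIC, so the place where the capture is taken (the hub or the firewall port) decides what `parse_pcap` ever sees; and a content rule is scoped by port, so the same `cmd.exe` string in the SMTP frame on port 25 produces no alert, which is why tuning rules to the services actually in use matters as much as placing the sensor.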

 

About this solution

Zones: Intrusion Detection Systems (IDS), Networking Security Vulnerabilities
Tags: sniffer, packet, detection, intrusion
Solution Provided By: PowerIT
Participating Experts: 1
Solution Grade: A
 
 
 