nakedconsulting
asked on
Windows 2003 SBS + Snort + Ethereal
How do I configure Windows 2003 Server so that it acts as an intrusion detection system behind a firewall? Where it'll let traffic flows through it while capturing the packages?
Current setup:
Windows 2003 SBS
2 NIC
No exchange
No ISA
No firewall
No DHCP (handled by our firewall)
No DNS (handled by our firewall)
Snort
Eaglex (Pre-config for snort)
Ethereal
It is important that packets are flowing through it because we have another server that handles exchange and vpn.
Please advise.
Thank you.
Current setup:
Windows 2003 SBS
2 NIC
No exchange
No ISA
No firewall
No DHCP (handled by our firewall)
No DNS (handled by our firewall)
Snort
Eaglex (Pre-config for snort)
Ethereal
It is important that packets are flowing through it because we have another server that handles exchange and vpn.
Please advise.
Thank you.
From my knowledge, all these software require to have a rfmon enabled NIC. These NIC are hard to come by and are mostly supported by *NIX systems. Windows do not support be it system nor drivers to enable it to capture all packets that it is not addressed to. Maybe you can try to use other OS for this or search the web.
ASKER
Caution: If I’m incorrect in anyway on the information provided, please correct me, I’ll sincerely appreciate it.
Over the last six months I have been researching about employing an Intrusion Detection System, and this is the results:
Most security orientated companies sell hardware appliances for this purpose, for example, Sonicwall, Cisco, Symantec, McAfee. The prices range from $400 – thousands. For a small business or home office, that’s a pretty steep price.
The alternative is using FREE, open-source software such as Snort, Ethereal, and Nessus. Read more about them on snort.org, ethereal.com...
The reason why I’m writing and posting this is because I have not found an easy to understand instruction on the internet, newsgroup, and even expert-exchange.com! This is for the network administrator who has a low budget and high on security needs.
Ok, here’s the setup / lab of a regular small business environment:
Internet à Firewall/Router à Switch/Hub à Bunch of computers
The IDS/Sniffer computer:
Windows 2003 or Windows XP based
1 NIC
1.2 GHz
512MB RAM
80GB Hard Drive
52X CD-ROM Drive
Here’s what we installed for the IDS:
Snort 2.6, www.snort.org
Ethereal 0.9, www.ethereal.com
WinPcap 3.0 (Comes with www.ethereal.com)
EagleX 2.1, www.engagesecurity.com
Snort 2.6 = Intrusion Detection System
Ethereal 0.9 = Packet Sniffer and analyzer
WinPcap 3.0 = Needed to run Snort and Ethereal
EagleX 2.1 = Pre-config software for Snort, also comes with GUI Interface known as IDS 1.1 RC4
Where to install the IDS/Sniffer computer? Here it is:
Internet à Firewall/Router (INSTALL IT HERE) à Switch/Hub à Bunch of computers
Ok, so your firewall/router will have two cables going out, one to the switch/hub, one to the IDS/Sniffer computer. Why?
The reason is this, since most small businesses with more than 5 computers will probably use a switch since is smart than a hub. A hub broadcast every packet it receives whereas switch usually has a smarter routing capability. In order for packets to be captured, it has to be broadcasted on the hub. Believe it or not, most small business’ router/firewall acts as a hub unless is specially designed to be a router/firewall/switch. By employing on the router/firewall, it’ll capture every packet that comes through your firewall and going out too (Not sure about this one yet)?
Alternatively, if you use a hub to connect all your computers, you can employ it there, so it’ll be:
Internet à Firewall/Router à Hub (INSTALL IT HERE) à Bunch of computers
That way, you’ll capture internal network traffic too.
Hope this helps. Please feel free to e-mail me directly with any questions, Kevin@econsynergy.com.
Sincerely yours,
Kevin
Small Business IT Consultant
*** E-MAIL ADDRESS REMOVED BY TechSoEasy -- EE's Microsoft Zone Advisor***
Over the last six months I have been researching about employing an Intrusion Detection System, and this is the results:
Most security orientated companies sell hardware appliances for this purpose, for example, Sonicwall, Cisco, Symantec, McAfee. The prices range from $400 – thousands. For a small business or home office, that’s a pretty steep price.
The alternative is using FREE, open-source software such as Snort, Ethereal, and Nessus. Read more about them on snort.org, ethereal.com...
The reason why I’m writing and posting this is because I have not found an easy to understand instruction on the internet, newsgroup, and even expert-exchange.com! This is for the network administrator who has a low budget and high on security needs.
Ok, here’s the setup / lab of a regular small business environment:
Internet à Firewall/Router à Switch/Hub à Bunch of computers
The IDS/Sniffer computer:
Windows 2003 or Windows XP based
1 NIC
1.2 GHz
512MB RAM
80GB Hard Drive
52X CD-ROM Drive
Here’s what we installed for the IDS:
Snort 2.6, www.snort.org
Ethereal 0.9, www.ethereal.com
WinPcap 3.0 (Comes with www.ethereal.com)
EagleX 2.1, www.engagesecurity.com
Snort 2.6 = Intrusion Detection System
Ethereal 0.9 = Packet Sniffer and analyzer
WinPcap 3.0 = Needed to run Snort and Ethereal
EagleX 2.1 = Pre-config software for Snort, also comes with GUI Interface known as IDS 1.1 RC4
Where to install the IDS/Sniffer computer? Here it is:
Internet à Firewall/Router (INSTALL IT HERE) à Switch/Hub à Bunch of computers
Ok, so your firewall/router will have two cables going out, one to the switch/hub, one to the IDS/Sniffer computer. Why?
The reason is this, since most small businesses with more than 5 computers will probably use a switch since is smart than a hub. A hub broadcast every packet it receives whereas switch usually has a smarter routing capability. In order for packets to be captured, it has to be broadcasted on the hub. Believe it or not, most small business’ router/firewall acts as a hub unless is specially designed to be a router/firewall/switch. By employing on the router/firewall, it’ll capture every packet that comes through your firewall and going out too (Not sure about this one yet)?
Alternatively, if you use a hub to connect all your computers, you can employ it there, so it’ll be:
Internet à Firewall/Router à Hub (INSTALL IT HERE) à Bunch of computers
That way, you’ll capture internal network traffic too.
Hope this helps. Please feel free to e-mail me directly with any questions, Kevin@econsynergy.com.
Sincerely yours,
Kevin
Small Business IT Consultant
*** E-MAIL ADDRESS REMOVED BY TechSoEasy -- EE's Microsoft Zone Advisor***
ASKER
PS Alternatively, you can also use a pre-installed linux distribution: http://www.networksecuritytoolkit.org/nst/index.html. Thanks!
Nakedconsulting,
when I mentioned above that you are using the wrong OS that is because you said (2003 SBS).
You can use (Windows 2003). Although that SBS Looks like 2003, It is not and will give you all kind of problems the way you described above. If you know your way around ISA 2004 or 2006, It is a very good Firewall and IDS and I would still suggest something else with it like "Trend Micro" if you are in a mission and security critical network. However as you mentioned before that you are looking for a low budget System, I suggest that you look toward the open source systems in the Linux family.
Debian is a very good place to start.
Good luck!
when I mentioned above that you are using the wrong OS that is because you said (2003 SBS).
You can use (Windows 2003). Although that SBS Looks like 2003, It is not and will give you all kind of problems the way you described above. If you know your way around ISA 2004 or 2006, It is a very good Firewall and IDS and I would still suggest something else with it like "Trend Micro" if you are in a mission and security critical network. However as you mentioned before that you are looking for a low budget System, I suggest that you look toward the open source systems in the Linux family.
Debian is a very good place to start.
Good luck!
Have you checked out the Window IDS setup guide from the www.winsnort.com team?
They walk you through setting a a windows box with free software to build a good IDS box.
Have a read through the guides they posted. I've set up a couple of systems using it with excellent results.
They walk you through setting a a windows box with free software to build a good IDS box.
Have a read through the guides they posted. I've set up a couple of systems using it with excellent results.
You can use sbs 2003 to do this
The RRAS (Routing and Remote Access) screen in the administrative tools menu will allow you to route traffice through the sbs box allowing it to act as an inline IDS. Since all hardware anyone cares to use today is switched (not like hubs) you will need an inline IDS at your border to catch all the traffic.
RRAS is run as part of the email and internet wizard that you usually run when you set SBS up.
Iirc within RRAS you set the box up as a very basic "firewall" that doesnt actually filter anything so that traffic will be forwarded through it. There is, of course, some addressing concerns to consider here, theres a link at the end for this.
Once you have the SBS 2003 box inline (aka in series) between your network and your firewall make sure that you can still connect to the Internet.
Then configure your IDS software of choice to start monitoring your traffic. If you already have the necessary prerequisites including up-to-date definitions/patterns this should be simple, refer to your IDS's docs.
Links:
http://www.smallbizserver.net/Articles/tabid/266/articleType/ArticleView/articleId/76/Two-Nics-a-static-IP-address-ISA-router.aspx (has a picture showing a sample address scheme)
The RRAS (Routing and Remote Access) screen in the administrative tools menu will allow you to route traffice through the sbs box allowing it to act as an inline IDS. Since all hardware anyone cares to use today is switched (not like hubs) you will need an inline IDS at your border to catch all the traffic.
RRAS is run as part of the email and internet wizard that you usually run when you set SBS up.
Iirc within RRAS you set the box up as a very basic "firewall" that doesnt actually filter anything so that traffic will be forwarded through it. There is, of course, some addressing concerns to consider here, theres a link at the end for this.
Once you have the SBS 2003 box inline (aka in series) between your network and your firewall make sure that you can still connect to the Internet.
Then configure your IDS software of choice to start monitoring your traffic. If you already have the necessary prerequisites including up-to-date definitions/patterns this should be simple, refer to your IDS's docs.
Links:
http://www.smallbizserver.net/Articles/tabid/266/articleType/ArticleView/articleId/76/Two-Nics-a-static-IP-address-ISA-router.aspx (has a picture showing a sample address scheme)
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
You don't.
You are using the wrong Operating System.
You cannot use an SBS 2003 as a Standard or Enterprise Server.
Vico1!