Caution: If I'm incorrect in any way on the information provided, please correct me; I'll sincerely appreciate it.
Over the last six months I have been researching employing an Intrusion Detection System, and these are the results:
Most security-oriented companies sell hardware appliances for this purpose, for example SonicWall, Cisco, Symantec and McAfee. Prices range from about $400 to many thousands. For a small business or home office, that is a pretty steep price.
The alternative is using FREE, open-source software such as Snort, Ethereal, and Nessus. (Strictly, Nessus is a vulnerability scanner for checking your own hosts, not an IDS; Ethereal has since been renamed Wireshark.) Read more about them on snort.org, ethereal.com...
The reason I'm writing and posting this is that I have not found easy-to-understand instructions on the internet, in newsgroups, or even on expert-exchange.com! This is for the network administrator who is low on budget and high on security needs.
Ok, here's the setup / lab of a regular small business environment:
Internet -> Firewall/Router -> Switch/Hub -> Bunch of computers
The IDS/Sniffer computer:
Windows 2003 or Windows XP based
80GB Hard Drive
52X CD-ROM Drive
A network card for capturing (ideally a second card, left without an IP address, so the sensor itself does not talk on the wire it is watching; a single card works if you only read alerts at the console)
Here's what we installed for the IDS:
Snort 2.6, www.snort.org
Ethereal 0.9, www.ethereal.com
WinPcap 3.0 (comes with the Ethereal installer from www.ethereal.com)
EagleX 2.1, www.engagesecurity.com
Snort 2.6 = Intrusion Detection System
Ethereal 0.9 = Packet sniffer and analyzer
WinPcap 3.0 = Capture driver needed to run Snort and Ethereal on Windows
EagleX 2.1 = Pre-configured package for Snort; also comes with a GUI interface known as IDS 1.1 RC4
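Once the packages are installed, the two pieces you will actually edit are snort.conf (which network is "home") and a local.rules file for your own rules. The fragment below is an added example, not configuration shipped with Snort or EagleX; the 192.168.1.0/24 network, the C:\EagleX\... paths and the rule contents are assumptions for illustration. Rules you write yourself must use sid values of 1000000 or above so they never collide with the official rule set.

```snort
# --- snort.conf (edit these lines) ----------------------------------------
# The LAN behind the firewall; everything else counts as external.
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
# Where the rule files live on this sensor (path is an assumption).
var RULE_PATH C:\EagleX\snort\rules
# Pull in the site-specific rules below.
include $RULE_PATH/local.rules

# --- local.rules (new file in $RULE_PATH) ---------------------------------
# Someone outside the firewall opening a connection to an internal SQL Server.
# flags:S matches only the initial SYN, so one scan produces one alert per target.
alert tcp $EXTERNAL_NET any -> $HOME_NET 1433 (msg:"LOCAL inbound MS-SQL connection attempt"; flags:S; sid:1000001; rev:1;)

# An internal workstation talking IRC to the outside, a common bot control channel.
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"LOCAL outbound IRC connection"; flags:S; sid:1000002; rev:1;)

# Any internal host probing another internal host's Windows file sharing port.
alert tcp $HOME_NET any -> $HOME_NET 445 (msg:"LOCAL internal SMB connection attempt"; flags:S; sid:1000003; rev:1;)
```

To run it from a command prompt on the Windows sensor: `snort -W` prints the numbered list of WinPcap interfaces, and `snort -c C:\EagleX\snort\etc\snort.conf -i 2 -l C:\EagleX\snort\log -A fast` starts Snort on interface 2 writing one-line alerts to the log directory (replace 2 and the paths with your own). Test a rule by triggering it deliberately from a workstation, for example `telnet <internal-server> 445`, and confirm a line appears in the alert file; a rule that never fires in a test is not protecting anything.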
Where to install the IDS/Sniffer computer? Here it is:
Internet -> Firewall/Router (INSTALL IT HERE) -> Switch/Hub -> Bunch of computers
Ok, so your firewall/router will have two cables going out: one to the switch/hub and one to the IDS/Sniffer computer. Why?
The reason is this. Most small businesses with more than five computers will use a switch, since it is smarter than a hub. A hub repeats every frame it receives out of every port, whereas a switch learns which MAC address is on which port and forwards each unicast frame only to that port. A sniffer plugged into an ordinary switch port therefore sees only its own traffic plus broadcasts (ARP, NetBIOS announcements); for it to capture other machines' packets, those frames have to be repeated to its port, which is exactly what a hub does. Plugging the sensor straight into the firewall/router only works if the router's LAN ports behave like a hub. Some older and very cheap units do; most current models have a built-in switch, and then the sensor sees almost nothing. Check it before you trust the setup: start a capture in Ethereal on the sensor (promiscuous mode on) and browse the web from a different workstation. If that workstation's packets show up, you have hub behaviour and the sensor sees everything crossing the firewall, inbound and outbound alike, because a hub repeats frames in both directions. If you see only broadcasts and ARP, you are on a switched port. On a managed switch the proper fix is a mirror (SPAN) port that copies the firewall's uplink port to the sensor's port.
Alternatively, if you use a hub to connect all your computers, you can employ it there, so it'll be:
Internet -> Firewall/Router -> Hub (INSTALL IT HERE) -> Bunch of computers
That way, you'll capture internal (workstation-to-workstation) traffic too, not only traffic crossing the firewall. The trade-off is that a hub is shared and half-duplex, so it slows a busy network. A cheap compromise is a small hub between the firewall and the switch, with only the firewall, the switch uplink and the sensor on it: the sensor sees everything crossing the firewall and the rest of the LAN keeps its switch speed.
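The hub-versus-switch question above comes down to one test: does the sensor's capture port see unicast frames between two other hosts? The script below is an added example, not part of the original post, that applies that test to raw Ethernet frames of the kind a WinPcap/Ethereal capture hands you. It parses the 14-byte Ethernet header, sorts each frame into "own", "broadcast/multicast" or "third-party unicast", and reports whether the vantage point is a hub/mirror port or a plain switched port. The MAC addresses and frames are constructed for the example; on a real sensor you would feed it the frames from a saved capture.

```python
"""
Classify an IDS sensor's vantage point from captured Ethernet frames.

Added example (not from the original post). All MAC addresses and frames
below are constructed by hand to stand in for a real capture.
"""
from dataclasses import dataclass

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class FrameSummary:
    dst: str
    src: str
    ethertype: int


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame: bytes) -> FrameSummary:
    """Pull dst MAC, src MAC and EtherType out of a raw Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    return FrameSummary(
        dst=mac_str(frame[0:6]),
        src=mac_str(frame[6:12]),
        ethertype=int.from_bytes(frame[12:14], "big"),
    )


def is_group_address(mac: str) -> bool:
    """Broadcast and multicast MACs have the I/G bit (LSB of first octet) set.
    A switch floods these to every port, so seeing them proves nothing."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


def classify_vantage(frames, sensor_mac: str):
    """Return (verdict, counts). verdict is 'hub_or_span' when at least one
    unicast frame between two *other* hosts was seen, 'switched_port' when
    only own/broadcast traffic was seen, 'no_traffic' for an empty capture."""
    sensor_mac = sensor_mac.lower()
    counts = {"own": 0, "broadcast_multicast": 0, "third_party_unicast": 0}
    for raw in frames:
        f = parse_ethernet(raw)
        if sensor_mac in (f.src, f.dst):
            counts["own"] += 1            # the sensor itself is an endpoint
        elif is_group_address(f.dst):
            counts["broadcast_multicast"] += 1
        else:
            counts["third_party_unicast"] += 1  # only visible on hub/SPAN/tap
    if counts["third_party_unicast"] > 0:
        return "hub_or_span", counts
    if sum(counts.values()) == 0:
        return "no_traffic", counts
    return "switched_port", counts


def build_frame(dst: str, src: str, ethertype: int, payload: bytes = b"\x00" * 46) -> bytes:
    """Assemble a minimal Ethernet II frame (used here only to construct samples)."""
    return (bytes.fromhex(dst.replace(":", ""))
            + bytes.fromhex(src.replace(":", ""))
            + ethertype.to_bytes(2, "big")
            + payload)


# Constructed sample: a sensor, two workstations and the firewall's LAN port.
SENSOR_MAC = "00:11:22:33:44:55"
WS1_MAC = "00:aa:bb:cc:dd:01"
WS2_MAC = "00:aa:bb:cc:dd:02"
GW_MAC = "00:aa:bb:cc:dd:fe"

# What a plain switched port shows: an ARP broadcast plus the sensor's own chatter.
SWITCHED_CAPTURE = [
    build_frame(BROADCAST, WS1_MAC, ETHERTYPE_ARP),
    build_frame(SENSOR_MAC, GW_MAC, ETHERTYPE_IPV4),
    build_frame(GW_MAC, SENSOR_MAC, ETHERTYPE_IPV4),
]

# What a hub or mirror port adds: unicast frames between other hosts.
HUB_CAPTURE = SWITCHED_CAPTURE + [
    build_frame(GW_MAC, WS1_MAC, ETHERTYPE_IPV4),   # WS1 browsing out
    build_frame(WS2_MAC, GW_MAC, ETHERTYPE_IPV4),   # reply coming back to WS2
]

if __name__ == "__main__":
    for name, cap in (("switched", SWITCHED_CAPTURE), ("hub", HUB_CAPTURE)):
        verdict, counts = classify_vantage(cap, SENSOR_MAC)
        print(f"{name}: {verdict} {counts}")
```

The order of the checks matters: a frame the sensor sent or received is counted as "own" even if it is a broadcast, and only a unicast frame in which the sensor is neither endpoint counts as proof of visibility. A capture that is all ARP and NetBIOS broadcasts looks busy in Ethereal but is exactly the "switched_port" case, which is why counting is more reliable than eyeballing the packet list.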
Hope this helps. Please feel free to e-mail me directly with any questions: Kevin@econsynergy.com.
Small Business IT Consultant