Employing Intrusion Detection System (IDS) and Packet Sniffer such as Snort and Ethereal in a small business environment

Posted on 2007-04-07
Last Modified: 2013-11-29
Caution: If I'm incorrect in any way on the information provided, please correct me; I'll sincerely appreciate it.

 

Over the last six months I have been researching employing an Intrusion Detection System, and these are the results:

 

Most security-oriented companies sell hardware appliances for this purpose, for example Sonicwall, Cisco, Symantec, and McAfee. The prices range from $400 to thousands of dollars. For a small business or home office, that's a pretty steep price.

 

The alternative is using FREE, open-source software such as Snort, Ethereal, and Nessus. Read more about them on snort.org, ethereal.com...

 

The reason I'm writing and posting this is that I have not found easy-to-understand instructions on the internet, in newsgroups, or even on expert-exchange.com! This is for the network administrator who has a low budget and high security needs.

 

Ok, here’s the setup / lab of a regular small business environment:

 

Internet -> Firewall/Router -> Switch/Hub -> Bunch of computers

 

The IDS/Sniffer computer:

Windows 2003 or Windows XP based

1 NIC

1.2 GHz

512MB RAM

80GB Hard Drive

52X CD-ROM Drive

 

Here’s what we installed for the IDS:

Snort 2.6, www.snort.org

Ethereal 0.9, www.ethereal.com

WinPcap 3.0 (Comes with www.ethereal.com)

EagleX 2.1, www.engagesecurity.com

 

Snort 2.6 = Intrusion Detection System

Ethereal 0.9 = Packet Sniffer and analyzer

WinPcap 3.0 = Needed to run Snort and Ethereal

EagleX 2.1 = Pre-configuration software for Snort; also comes with a GUI known as IDS 1.1 RC4

 

Where to install the IDS/Sniffer computer? Here it is:

 

Internet -> Firewall/Router (INSTALL IT HERE) -> Switch/Hub -> Bunch of computers

 

Ok, so your firewall/router will have two cables going out: one to the switch/hub and one to the IDS/Sniffer computer. Why?

 

The reason is this: most small businesses with more than 5 computers will probably use a switch, since it is smarter than a hub. A hub broadcasts every packet it receives, whereas a switch usually has smarter routing capability. In order for packets to be captured, they have to be broadcast on the hub. Believe it or not, most small businesses' routers/firewalls act as a hub unless specially designed to be a router/firewall/switch. By employing it on the router/firewall, it'll capture every packet that comes through your firewall and goes out too (not sure about this one yet)?

 

Alternatively, if you use a hub to connect all your computers, you can employ it there, so it’ll be:

 

Internet -> Firewall/Router -> Hub (INSTALL IT HERE) -> Bunch of computers

 

That way, you’ll capture internal network traffic too.

 

Hope this helps. Please feel free to e-mail me directly with any questions, Kevin@econsynergy.com.

 

Sincerely yours,

 

Kevin

Small Business IT Consultant

Kevin@econsynergy.com

 
Question by:nakedconsulting
2 Comments
 

Author Comment

by:nakedconsulting
ID: 18871243
PS: Alternatively, you can also use a pre-installed Linux distribution: http://www.networksecuritytoolkit.org/nst/index.html. Thanks!

0
 
LVL 18

Accepted Solution

by:
PowerIT earned 50 total points
ID: 18871910
Nice idea. I think you have this nailed for very small businesses.
I have the following remarks:
- If the firewall/router has no built-in hub but a real switch, and internally there is also a switch, then you can put an additional hub between the firewall and the internal network. Plug in the sensor/IDS right there.
- If you want to capture the internal traffic and a switch is being used, you'll need an additional NIC in the IDS and set the switch to mirror its traffic to the port on which you connected the second NIC. You'll need a switch that can handle this. Mind you, internal traffic can be overwhelming. The mirror port can also drop packets, but not that much in a SOHO environment. In any case, don't continuously monitor internal traffic. Only when really needed.
- For the above reason, in a full 'hub network' you would see all that traffic. Consider replacing the hub with a switch. Even managed switches (supporting port mirroring) are available at a very low price these days. Some smart switches (not fully managed) can do this. By heart I know that Netgear and Linksys have that ability in some of their entry-level switches.
- You could consider adding a sensor BEFORE the firewall, so that you can see all attacks coming from the internet. Not just what passed the firewall.
- You did not mention setting this up as a stealth host. This means that an attacker could potentially take over the IDS and hide his tracks.
- Ethereal is now wireshark: www.wireshark.org

My biggest concern is: how are small businesses going to manage this? They usually don't have the knowledge or manpower to correctly interpret all the possible detections and alarms. This means that somehow you would need the possibility to centrally manage this for your clients. Have you considered this?

BTW, don't ask to be emailed directly about EE stuff. EE is for exchanging ideas and solutions. Those get lost with email.

J.
0
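The placement question raised in the post (hub versus switch) and in PowerIT's remarks (mirror port, sensor in front of the firewall), as an added example that is not from the original thread: a toy Python model of which frames an IDS sensor actually captures in each position. Host names pc1..pc3, the gateway 'gw', the port name 'sensor' and the sample frames are constructed.

```python
"""Toy model of where an IDS sensor sees traffic (added example, not from the
thread). Hosts pc1..pc3, gateway 'gw', the port name 'sensor' and the frames
below are constructed sample data."""
from collections import namedtuple

Frame = namedtuple("Frame", "src dst payload")

# Constructed sample traffic. Frames from the internet are delivered onto the
# LAN by the firewall/router 'gw' unless the firewall drops them.
SAMPLE = [
    Frame("internet", "pc1", "SYN to tcp/445"),  # dropped by the firewall
    Frame("internet", "pc1", "DNS reply"),       # allowed through
    Frame("pc1", "gw", "HTTP GET"),
    Frame("gw", "pc1", "HTTP 200"),
    Frame("pc2", "pc3", "SMB write"),
    Frame("pc3", "pc2", "SMB ack"),
]
FIREWALL_DROPS = {"SYN to tcp/445"}

def lan_view(sensor, traffic, topology, mirror=False):
    """Payloads a sensor on the internal segment captures.
    hub: every frame is repeated out of every other port, so all are seen.
    switch: a frame goes only to the port where its destination was learned,
    so the sensor sees it only while the destination is still unknown
    (flooded), unless the switch mirrors all traffic to the sensor's port."""
    ports = {sensor, "gw"} | {h for f in traffic for h in (f.src, f.dst)
                             if h != "internet"}
    learned, seen = set(), []
    for f in traffic:
        if f.src == "internet":
            if f.payload in FIREWALL_DROPS:
                continue                           # never reaches the LAN
            f = Frame("gw", f.dst, f.payload)      # forwarded by the firewall
        if topology == "hub":
            out = ports - {f.src}
        else:
            learned.add(f.src)
            out = {f.dst} if f.dst in learned else ports - {f.src}
            if mirror:
                out.add(sensor)
        if sensor in out:
            seen.append(f.payload)
    return seen

def outside_view(traffic):
    """Payloads a sensor between the internet link and the firewall captures:
    every internet-side frame, including those the firewall will drop."""
    return [f.payload for f in traffic if "internet" in (f.src, f.dst)]
```

Calling `lan_view("sensor", SAMPLE, "switch")` shows that a sensor on a plain switch port only catches the frames flooded while a destination is still unknown, while the hub, the mirror-port and the `outside_view` cases return the full picture of their segment.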
