Employing Intrusion Detection System (IDS) and Packet Sniffer such as Snort and Ethereal in a small business environment

Posted on 2007-04-07
Last Modified: 2013-11-29
Caution: If I'm incorrect in any way on the information provided, please correct me; I'll sincerely appreciate it.

Over the last six months I have been researching employing an Intrusion Detection System, and these are the results:

Most security orientated companies sell hardware appliances for this purpose, for example Sonicwall, Cisco, Symantec, McAfee. The prices range from $400 to thousands. For a small business or home office, that's a pretty steep price.

The alternative is using FREE, open-source software such as Snort, Ethereal, and Nessus. Read more about them on snort.org, ethereal.com...

The reason why I'm writing and posting this is because I have not found easy-to-understand instructions on the internet, newsgroups, or even expert-exchange.com! This is for the network administrator who has a low budget and high security needs.

Ok, here's the setup / lab of a regular small business environment:

Internet → Firewall/Router → Switch/Hub → Bunch of computers

The IDS/Sniffer computer:
Windows 2003 or Windows XP based
1 NIC
1.2 GHz
512MB RAM
80GB Hard Drive
52X CD-ROM Drive

Here's what we installed for the IDS:
Snort 2.6, www.snort.org
Ethereal 0.9, www.ethereal.com
WinPcap 3.0 (comes with www.ethereal.com)
EagleX 2.1, www.engagesecurity.com

Snort 2.6 = Intrusion Detection System
Ethereal 0.9 = Packet Sniffer and analyzer
WinPcap 3.0 = Needed to run Snort and Ethereal
EagleX 2.1 = Pre-config software for Snort, also comes with GUI interface known as IDS 1.1 RC4

Where to install the IDS/Sniffer computer? Here it is:

Internet → Firewall/Router (INSTALL IT HERE) → Switch/Hub → Bunch of computers

Ok, so your firewall/router will have two cables going out, one to the switch/hub, one to the IDS/Sniffer computer. Why?

The reason is this: most small businesses with more than 5 computers will probably use a switch, since it is smarter than a hub. A hub broadcasts every packet it receives, whereas a switch usually has smarter routing capability. In order for packets to be captured, they have to be broadcast on the hub. Believe it or not, most small business routers/firewalls act as a hub unless they are specially designed to be a router/firewall/switch. By employing it on the router/firewall, it'll capture every packet that comes through your firewall and going out too (not sure about this one yet)?

Alternatively, if you use a hub to connect all your computers, you can employ it there, so it'll be:

Internet → Firewall/Router → Hub (INSTALL IT HERE) → Bunch of computers

That way, you'll capture internal network traffic too.

Hope this helps. Please feel free to e-mail me directly with any questions, Kevin@econsynergy.com.

Sincerely yours,

Kevin
Small Business IT Consultant
Kevin@econsynergy.com

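The placement advice above rests on one mechanism: a hub repeats every frame out of every port, while a switch delivers a unicast frame only to the port where it last saw the destination MAC, so a sniffer on a switch port sees little more than broadcasts unless the switch copies traffic to that port. The following toy model, added here as an illustration and not code from the original post or from Snort/Ethereal, shows that difference with constructed MAC addresses and frames; the port numbers, the `Hub`/`Switch` classes and the `mirror_port` option are the example's own assumptions.

```python
"""Toy model of why a sniffer sees everything on a hub but not on a switch
(unless the switch mirrors traffic to the sensor's port).

Added illustration for the placement discussion above; it is not code from the
original post or from Snort/Ethereal. Frames and MAC addresses are constructed.
"""
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str      # source MAC (constructed)
    dst: str      # destination MAC (constructed)
    payload: str  # label used to report what the sensor saw


class Hub:
    """A hub repeats every frame out of every port except the ingress port."""

    def __init__(self, ports):
        self.ports = list(ports)

    def forward(self, ingress, frame):
        return {p for p in self.ports if p != ingress}


class Switch:
    """A learning switch: unicast goes only to the port where the destination
    MAC was last seen; broadcasts and unknown MACs are flooded. If mirror_port
    is set (assumed to stand for a SPAN/mirror port), every frame is also
    copied there."""

    def __init__(self, ports, mirror_port=None):
        self.ports = list(ports)
        self.mirror_port = mirror_port
        self.mac_table = {}

    def forward(self, ingress, frame):
        self.mac_table[frame.src] = ingress  # learn source MAC -> port
        if frame.dst == BROADCAST or frame.dst not in self.mac_table:
            out = {p for p in self.ports if p != ingress}
        else:
            out = {self.mac_table[frame.dst]}
        if self.mirror_port is not None and self.mirror_port != ingress:
            out.add(self.mirror_port)
        return out


def seen_by_sensor(device, traffic, sensor_port):
    """Run (ingress_port, frame) pairs through the device and return the
    payload labels of the frames that reach the sensor's port."""
    seen = []
    for ingress, frame in traffic:
        if sensor_port in device.forward(ingress, frame):
            seen.append(frame.payload)
    return seen


# Constructed traffic: two workstations on ports 1 and 2, sensor on port 3.
PC_A, PC_B = "00:11:22:aa:aa:aa", "00:11:22:bb:bb:bb"
TRAFFIC = [
    (1, Frame(PC_A, BROADCAST, "arp who-has B")),  # flooded to every port
    (2, Frame(PC_B, PC_A, "arp reply B")),         # A already learned on port 1
    (1, Frame(PC_A, PC_B, "smb session A->B")),    # B learned on port 2
    (2, Frame(PC_B, PC_A, "smb data B->A")),
]


def compare_visibility():
    """What the sensor on port 3 sees on a hub, a plain switch, and a switch
    that mirrors all traffic to port 3."""
    ports = [1, 2, 3]
    return {
        "hub": seen_by_sensor(Hub(ports), TRAFFIC, 3),
        "switch": seen_by_sensor(Switch(ports), TRAFFIC, 3),
        "switch_mirror": seen_by_sensor(Switch(ports, mirror_port=3), TRAFFIC, 3),
    }


if __name__ == "__main__":
    for name, payloads in compare_visibility().items():
        print(f"{name:14s} sensor sees {len(payloads)}/{len(TRAFFIC)}: {payloads}")
```

On the hub the sensor sees all four frames; on the plain switch it sees only the ARP broadcast, because every later frame goes to a single learned port; with the mirror port it again sees everything. That is the whole case for either putting the sensor on a hub segment or using a switch that can mirror.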
Question by:nakedconsulting
2 Comments
 

Author Comment

by:nakedconsulting
PS Alternatively, you can also use a pre-installed linux distribution: http://www.networksecuritytoolkit.org/nst/index.html. Thanks!

Accepted Solution

by: PowerIT (LVL 18), earned 50 total points
Nice idea. I think you have this nailed for very small businesses.
I have the following remarks:
- If the firewall/router has no built-in hub but a real switch and internally there is also a switch, then you can put an additional hub between the firewall and internal network. Plug in the sensor / IDS right there.
- If you want to capture the internal traffic and a switch is being used, you'll need an additional NIC in the IDS and set the switch to mirror its traffic to the port on which you connected the second NIC. You'll need a switch that can handle this. Mind you, internal traffic can be overwhelming. The mirror port can also drop packets, but not that much in a SOHO environment. In any case, don't continuously monitor internal traffic. Only when really needed.
- For the above reason, in a full 'hub-network' you would see all that traffic. Consider replacing the hub with a switch. Even managed switches (supporting port mirroring) are available at a very low price these days. Some smart switches (not fully managed) can do this. By heart I know that Netgear and Linksys have that ability in some of their entry level switches.
- You could consider adding a sensor BEFORE the firewall, so that you can see all attacks coming from the internet. Not just what passed the firewall.
- You did not mention setting this up as a stealth host. This means that an attacker could potentially take over the IDS and hide his tracks.
- Ethereal is now Wireshark: www.wireshark.org

My biggest concern is: how are small businesses going to manage this? They usually don't have the knowledge or manpower to correctly interpret all the possible detections and alarms. This means that somehow you would need the possibility to centrally manage this for your clients. Have you considered this?

BTW, don't ask to be emailed directly about EE stuff. EE is for exchanging ideas and solutions. Those get lost with email.

J.
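PowerIT's closing concern, that a small shop has nobody to read through every alarm, is usually met by reducing the raw alert stream to a short triage summary. The script below is an added example for this thread, not code from the original posts or from the Snort project: it parses lines in the layout of Snort's fast alert output (timestamp, `[gid:sid:rev]`, message, classification, priority, protocol, `src:port -> dst:port`) and counts the urgent ones by signature and by source address. The alert lines are constructed, with SIDs in the local-rule range, and the `triage` and `parse_alerts` functions and the priority cut-off are the example's own assumptions.

```python
"""Summarise Snort fast-format alerts so a small shop can see at a glance which
signatures and sources need attention.

Added illustration for the alert-management concern raised above; it is not
code from the original thread or from the Snort project. The alert lines are
constructed, and the layout is assumed to follow Snort 2.x fast-alert output.
"""
import re
from collections import Counter

# Constructed alert lines (not real detections); SIDs use the local-rule range.
SAMPLE_ALERTS = """\
04/07-09:12:01.000000  [**] [1:1000001:1] EXAMPLE Inbound scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:40321 -> 192.168.1.20:445
04/07-09:12:02.000000  [**] [1:1000001:1] EXAMPLE Inbound scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:40322 -> 192.168.1.21:445
04/07-09:15:44.000000  [**] [1:1000002:1] EXAMPLE Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 1] {UDP} 198.51.100.9:1434 -> 192.168.1.20:1434
04/07-09:20:10.000000  [**] [1:1000003:1] EXAMPLE ICMP ping [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.30 -> 192.168.1.1
this line is not an alert and must be skipped
"""

# IPv4 endpoints are assumed; the port is optional so ICMP lines also match.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[^\s:]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[^\s:]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alerts(text):
    """Parse fast-format lines into dicts; lines that do not match are skipped
    rather than aborting the whole run."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["priority"] = int(d.pop("prio"))
        d["sid"] = int(d["sid"])
        alerts.append(d)
    return alerts


def triage(alerts, max_priority=2):
    """Keep alerts at or above the cut-off (in Snort a lower number is more
    urgent) and count them by signature and by source address."""
    urgent = [a for a in alerts if a["priority"] <= max_priority]
    return {
        "total": len(alerts),
        "urgent": len(urgent),
        "by_signature": Counter((a["sid"], a["msg"]) for a in urgent),
        "by_source": Counter(a["src"] for a in urgent),
    }


if __name__ == "__main__":
    summary = triage(parse_alerts(SAMPLE_ALERTS))
    print(f"{summary['urgent']} of {summary['total']} alerts at priority <= 2")
    for (sid, msg), n in summary["by_signature"].most_common():
        print(f"  sid {sid}: {n:3d}  {msg}")
    for src, n in summary["by_source"].most_common():
        print(f"  source {src}: {n}")
```

Run against a real alert file the same way (read the file and pass its text to `parse_alerts`); the priority cut-off is the knob to turn when the summary is still too long for the person who has to read it.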