Employing Intrusion Detection System (IDS) and Packet Sniffer such as Snort and Ethereal in a small business environment

Caution: If I’m incorrect in any way on the information provided, please correct me, I’ll sincerely appreciate it.

Over the last six months I have been researching employing an Intrusion Detection System, and these are the results:

 

Most security-oriented companies sell hardware appliances for this purpose, for example, Sonicwall, Cisco, Symantec, McAfee. The prices range from $400 to thousands. For a small business or home office, that’s a pretty steep price.

 

The alternative is using FREE, open-source software such as Snort, Ethereal, and Nessus. Read more about them on snort.org, ethereal.com...

 

The reason why I’m writing and posting this is because I have not found easy-to-understand instructions on the internet, newsgroups, and even expert-exchange.com! This is for the network administrator who has a low budget and high security needs.

 

Ok, here’s the setup / lab of a regular small business environment:

 

Internet -> Firewall/Router -> Switch/Hub -> Bunch of computers

 

The IDS/Sniffer computer:

Windows 2003 or Windows XP based

1 NIC

1.2 GHz

512MB RAM

80GB Hard Drive

52X CD-ROM Drive

 

Here’s what we installed for the IDS:

Snort 2.6, www.snort.org

Ethereal 0.9, www.ethereal.com

WinPcap 3.0 (Comes with www.ethereal.com)

EagleX 2.1, www.engagesecurity.com

 

Snort 2.6 = Intrusion Detection System

Ethereal 0.9 = Packet Sniffer and analyzer

WinPcap 3.0 = Needed to run Snort and Ethereal

EagleX 2.1 = Pre-config software for Snort, also comes with GUI Interface known as IDS 1.1 RC4

 

Where to install the IDS/Sniffer computer? Here it is:

 

Internet -> Firewall/Router (INSTALL IT HERE) -> Switch/Hub -> Bunch of computers

 

Ok, so your firewall/router will have two cables going out, one to the switch/hub, one to the IDS/Sniffer computer. Why?

 

The reason is this: most small businesses with more than 5 computers will probably use a switch, since it is smarter than a hub. A hub broadcasts every packet it receives, whereas a switch usually has smarter routing capability. In order for packets to be captured, they have to be broadcast on the hub. Believe it or not, most small businesses’ routers/firewalls act as a hub unless specially designed to be a router/firewall/switch. By deploying it on the router/firewall, it’ll capture every packet that comes through your firewall, and going out too (not sure about this one yet).

 

Alternatively, if you use a hub to connect all your computers, you can employ it there, so it’ll be:

 

Internet -> Firewall/Router -> Hub (INSTALL IT HERE) -> Bunch of computers

 

That way, you’ll capture internal network traffic too.

 

Hope this helps. Please feel free to e-mail me directly with any questions, Kevin@econsynergy.com.

 

Sincerely yours,

 

Kevin

Small Business IT Consultant

Kevin@econsynergy.com

Asked by: nakedconsulting

nakedconsulting (Author) commented:
PS Alternatively, you can also use a pre-installed linux distribution: http://www.networksecuritytoolkit.org/nst/index.html. Thanks!

PowerIT commented:
Nice idea. I think you have this nailed for very small businesses.
I have the following remarks:
- If the firewall/router has no built in hub but a real switch and internally there is also a switch, then you can put an additional hub between the firewall and internal network. Plug in the sensor / IDS right there.
- If you want to capture the internal traffic and a switch is being used, you'll need an additional NIC in the IDS and set the switch to mirror its traffic to the port on which you connected the second NIC. You'll need a switch that can handle this. Mind you, internal traffic can be overwhelming. The mirror port can also drop packets, but not that much in a SOHO environment. In any case, don't continuously monitor internal traffic. Only when really needed.
- For the above reason, in a full 'hub-network' you would see all that traffic. Consider replacing the hub with a switch. Even managed switches (supporting port mirroring) are available at a very low price these days. Some smart switches (not fully managed) can do this. By heart I know that Netgear and Linksys have that ability in some of their entry level switches.
- You could consider adding a sensor BEFORE the firewall, so that you can see all attacks coming from the internet. Not just what passed the firewall.
- You did not mention setting this up as a stealth host. This means that an attacker could potentially take over the IDS and hide his tracks.
- Ethereal is now wireshark: www.wireshark.org

My biggest concern is: how are small businesses going to manage this? They usually don't have the knowledge or manpower to correctly interpret all the possible detections and alarms. This means that somehow you would need the possibility to centrally manage this for your clients. Have you considered this?

BTW, don't ask to be emailed directly about EE stuff. EE is for exchanging ideas and solutions. Those get lost with email.

J.
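As an added illustration of the hub-versus-switch point made in the question and of the port-mirroring remark in the comment above (this is not code from the thread, from Snort or from Ethereal; the hosts, MAC addresses and frames are constructed for the example), the following Python model replays a few frames through a hub, a plain learning switch, and a switch with a mirror port, and reports which frames a passive sensor on port 4 actually receives:

```python
"""Why sensor placement matters: what a passive IDS/sniffer sees on a hub,
on a plain learning switch, and on a switch mirror (SPAN) port.

Added illustration for this thread (not code from the original post, from
Snort or from Ethereal). Hosts, MAC addresses and frames are constructed.
"""
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str   # source MAC
    dst: str   # destination MAC
    note: str  # label describing the frame (constructed)


class Hub:
    """A hub repeats every frame to every port except the ingress port."""

    def __init__(self, ports):
        self.seen = {p: [] for p in ports}

    def forward(self, in_port, frame):
        for p in self.seen:
            if p != in_port:
                self.seen[p].append(frame)


class Switch:
    """A learning switch: it records the port each source MAC arrived on and
    forwards a frame only to the learned port. Unknown destinations and
    broadcasts are flooded. If mirror_port is set, that port also receives a
    copy of every frame (a simplified SPAN / port-mirror)."""

    def __init__(self, ports, mirror_port=None):
        self.seen = {p: [] for p in ports}
        self.mirror_port = mirror_port
        self.mac_table = {}

    def forward(self, in_port, frame):
        self.mac_table[frame.src] = in_port
        learned = self.mac_table.get(frame.dst)
        if frame.dst == BROADCAST or learned is None:
            # Flood, but not onto the mirror port: it gets its copy below.
            targets = [p for p in self.seen if p not in (in_port, self.mirror_port)]
        else:
            targets = [learned]
        for p in targets:
            self.seen[p].append(frame)
        if self.mirror_port is not None:
            self.seen[self.mirror_port].append(frame)


# Constructed lab: three workstations on ports 1-3, the sensor on port 4.
HOST_PORT = {"02:00:00:00:00:0a": 1,
             "02:00:00:00:00:0b": 2,
             "02:00:00:00:00:0c": 3}
SENSOR_PORT = 4
A, B, C = HOST_PORT  # the three MAC keys, in insertion order

TRAFFIC = [
    Frame(A, B, "A->B request"),        # B not yet learned: a switch floods this
    Frame(B, A, "B->A reply"),          # A already learned: unicast to port 1 only
    Frame(A, BROADCAST, "A ARP who-has"),
    Frame(C, B, "C->B file share"),
    Frame(B, C, "B->C reply"),
]


def sensor_view(device):
    """Replay TRAFFIC through device and return what the sensor port saw."""
    for frame in TRAFFIC:
        device.forward(HOST_PORT[frame.src], frame)
    return [f.note for f in device.seen[SENSOR_PORT]]


def hub_view():
    return sensor_view(Hub(ports=[1, 2, 3, 4]))


def switch_view():
    return sensor_view(Switch(ports=[1, 2, 3, 4]))


def mirror_view():
    return sensor_view(Switch(ports=[1, 2, 3, 4], mirror_port=SENSOR_PORT))


if __name__ == "__main__":
    for name, view in (("hub", hub_view()),
                       ("switch", switch_view()),
                       ("switch+mirror", mirror_view())):
        print(f"{name:14s} sensor sees {len(view)}/{len(TRAFFIC)} frames: {view}")
```

Run it directly to print the three views. On the hub the sensor sees all five frames. On the plain switch it sees only the first request (flooded because the destination MAC had not been learned yet) and the ARP broadcast; every reply and all later unicast traffic goes straight to the learned port and never reaches port 4. With the sensor on a mirror port it again sees all five, which is the reason behind the extra-hub or port-mirroring suggestion for watching internal traffic.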
