
Employing Intrusion Detection System (IDS) and Packet Sniffer such as Snort and Ethereal in a small business environment

Caution: If I’m incorrect in any way on the information provided, please correct me; I’ll sincerely appreciate it.


Over the last six months I have been researching employing an Intrusion Detection System, and these are the results:


Most security-oriented companies sell hardware appliances for this purpose, for example, SonicWall, Cisco, Symantec, McAfee. The prices range from $400 to thousands. For a small business or home office, that’s a pretty steep price.


The alternative is using FREE, open-source software such as Snort, Ethereal, and Nessus. Read more about them on snort.org, ethereal.com...


The reason why I’m writing and posting this is because I have not found easy-to-understand instructions on the internet, in newsgroups, or even on expert-exchange.com! This is for the network administrator who has a low budget and high security needs.


Ok, here’s the setup / lab of a regular small business environment:


Internet → Firewall/Router → Switch/Hub → Bunch of computers


The IDS/Sniffer computer:

Windows 2003 or Windows XP based


1.2 GHz


80GB Hard Drive

52X CD-ROM Drive


Here’s what we installed for the IDS:

Snort 2.6, www.snort.org

Ethereal 0.9, www.ethereal.com

WinPcap 3.0 (Comes with www.ethereal.com)

EagleX 2.1, www.engagesecurity.com


Snort 2.6 = Intrusion Detection System

Ethereal 0.9 = Packet Sniffer and analyzer

WinPcap 3.0 = Needed to run Snort and Ethereal

EagleX 2.1 = Pre-config software for Snort, also comes with GUI Interface known as IDS 1.1 RC4


Where to install the IDS/Sniffer computer? Here it is:


Internet → Firewall/Router (INSTALL IT HERE) → Switch/Hub → Bunch of computers


Ok, so your firewall/router will have two cables going out, one to the switch/hub, one to the IDS/Sniffer computer. Why?


The reason is this: most small businesses with more than 5 computers will probably use a switch, since it is smarter than a hub. A hub broadcasts every packet it receives, whereas a switch usually has a smarter routing capability. In order for packets to be captured, they have to be broadcast on the hub. Believe it or not, most small business routers/firewalls act as a hub unless specially designed to be a router/firewall/switch. By employing it on the router/firewall, it’ll capture every packet that comes through your firewall, and going out too (not sure about this one yet)?


Alternatively, if you use a hub to connect all your computers, you can employ it there, so it’ll be:


Internet → Firewall/Router → Hub (INSTALL IT HERE) → Bunch of computers


That way, you’ll capture internal network traffic too.


Hope this helps. Please feel free to e-mail me directly with any questions, Kevin@econsynergy.com.


Sincerely yours,



Small Business IT Consultant


1 Solution
nakedconsulting (Author) commented:
PS Alternatively, you can also use a pre-installed linux distribution: http://www.networksecuritytoolkit.org/nst/index.html. Thanks!

Nice idea. I think you have this nailed for very small businesses.
I have the following remarks:
- If the firewall/router has no built-in hub but a real switch, and internally there is also a switch, then you can put an additional hub between the firewall and the internal network. Plug in the sensor / IDS right there.
- If you want to capture the internal traffic and a switch is being used, you'll need an additional NIC in the IDS and set the switch to mirror its traffic to the port on which you connected the second NIC. You'll need a switch that can handle this. Mind you, internal traffic can be overwhelming. The mirror port can also drop packets, but not that much in a SOHO environment. In any case, don't continuously monitor internal traffic. Only when really needed.
- For the above reason, in a full 'hub network' you would see all that traffic. Consider replacing the hub with a switch. Even managed switches (supporting port mirroring) are available at a very low price these days. Some smart switches (not fully managed) can do this. By heart I know that Netgear and Linksys have that ability in some of their entry-level switches.
- You could consider adding a sensor BEFORE the firewall, so that you can see all attacks coming from the internet. Not just what passed the firewall.
- You did not mention setting this up as a stealth host. This means that an attacker could potentially take over the IDS and hide his tracks.
- Ethereal is now Wireshark: www.wireshark.org

My biggest concern is: how are small businesses going to manage this? They usually don't have the knowledge or manpower to correctly interpret all the possible detections and alarms. This means that somehow you would need the possibility to centrally manage this for your clients. Have you considered this?

BTW, don't ask to be emailed directly about EE stuff. EE is for exchanging ideas and solutions. Those get lost with email.
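The hub-versus-switch point in the question and the mirror-port remark in the answer above, as an added toy model (Python; not code from either poster): a hub repeats every frame to the sensor, a learning switch only leaks broadcast and unknown-destination frames to it, and a mirror (SPAN) port restores full visibility. The port numbers, MAC addresses and frames are constructed for the demonstration.

```python
from collections import namedtuple

# Added example (not from the original post): a toy model of why an IDS NIC sees
# every frame on a hub but only flooded/broadcast frames on a switch, unless the
# switch mirrors traffic to the sensor port. Ports, MACs and frames are constructed.
Frame = namedtuple("Frame", "src dst port")  # port = ingress port number
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Hub:
    """A hub repeats every frame out of all ports except the one it came in on."""
    def __init__(self, ports):
        self.ports = set(ports)

    def forward(self, frame):
        return self.ports - {frame.port}


class Switch:
    """Learning switch: remembers which port each source MAC was seen on,
    unicasts known destinations, floods broadcast/unknown ones. An optional
    mirror (SPAN) port receives a copy of every frame, as the answer describes."""
    def __init__(self, ports, mirror_port=None):
        self.ports = set(ports)
        self.mirror_port = mirror_port
        self.table = {}  # MAC -> port

    def forward(self, frame):
        self.table[frame.src] = frame.port
        if frame.dst == BROADCAST or frame.dst not in self.table:
            out = self.ports - {frame.port}                # flood
        else:
            out = {self.table[frame.dst]} - {frame.port}  # forward to one port
        if self.mirror_port is not None:
            out.add(self.mirror_port)
        return out


def frames_seen_by_sensor(device, traffic, sensor_port):
    """Indices of the frames that reach the sensor's port, in order."""
    return [i for i, f in enumerate(traffic) if sensor_port in device.forward(f)]


# Constructed sample traffic: hosts A (port 1) and B (port 2); sensor NIC on port 3.
A, B = "00:00:00:00:00:0a", "00:00:00:00:00:0b"
TRAFFIC = [
    Frame(A, BROADCAST, 1),  # ARP-style broadcast from A
    Frame(B, A, 2),          # B answers; the switch has now learned both MACs
    Frame(A, B, 1),          # unicast A -> B
    Frame(B, A, 2),          # unicast B -> A
]

if __name__ == "__main__":
    print("hub:          ", frames_seen_by_sensor(Hub([1, 2, 3]), TRAFFIC, 3))
    print("switch:       ", frames_seen_by_sensor(Switch([1, 2, 3]), TRAFFIC, 3))
    print("switch+mirror:", frames_seen_by_sensor(Switch([1, 2, 3], mirror_port=3), TRAFFIC, 3))
```

On the plain switch the sensor sees only the initial broadcast, which is exactly the blind spot the answer's mirror-port advice closes.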
