How to configure IDS in front of a firewall

I have been tasked with configuring an IDS in front of an ASA. I have never set that up before. Can you provide step by step instructions or can you point to documents that will help me achieve this?
SydNal2009 asked:
Rich Rumble (Security Samurai) commented:
You probably want it first behind the firewall. If it's in front, EVERYTHING will set it off; you want it to alarm only when it sees something getting past the FW.
Which firewall are you going to use? Does it have to be run on Windows, or can you use/set up Linux? Linux is the one you'll see for most IDSs; I'd recommend Suricata as the IDS.
You have to put in at least 2 NICs, one to ssh/login to and the other to sniff. Your switch should be set up to mirror or "span session" the port you need to sniff in the IDS. Have a look at Suricata's documentation: http://suricata-ids.org/docs/

IDS isn't easy to jump right into, so maybe try the Security Onion live CD so you can choose one of the 3-4 IDSs you might like.
http://sourceforge.net/projects/security-onion/
-rich

btan (Exec Consultant) commented:
You can place an IDS appliance in front of or behind a firewall. Each position has its benefits and drawbacks.

Placing an IDS appliance in front of a firewall allows the IDS appliance to monitor all incoming and outgoing network traffic. However, when deployed in this manner, the IDS appliance does not normally detect traffic that is internal to the network. An internal attacker taking advantage of vulnerabilities in network services would remain undetected by the external IDS appliance.

Placing an IDS appliance (a monitoring or sniffing interface) behind a firewall shields the IDS appliance from any policy violations that the firewall rejects.

Installing the IDS Appliance
http://www.cisco.com/en/US/docs/security/ips/4.0/installation/guide/hwchap1.html
Rich Rumble (Security Samurai) commented:
Behind the FW is about the only choice; there are so many FPs when outside that there is no benefit to it, especially when dealing with UDP traffic.
http://blog.joelesler.net/2009/03/why-is-your-ids-outside-your-firewall_06.html
Bad idea, maybe if you're running a honeypot it's ok, but even then I can't see why.

Most IDS rules are based on direction (src/dst) so as long as you're getting the in/out of your network, it should be behind the FW.
-rich
btan (Exec Consultant) commented:
I do agree with richrumble, behind the FW is the better choice, not to mention those UTMs, which are a hybrid type... However, it really depends on what you want to accomplish.

In many cases users are inundated with alarms when the sensor is monitoring outside the firewall. Many users are constantly being scanned and attacked, and the IDS is constantly firing off alarms. By placing it inside their firewall they find out that the firewall is doing its job and blocking most of it, so then they only concentrate on the alarms for traffic that is actually being passed through the firewall.

So placement of the monitoring interface is really up to the user. In some cases users have one sensor on the inside that they use on a daily basis, then have a second on the outside. When they notice an attack on the inside, they check the outside to find out what else the attacker may have been doing that the firewall was able to block.

Intrusion Detection FAQ: How to place IDS sensor in redundant networks?
http://www.sans.org/security-resources/idfaq/ids_redun.php
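To make the placement trade-off discussed in the answers above concrete, here is an added toy model (not code from this thread, from Cisco or from Suricata): the same constructed flows are run past an "outside" and an "inside" sensor with a toy perimeter policy and direction-aware signatures. HOME_NET, DMZ_WEB, the flows, the policy and the rule directions are all assumptions made for the illustration.

```python
# Added illustration (not from the thread); all addresses, flows and rules are constructed.
from ipaddress import ip_address, ip_network

HOME_NET = ip_network("10.0.0.0/8")   # assumed internal range ($HOME_NET)
DMZ_WEB = ip_address("10.1.1.10")     # assumed public web server

# Constructed flows: (src, dst, proto, dport, signature hit or None)
FLOWS = [
    ("203.0.113.7", "10.1.1.10", "tcp", 80, "web-attack"),       # allowed to DMZ web
    ("203.0.113.8", "10.1.1.10", "udp", 161, "snmp-probe"),      # firewall drops
    ("198.51.100.9", "10.2.2.21", "tcp", 22, "ssh-bruteforce"),  # firewall drops
    ("10.2.2.20", "198.51.100.9", "tcp", 443, None),             # allowed outbound
    ("10.2.2.20", "10.1.1.10", "tcp", 22, "ssh-bruteforce"),     # never leaves the LAN
]

# Direction-aware signatures, in the spirit of Suricata's $EXTERNAL_NET -> $HOME_NET
SIGNATURES = {"web-attack": "external->home", "snmp-probe": "external->home",
              "ssh-bruteforce": "any->home"}

def flow_direction(flow):
    src, dst = ip_address(flow[0]), ip_address(flow[1])
    if src in HOME_NET and dst in HOME_NET:
        return "internal"
    return "inbound" if dst in HOME_NET else "outbound"

def firewall_passes(flow):
    """Toy policy: all outbound allowed; inbound only tcp/80 and tcp/443 to DMZ_WEB."""
    _, dst, proto, dport, _ = flow
    d = flow_direction(flow)
    if d == "outbound":
        return True
    return d == "inbound" and proto == "tcp" and dport in (80, 443) and ip_address(dst) == DMZ_WEB

def visible_flows(placement):
    """'outside': every flow crossing the perimeter, internal flows invisible. 'inside'
    (SPAN on the inside switch, assumed to cover the LAN): what the firewall let through plus internal flows."""
    if placement == "outside":
        return [f for f in FLOWS if flow_direction(f) != "internal"]
    return [f for f in FLOWS if firewall_passes(f) or flow_direction(f) == "internal"]

def matches(sig_dir, flow_dir):
    if sig_dir == "external->home":
        return flow_dir == "inbound"
    return flow_dir in ("inbound", "internal")  # any->home

def alerts(placement):
    """Signature names that fire on a sensor at the given placement."""
    return [f[4] for f in visible_flows(placement)
            if f[4] and matches(SIGNATURES[f[4]], flow_direction(f))]
```

The outside sensor fires on the probes the firewall was going to drop anyway, while the inside sensor fires only on what got through plus the internal brute force that the outside sensor can never see.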