[Dshield] Security in Layers
ed.truitt at etee2k.net
Thu Mar 25 02:41:40 GMT 2004
Graham Dodd wrote:
>I want to add another layer to our network security and would appreciate
>advice from the list.
>Our setup is Cisco Router with appropriate ACL's, Linux firewall, DMZ for
>mail server (running 2 x AV and SA), and webshop, and our internal network.
>I would like to put a "box" on the internal network to watch for any
>unauthorized activity, either someone who got through the outside, or a
>worm doing it's dirty work from the inside.
>My preference would be a Linux computer, but my main problem is I don't know
>what software to run to provide the best detection. I don't want to start a
>"mine is better than yours war" I would just like your experiences and
>Thank you for any assistance,
Well, what I have on my home network (a /28 network behind a DSL router)
is a box running a combination of a LaBrea tarpit and a Snort IDS. The
thing is actually sitting on a hub behind the router, so I can monitor
all the traffic on the "internal" network without having to do strange
things to make the IDS see all the ports on a switch. The IDS lets me
see what is going on (probes etc.) on my side of the router (which has
very few ACLs active, as they tend to cause the router to go comatose
quickly), and the tarpit sucks 'em in and holds 'em (worms etc.) ALL
machines on that segment have firewall s/w installed. I also have a
Wireless AP/router with a 4-port hub, for "workstation" class systems.
I do have some ACLs on that one, and the systems behind it may / may not
be running firewall s/w (depends on the box.)
Note I didn't specify an OS. Both LaBrea and Snort will run on Windows,
Linux, FreeBSD, or other flavors of *nix. Don't know about OS/X. If
you are going to run this combo on Windows, I would strongly suggest you
avoid 95, 98, ME - run it on W2K (Pro or Server) or XP (preferably Pro)
or W2K3 Server.
PGP fingerprint: 5368 D25E 468C A250 9833 CCD6 DBAE 9C25 02F9 0AB9
"Note to spammers: my 'delete' key is connected to YOUR ISP.
Also, if you send me UCE, I reserve the right to post your spew
on my Web site, with the appropriate color commentary, so that
others may have a good laugh at your expense."
More information about the list