[Dshield] Security in Layers

Ed Truitt ed.truitt at etee2k.net
Thu Mar 25 02:41:40 GMT 2004

Graham Dodd wrote:

>Hello all,
>I want to add another layer to our network security and would appreciate
>advice from the list.
>Our setup is Cisco Router with appropriate ACL's, Linux firewall, DMZ for
>mail server (running 2 x AV and SA), and webshop, and our internal network.
>I would like to put a "box" on the internal network to watch for any
>unauthorized activity, either someone who got through the outside, or a
>worm doing it's dirty work from the inside.
>My preference would be a Linux computer, but my main problem is I don't know
>what software to run to provide the best detection. I don't want to start a
>"mine is better than yours war" I would just like your experiences and
>working solutions.
>Thank you for any assistance,
Well, what I have on my home network (a /28 network behind a DSL router) 
is a box running a combination of a LaBrea tarpit and a Snort IDS.  The 
thing is actually sitting on a hub behind the router, so I can monitor 
all the traffic on the "internal" network without having to do strange 
things to make the IDS see all the ports on a switch.  The IDS lets me 
see what is going on (probes etc.) on my side of the router (which has  
very few ACLs active, as they tend to cause the router to go comatose 
quickly), and the tarpit sucks 'em in and holds 'em (worms etc.)  ALL 
machines on that segment have firewall s/w installed.  I also have a 
Wireless AP/router with a 4-port hub, for "workstation" class systems.  
I do have some ACLs on that one, and the systems behind it may / may not 
be running firewall s/w (depends on the box.)

Note I didn't specify an OS.  Both LaBrea and Snort will run on Windows, 
Linux, FreeBSD, or other flavors of *nix.  Don't know about OS/X.  If 
you are going to run this combo on Windows, I would strongly suggest you 
avoid 95, 98, ME - run it on W2K (Pro or Server) or XP (preferably Pro) 
or W2K3 Server.

Ed Truitt
PGP fingerprint:  5368 D25E 468C A250 9833  CCD6 DBAE 9C25 02F9 0AB9

"Note to spammers:  my 'delete' key is connected to YOUR ISP.
 Also, if you send me UCE, I reserve the right to post your spew
on my Web site, with the appropriate color commentary, so that
others may have a good laugh at your expense."

More information about the list mailing list