Page 1 of 2 (results 1 to 25 of 29)
  #1 Drakonblayde (Senior Member; CCNA, Network+, A+, MCP, MCSA): Probably an easy question...

    Thanks to this thread, I've taken a revamped interest in network security. It's always seemed to me to be one of those things that most books and courses just don't cover very well. I picked up Hacking Exposed 4th Ed. as suggested by that book, and it seems to be exactly what I'm looking for. When taking a defensive position, I always try to go the Art of War route and know my enemy. Theory is great, but if I don't know the tricks as well as the bad guys, I'm at a serious disadvantage, and a lot of authors seem to be... reluctant to tell you how to actually break a system, and I simply don't have time to scour the web for my own reading material or figure it out myself. So Hacking Exposed is a nice primer that seems to focus me in exactly the direction I need to go.

    Now, for my newbie question... I'm planning on attacking my home network as a learning tool. I've always thought it was pretty secure, but I'm guessing I'm going to be enlightened on that point of view shortly. Now my question comes from the fact that, until I got hold of Hacking Exposed, I honestly had no idea what an IDS was actually supposed to do. Now I see that it sits and sniffs packets for suspicious traffic. Ok, cool.

    Now, I obviously can't afford a hardware IDS. However, I have a little box that I can run Linux on, so Snort seems to be the way I'm going to have to go. My question is basically this:

    Does the NIDS have to be running on the same box/device as the entry point to the network?

    Right now, I'm using a hardware (Cisco) router as my interface to the outside world. I've got it locked down pretty well via ACLs, and it's got the firewall/IPsec IOS subset. The problem, as I see it, is that my network is fully switched. So if I just toss Snort on a Linux box sitting on the network, it's not going to see the traffic.

    Now, I suppose that I could have a copy of some form of IDS software running on each host that's accessible from the outside world, but that seems to be a huge duplication of effort, and I don't see that solution scaling very well in the real world. I'd really rather not replace the cisco router with a linux box.

    Anyway, basically my question boils down to, in a real world setting, where do folks deploy an IDS? What's the most effective method for catching suspicious incoming traffic?

  #2 Webmaster (Johan Hiemstra, Forum Admin; MCSE NT4, MCSA 2000/2003, Security+; expired: CWNA, CNA, CCNA):
    No, it doesn't have to be on the entry point, but the NIDS should be on the same segment as the hosts for which you want to analyze traffic, because its network card (running in promiscuous mode) has to pick up all the traffic. Unless it allows the use of sensors to listen to traffic in other segments as well.

    Check out the free Security+ demo video at www.cbtnuggets.com which happens to be about IDS systems.

  #3 TC (Junior Member; CEH, MCSE, MCP, MCP+I):
    Also learn the difference between a stateful and non-stateful firewall and IDS...


  #4 /usr (Senior Member):
    I can't vouch for how people do it in the real world. Unfortunately, I haven't been able to experience that yet.

    If I had to guess, most likely a NIDS is going to be used to catch most attacks from the outside. NIDSs can be fooled more easily than host-based IDSs, so if I was running a business-critical server, I would deploy a host-based IDS as well.

    There are monitoring agents that can be deployed for NIDS's. I have never experimented with them, but you're right in that if you have two pc's communicating on a switch behind the NIDS, the NIDS will not see that traffic if it only monitors packets passed through it.

    Someone else may be able to help you out more.

  #5 /usr (Senior Member):
    I stumbled across this and thought it may help you with this.

    http://freescobox.justmyhost.com/

  #6 JDMurray (Certification Invigilator, Forum Admin; GSEC, EnCE, CISSP, SSCP, CEH (ANSI), CASP, CCNA, CCENT, CWSP, CWNA, CWTS, Security+, Server+, Network+, A+, DHTI+, PDI+, MSIT InfoSec):
    I attended an "anti-hacking" class at a local community college that used Hacking Exposed (http://www.hackingexposed.com/) as the text. It can be a difficult text if the instructor really doesn't know how to use the OSes and tools described, but I did enjoy the class.

    One of the IDS tools we used was Snort (http://www.snort.org/). It's a great free IDS with lots of users, and there are many pre-created rules to get you up and running quickly. It's a very good complement to an SPI firewall that has IDS features (e.g., Cisco PIX). And Snort is available for both Windows and UNIX (Linux).

  #7 Drakonblayde (Senior Member):
    Quote Originally Posted by Webmaster
    No, it doesn't have to be on the entry point, but the NIDS should be on the same segment as the hosts for which you want to analyze traffic, because its network card (running in promiscuous mode) has to pick up all the traffic. Unless it allows the use of sensors to listen to traffic in other segments as well.

    Check out the free Security+ demo video at www.cbtnuggets.com which happens to be about IDS systems.
    Well, that's going to be a problem, since my switch is microsegmenting my network. Ok, so basically if I want to sniff every packet incoming to my network, it'd have to be done on the entry point.

    I wonder if it'd be possible to connect the router to a multihomed Linux box that is also connected to the switch, so that the traffic has to hit the Linux box before making it to the local network. I dunno if that's possible though; I dunno if I could put both NICs in the same subnet and have the *nix box just pass the traffic through. I know I could just drop the network behind the Linux box onto another subnet and forward the ports, but I think that'd cause issues with getting to my servers from the outside.

  #8 Drakonblayde (Senior Member):
    Quote Originally Posted by jdmurray
    I attended an "anti-hacking" class at a local community college that used Hacking Exposed (http://www.hackingexposed.com/) as the text. It can be a difficult text if the instructor really doesn't know how to use the OSes and tools described, but I did enjoy the class.

    One of the IDS tools we used was Snort (http://www.snort.org/). It's a great free IDS with lots of users, and there are many pre-created rules to get you up and running quickly. It's a very good complement to an SPI firewall that has IDS features (e.g., Cisco PIX). And Snort is available for both Windows and UNIX (Linux).
    Right, Snort is what I'm planning on using, I just don't know how to make it actually work properly on a switched network. I'd be running it on a Linux box, my issue is on where to position the IDS to make sure it actually gets a chance to sniff all the traffic incoming to the network.

  #9 JDMurray (Certification Invigilator, Forum Admin):
    Quote Originally Posted by Drakonblayde
    Right, Snort is what I'm planning on using, I just don't know how to make it actually work properly on a switched network.
    You'd put it on a box that is a bottleneck into your switched network. This'd be the same place you'd put a firewall, but the IDS machine should be outside of any firewall.

  #10 /usr (Senior Member):
    Drakon, check out that link I gave you.

    You may have to down your Cisco router for a bit, but it may be worth it, as you could probably set up Snort on the machine as well.

  #11 Drakonblayde (Senior Member):
    Quote Originally Posted by jdmurray
    Quote Originally Posted by Drakonblayde
    Right, Snort is what I'm planning on using, I just don't know how to make it actually work properly on a switched network.
    You'd put it on a box that is a bottleneck into your switched network. This'd be the same place you'd put a firewall, but the IDS machine should be outside of any firewall.
    And that's kind of where I'm screwed. It's a cable modem connected to a Cisco router, the switch is hooked directly into the router. So the bottleneck is at my router (which is also my firewall). So I can't really put an IDS between the cable modem and the router (at least, I don't *think* I can). So my options are basically replace the router with the Linux box and let it do my firewalling and routing as well as my packet sniffing, or deploy an IDS on each host reachable from the outside so that it can sniff any suspicious traffic coming into them.

  #12 /usr (Senior Member):
    You can't set up the Linux box with two NICs, plug one into the switch and one into the router, then set it up to merely forward EVERYTHING it sees?

  #13 Drakonblayde (Senior Member):
    Quote Originally Posted by /usr
    Drakon, check out that link I gave you.

    You may have to down your Cisco router for a bit, but it may be worth it, as you could probably set up Snort on the machine as well.
    Yeah, I took a look at it, and I've done that sort of setup before... it's pretty easy to turn a Linux box into a router. But with the money I paid for my 2621, I'd rather not relegate it to a junk pile hehe

  #14 Drakonblayde (Senior Member):
    Quote Originally Posted by /usr
    You can't set up the Linux box with two NICs, plug one into the switch and one into the router, then set it up to merely forward EVERYTHING it sees?
    See, I dunno if that's possible. If I did that, I'd have two NICs on the same machine in the same subnet. That'd be the best possible solution, but I just don't know enough about Linux to know if it's even possible to set up a box to take traffic from one NIC and forward it out the other (I guess I want to turn my Linux box into a repeater hehe) while giving Snort a chance to sniff the traffic at the same time.

  #15 JDMurray (Certification Invigilator, Forum Admin):
    Quote Originally Posted by Drakonblayde
    but I just don't know enough about Linux to know if it's even possible to setup a box to take traffic from one NIC and forward it out the other
    This is exactly what you do. You are creating a dedicated network security appliance using a Linux box as a network gateway. All your other routers, switches, etc., stay as they are.

    My very first firewall/gateway was a RedHat 6.0 box that ran masquerade and ipchains between two NICs. I had a hub on one NIC for my internal LAN and my DSL modem on the other NIC. The only other thing this Linux box did was traffic logging and some simple IDS.

  #16 /usr (Senior Member):
    I'm sure it's possible. You would probably have a similar setup as if you were turning it into a router, but without the computation the box would perform if it were a router. If you run Snort on the same machine, just pull packets from the incoming NIC and you should be fine.

    However, how are you going to break into your network from the outside?

  #17 Drakonblayde (Senior Member):
    Quote Originally Posted by jdmurray
    Quote Originally Posted by Drakonblayde
    but I just don't know enough about Linux to know if it's even possible to setup a box to take traffic from one NIC and forward it out the other
    This is exactly what you do. You are creating a dedicated network security appliance using a Linux box as a network gateway. All your other routers, switches, etc., stay as they are.

    My very first firewall/gateway was a RedHat 6.0 box that ran masquerade and ipchains between two NICs. I had a hub on one NIC for my internal LAN and my DSL modem on the other NIC. The only other thing this Linux box did was traffic logging and some simple IDS.
    Ok, so I just configure both NICs with IPs in the same subnet and turn on IPv4 forwarding? Or is it more complicated than that?

    Quote Originally Posted by /usr
    However, how are you going to break into your network from the outside?
    I have a lot of free time at work.

  #18 JDMurray (Certification Invigilator, Forum Admin):
    Quote Originally Posted by /usr
    However, how are you going to break into your network from the outside?
    I run security scans of my home network from my machine at work. You can also request security scans from some web sites that provide the service free of charge:

    http://www.grc.com/
    http://scan.sygate.com/
    http://www.dslreports.com/scan

  #19 Drakonblayde (Senior Member):
    Well, for those playing along with the home game...

    Ok, so it basically looks like I need to set my Linux box up as an ethernet bridge to make it a transparent part of the network. Just in case anyone else is interested in doing the same thing I am, here are the instructions I've found for setting Linux up as a bridge instead of a router.

    Now, the fun part is going to be figuring out if I can somehow get that box to send me an email alert when Snort finds something, since the interfaces apparently aren't supposed to have IP addresses.

  #20 JDMurray (Certification Invigilator, Forum Admin):
    Actually, you are making a layer-3 gateway and not a layer-2 bridge.

    Snort will send you emails as incidents are detected or as periodic reports. You can also have Snort send the reports to a syslog server and have syslog send the emails.

    And each interface on the gateway will have an IP address. Only specialized NIDS that are controlled via out-of-band management (e.g., a serial port) can operate on an IP network without a layer-3 address.

    Of course, the Linux gateway will need its own protection from attacks, just as any host in a DMZ should be so hardened.
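    On the email question raised in #19 and #20: Snort's own job ends at writing the alert, either to its alert file or to syslog (the -s switch, or an "output alert_syslog" line in snort.conf); turning an alert into an email is a separate step that something else on the box performs. The script below is an added example, not from the thread, of that step: it reads lines in Snort's alert_fast format, keeps the alerts at or above a chosen priority (1 is the most severe), and wraps them in a message for a mail hook. The sample alerts are constructed for the example, the sids are in the local-rule range rather than real Snort signature ids, and MAIL_CMD is an assumed hook (for instance the mail command); with it unset the script prints the message instead of sending it.

```shell
#!/bin/sh
# Added example (not from the thread): pick out the Snort alert_fast alerts
# worth mailing and hand them to a mail hook.
set -eu

# Constructed sample alerts in alert_fast format. Sids 1000001+ are in the
# local rule range; they are not real Snort rule ids.
SAMPLE_ALERTS='01/05-14:23:01.123456  [**] [1:1000001:1] LOCAL ICMP echo sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.7 -> 192.168.1.20
01/05-14:23:04.000010  [**] [1:1000002:1] LOCAL SSH brute force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:51234 -> 192.168.1.20:22
01/05-14:24:30.555555  [**] [1:1000003:2] LOCAL HTTP directory traversal [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.9:40001 -> 192.168.1.30:80
01/05-14:25:00.000000  [**] [1:1000004:1] LOCAL noisy DNS lookup [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.168.1.20:5353 -> 192.168.1.1:53'

# alerts_at_or_above MAXPRIO  (reads alert_fast lines on stdin)
# Emits one "priority|sid|signature|src|dst" record per alert whose
# priority number is <= MAXPRIO; everything else is dropped.
alerts_at_or_above() {
    awk -v maxprio="$1" '
        BEGIN { FS = "\\[\\*\\*\\]" }          # split on the [**] markers
        NF < 3 { next }                          # not an alert line
        {
            sig = $2                             # " [gid:sid:rev] message "
            sub(/^ *\[[0-9]+:/, "", sig)         # drop "[gid:"
            sid = sig; sub(/:.*/, "", sid)       # keep the sid
            sub(/^[0-9]+:[0-9]+\] */, "", sig)   # drop "sid:rev] "
            sub(/ *$/, "", sig)
            if (match($3, /Priority: [0-9]+/) == 0) next
            prio = substr($3, RSTART + 10, RLENGTH - 10) + 0
            if (prio > maxprio) next
            n = split($3, t, " ")                # ... {PROTO} src -> dst
            src = t[n - 2]; dst = t[n]
            printf "%d|%s|%s|%s|%s\n", prio, sid, sig, src, dst
        }'
}

# mail_alerts MAXPRIO [RECIPIENT]  (reads alert_fast lines on stdin)
# Builds the message; sends it through $MAIL_CMD when that is set (assumed
# hook, e.g. MAIL_CMD=mail), otherwise prints it so the run can be checked.
mail_alerts() {
    body=$(alerts_at_or_above "$1")
    [ -n "$body" ] || return 0                   # nothing to report
    msg="Snort alerts at priority <= $1 on $(uname -n 2>/dev/null || echo sensor):
$body"
    if [ -n "${MAIL_CMD:-}" ]; then
        printf '%s\n' "$msg" | $MAIL_CMD -s "snort alerts" "${2:-root}"
    else
        printf '%s\n' "$msg"
    fi
}

# Dry run on the constructed sample: only the two priority-1 alerts survive.
printf '%s\n' "$SAMPLE_ALERTS" | mail_alerts 1
```

    In use, the same function runs from cron against /var/log/snort/alert (mail_alerts 1 you@example.org < /var/log/snort/alert, after rotating the file) or from whatever syslog handler receives the -s output. The sensor still needs a reachable address to hand the message to a mail server, which is the point of giving the bridge interface a management IP rather than the sniffing ports.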

  #21 Drakonblayde (Senior Member):
    Quote Originally Posted by jdmurray
    Actually, you are making a layer-3 gateway and not a layer-2 bridge.

    Snort will send you emails as incidents are detected or as periodic reports. You can also have Snort send the reports to a syslog server and have syslog send the emails.

    And each interface on the gateway will have an IP address. Only specialized NIDS that are controlled via out-of-band management (e.g., a serial port) can operate on an IP network without a layer-3 address.

    Of course, the Linux gateway will need its own protection from attacks, just as any host in a DMZ should be so hardened.
    Hrm, apparently the new versions of the bridging software will let me assign an IP to the virtual bridge interface, basically turning it into a managed switch, which I'm a whole lot more comfortable with. If I drop the NICs in promiscuous mode and set the bridge up with its own IP, would that work? Or does Snort require an IP on the actual interfaces?

    And if I set it up as a gateway, is assigning IP's to the NIC's and enabling IP forwarding enough?

  #22 JDMurray (Certification Invigilator, Forum Admin):
    Quote Originally Posted by Drakonblayde
    If I drop the NICs in promiscuous mode and set the bridge up with its own IP, would that work? Or does Snort require an IP on the actual interfaces?
    Hmmm... good question. I am not familiar with the Linux version of Snort. I assume Snort under Linux needs IP address(es) just like it does under Windows. Check in the docs on snort.org.

    Quote Originally Posted by Drakonblayde
    And if I set it up as a gateway, is assigning IP's to the NIC's and enabling IP forwarding enough?
    Yes, exactly. All a gateway does is statically forward packets from one interface to another and provide some filtering in-between. This is a very common use of Linux boxes.

  #23 Drakonblayde (Senior Member):
    Quote Originally Posted by jdmurray
    Quote Originally Posted by Drakonblayde
    If I drop the NICs in promiscuous mode and set the bridge up with its own IP, would that work? Or does Snort require an IP on the actual interfaces?
    Hmmm... good question. I am not familiar with the Linux version of Snort. I assume Snort under Linux needs IP address(es) just like it does under Windows. Check in the docs on snort.org.

    Quote Originally Posted by Drakonblayde
    And if I set it up as a gateway, is assigning IP's to the NIC's and enabling IP forwarding enough?
    Yes, exactly. All a gateway does is statically forward packets from one interface to another and provide some filtering in-between. This is a very common use of Linux boxes.
    Well hell, I'll do it that way then, a lot easier than configuring a bridge hehe

  #24 JDMurray (Certification Invigilator, Forum Admin):
    The only part I'm not sure how to do under Linux is insert Snort between the two interfaces. There must be a HOW-TO on snort.org that explains this configuration.

    When you get it all working, please post the details of your configuration here. I'm thinking about throwing together a Slackware Linux system to do the same thing.
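    Posts #21, #22 and #24 leave two things open: whether Snort needs an address on the interfaces it sniffs, and how to "insert Snort between the two interfaces". Snort captures through libpcap and needs no IP on the capture interface; what needs an address is the box itself, for management and for sending alerts, and on a bridge that address goes on the bridge device, not on the two ports. The script below is an added example, not from the thread, that builds a transparent layer-2 bridge from two NICs (router on one, switch on the other), gives br0 a management address, keeps IP forwarding off, and starts Snort on br0, which sees every frame crossing the bridge in either direction. Interface names, the management address and the Snort paths are assumptions. The ip link bridge commands need a recent iproute2; on a 2004-era distribution the equivalents are brctl addbr br0 and brctl addif br0 eth0 / eth1. The script only prints its plan unless it is run with the argument apply.

```shell
#!/bin/sh
# Added example (not from the thread): put a two-NIC Linux box between the
# Cisco router and the switch as a transparent bridge, and run Snort on it.
set -eu

OUTSIDE_IF=${OUTSIDE_IF:-eth0}             # cabled to the router's LAN port
INSIDE_IF=${INSIDE_IF:-eth1}               # cabled to the switch
BRIDGE_IF=${BRIDGE_IF:-br0}
MGMT_ADDR=${MGMT_ADDR:-192.168.1.250/24}   # assumed management address on the LAN
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}
SNORT_LOG=${SNORT_LOG:-/var/log/snort}

# The commands that build the bridge. The sniffing ports carry no address of
# their own; the one address lives on the bridge device so the box can be
# managed and can send mail/syslog. Keeping the plan in a function that only
# prints lets it be reviewed (and tested) before anything is applied.
bridge_setup_cmds() {
    cat <<EOF
ip link add name $BRIDGE_IF type bridge
ip link set dev $OUTSIDE_IF master $BRIDGE_IF
ip link set dev $INSIDE_IF master $BRIDGE_IF
ip addr flush dev $OUTSIDE_IF
ip addr flush dev $INSIDE_IF
ip link set dev $OUTSIDE_IF up
ip link set dev $INSIDE_IF up
ip addr add $MGMT_ADDR dev $BRIDGE_IF
ip link set dev $BRIDGE_IF up
EOF
}

# A bridge forwards at layer 2 and does not need IP forwarding. Leaving it
# off also means the box cannot be used as a router around the Cisco ACLs.
sysctl_cmds() {
    printf '%s\n' "sysctl -w net.ipv4.ip_forward=0"
}

# Snort bound to the bridge interface: -D daemonise, -i capture interface,
# -c rules/config, -l log directory, -A fast one-line alerts, -s copy alerts
# to syslog (where a mail-on-alert hook attaches).
snort_cmd() {
    printf 'snort -D -i %s -c %s -l %s -A fast -s\n' \
        "$BRIDGE_IF" "$SNORT_CONF" "$SNORT_LOG"
}

# Print the whole plan; apply it only when explicitly asked (needs root).
if [ "${1:-}" = "apply" ]; then
    { bridge_setup_cmds; sysctl_cmds; snort_cmd; } | while read -r cmd; do
        echo "+ $cmd"
        $cmd
    done
else
    bridge_setup_cmds; sysctl_cmds; snort_cmd
fi
```

    Because the bridge keeps inside and outside on one subnet, nothing else changes: the Cisco ACLs and existing port forwards keep working, hosts keep their addresses, and the sensor is invisible except for its management address (which, as #20 says, must be hardened like any DMZ host). The price is that the box is now in the data path, so if it is down, the LAN is cut off from the router. Snort here is passive: it reports what crosses the bridge and blocks nothing. If the layer-3 gateway route of #22 and #23 is taken instead, the two NICs need to be on different subnets (or proxy ARP) for forwarding to work, which is the port-forwarding complication #7 was trying to avoid.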

  #25 Drakonblayde (Senior Member):
    Well, I brought the system to work with me, downloading Red Hat ISOs now; hopefully the install plays nice. Probably won't have it working until tomorrow though, forgot to bring the second NIC to insert into the machine.
