Probably an easy question...

Thanks to this
thread, I've taken a revamped interest in network security. It's always seemed to me to be one of those things that most books and courses just don't cover very well. I picked up the Hacking Exposed 4th Ed. as suggested by that book, and it seems to be exactly what I'm looking for. When taking a defensive position, I always try to go the Art of War route and know my enemy. Theory is great, but if I don't know the tricks as well as the bad guys, I'm at a serious disadvantage, and alot of authors seem to be.... reluctant to tell you how to actually break a system, and I simply don't have time to scour the web for my own reading material or figure it out myself. So the Hacking Exposed is a nice primer that seems to focus me in exactly the direction I need to go.

Now, for my newbie question..... I'm planning on attacking my home network as a learning tool. I've always thought it was pretty secure, but I'm guessing I'm going to be enlightened on that point of view shortly. Now my question comes from the fact that, until I got hold of Hacking Exposed, I honestly had no no idea what an IDS was actually supposed to do. Now I see that it sits and sniffs packets for suspicious traffic. Ok, cool.

Now, I obviously can't afford a hardware IDS. However, I have a little box that I can run Linux on, so snort seems to be the way I'm going to have to go. My question is basically this:

Does the NIDS have to be running on the same box/device as the entry point to the network?

Right now, I'm using a hardware (Cisco) router as my interface to the outside world. I've got it locked down pretty well via ACL's, and it's got the firewall/ipsec ios subset. The problem is, as I see it, is that my network is fully switched. So if I just toss snort on a linux box sitting on the network, it's not going to see the traffic.

Now, I suppose that I could have a copy of some form of IDS software running on each host that's accessible from the outside world, but that seems to be a huge duplication of effort, and I don't see that solution scaling very well in the real world. I'd really rather not replace the cisco router with a linux box.

Anyway, basically my question boils down to, in a real world setting, where do folks deploy an IDS? What's the most effective method for catching suspicious incoming traffic?

Find more posts tagged with

Comments

Webmaster

No, it doesn't have to be on the entry point, but the NIDS should be on the same segment of the hosts for which you want to analyze traffic because its networkcard (running in promiscuous mode) has to pick up all the traffic. Unless it allows the use of sensors to listen to traffic in other segments as well.

Check out the free Security+ demo video at www.cbtnuggets.com which happens to be about IDS systems.

also learn the difference between a stateful and non-stateful firewall & IDS...

/usr

I can't vouch for how people do it in the real world. Unfortunately, I haven't been able to experience that yet.

If I had to guess, most likely an NIDS is going to be used to catch most attacks from the outside. NIDS's can be fooled easier than host based IDS's, so if I was running a business-critical server, I would deploy a host based IDS as well.

There are monitoring agents that can be deployed for NIDS's. I have never experimented with them, but you're right in that if you have two pc's communicating on a switch behind the NIDS, the NIDS will not see that traffic if it only monitors packets passed through it.

Someone else may be able to help you out more.

/usr

I stumbled across this and thought it may help you with this.

http://freescobox.justmyhost.com/

JDMurray

I attended an "anti-hacking" class at a local community college that used Hacking Exposed (http://www.hackingexposed.com/) as the text. It can be a difficult text if the instructor really don't know how to use the OSes and tools described, but I did enjoy the class.

One of the IDS tools we used was Snort (http://www.snort.org/). It's a great free IDS with lots of users and there's many of pre-created rules to get you up and running quickly. It's a very good compliemtent to an SPI firewall that has IDS features (e.g., Cisco PIX). And Snort availble for both Windows and UNIX (Linux).

Drakonblayde

Webmaster wrote:

No, it doesn't have to be on the entry point, but the NIDS should be on the same segment of the hosts for which you want to analyze traffic because its networkcard (running in promiscuous mode) has to pick up all the traffic. Unless it allows the use of sensors to listen to traffic in other segments as well.

Check out the free Security+ demo video at www.cbtnuggets.com which happens to be about IDS systems.

Well, that's going to be a problem, since my switch is microsegmenting my network. Ok, so basically if I want to sniff every packet incoming to my network, it'd have to be done on the entry point.

I wonder if it'd be possible to connect the router to a multihomed Linux box that is also connected to the switch so that the traffic has to hit the linux box before making it to the local network. I dunno if that's possible though, I dunno if I could put both nic's in the same subnet and have the *x box just pass the traffic through. I know I could just drop the network behind the linux box onto another subnet and forward the ports, but I think that'd cause issues with getting to my servers from the outside.

Drakonblayde

jdmurray wrote:

I attended an "anti-hacking" class at a local community college that used Hacking Exposed (http://www.hackingexposed.com/) as the text. It can be a difficult text if the instructor really don't know how to use the OSes and tools described, but I did enjoy the class.

One of the IDS tools we used was Snort (http://www.snort.org/). It's a great free IDS with lots of users and there's many of pre-created rules to get you up and running quickly. It's a very good compliemtent to an SPI firewall that has IDS features (e.g., Cisco PIX). And Snort availble for both Windows and UNIX (Linux).

Right, Snort is what I'm planning on using, I just don't know how to make it actually work properly on a switched network. I'd be running it on a Linux box, my issue is on where to position the IDS to make sure it actually gets a chance to sniff all the traffic incoming to the network.

JDMurray

Drakonblayde wrote:

Right, Snort is what I'm planning on using, I just don't know how to make it actually work properly on a switched network.

You'd put it on a box that is a bottleneck into your switched network. This'd be the same place you'd put a fiirewall, but the IDS machine should be outside of any firewall.

/usr

Drakon, check out that link I gave you.

You may have to down your Cisco router for a bit, but it may be worth it, as you could probably set up Snort on the machine as well.

Drakonblayde

jdmurray wrote:

Drakonblayde wrote:

Right, Snort is what I'm planning on using, I just don't know how to make it actually work properly on a switched network.

You'd put it on a box that is a bottleneck into your switched network. This'd be the same place you'd put a fiirewall, but the IDS machine should be outside of any firewall.

And that's kind of where I'm screwed. It's a cable modem connected to a Cisco router, the switch is hooked directly into the router. So the bottleneck is at my router (which is also my firewall). So I can't really put an IDS between the cable modem and the router (at least, I don't *think* I can). So my options are basically replace the router with the Linux box and let it do my firewalling and routing as well as my packet sniffing, or deploy an IDS on each host reachable from the outside so that it can sniff any suspicious traffic coming into them.

/usr

You can't setup the Linux box with two NIC's, plug one into the switch and one into the router, then set it up to merely forward EVERYTHING it sees?

Drakonblayde

/usr wrote:

Drakon, check out that link I gave you.

You may have to down your Cisco router for a bit, but it may be worth it, as you could probably set up Snort on the machine as well.

Yeah, I took a look at it, and I've done that sort of setup before... it's pretty easy to turn a Linux box into a router. But with the money I paid for my 2621, I'd rather not relegate it to a junk pile hehe

Drakonblayde

/usr wrote:

You can't setup the Linux box with two NIC's, plug one into the switch and one into the router, then set it up to merely forward EVERYTHING it sees?

See, I dunno if that's possible. If I did that, I'd have two NIC's on the same machine in the same subnet. That'd be the best possible solution, but I just don't know enough about Linux to know if it's even possible to setup a box to take traffic from one NIC and forward it out the other (I guess I want to turn my Linux box into a repeater hehe) while giving snort a chance to sniff the traffic at the same time

JDMurray

Drakonblayde wrote:

but I just don't know enough about Linux to know if it's even possible to setup a box to take traffic from one NIC and forward it out the other

This is exactly what you do. You are creating a dedicated network security appliance using a Linux box as a network gateway. All your other routers, switches, etc., stay as they are.

My very first firewall/gateway was a RedHat 6.0 box that ran masquarade and ip chains between two NICs. I had a hub on one NIC for my internal LAN and the my DSL modem in the other NIC. The only other thing this Linux box did was traffic logging and some simple IDS.

/usr

I'm sure it's possible. You would probably have a similar setup as if you were turning it into a router, but without the computation the box would perform if it were a router. If you run snort on the same machine, just pull packets from the incoming NIC and you should be fine.

However, how are you going to break into your network from the outside?

Drakonblayde

jdmurray wrote:

Drakonblayde wrote:

but I just don't know enough about Linux to know if it's even possible to setup a box to take traffic from one NIC and forward it out the other

This is exactly what you do. You are creating a dedicated network security appliance using a Linux box as a network gateway. All your other routers, switches, etc., stay as they are.

My very first firewall/gateway was a RedHat 6.0 box that ran masquarade and ip chains between two NICs. I had a hub on one NIC for my internal LAN and the my DSL modem in the other NIC. The only other thing this Linux box did was traffic logging and some simple IDS.

Ok, so I just configure both NIC's with IP's in the same subnet and turn on ipv4 forwarding? Or is it more complicated then that?

However, how are you going to break into your network from the outside?

I have alot of freetime at work

JDMurray

/usr wrote:

However, how are you going to break into your network from the outside?

I run security scans of my home network from my machine at work. You can also request security scans from some web sites that provide the service free of charge:

http://www.grc.com/
http://scan.sygate.com/
http://www.dslreports.com/scan

Drakonblayde

Well, for those playing along with the home game...

Ok, so it basically looks like I need to set my Linux box up as an ethernet bridge to make it a transparent part of the network. Just in case anyone else is interested in doing the same thing I am, here are the instructions I've found for setting Linux up as a bridge instead of a router.

Now, the fun part is going to be figuring out if I can somehow get that box to send me an email alert when snort finds something since the interfaces apparently aren't supposed to have IP Addresses

JDMurray

Actually, you are making a layer-3 gateway and not a layer-2 bridge.

Snort will send you emails as incidents are detected or as periodic reports. You can also have Snort send the reports to a syslog server and have syslog send the emails.

And each interface on the gateway will have an IP address. Only specialized NIDS that are controlled via out-of-band management (e.g., a serial port) can operate on a IP network without a layer-3 address.

Of course, the Linux gateway will need its own protection from attacks, just as any host in a DMZ should be so hardened.

Drakonblayde

jdmurray wrote:

Actually, you are making a layer-3 gateway and not a layer-2 bridge.

Snort will send you emails as incidents are detected or as periodic reports. You can also have Snort send the reports to a syslog server and have syslog send the emails.

And each interface on the gateway will have an IP address. Only specialized NIDS that are controlled via out-of-band management (e.g., a serial port) can operate on a IP network without a layer-3 address.

Of course, the Linux gateway will need its own protection from attacks, just as any host in a DMZ should be so hardened.

Hrm, apparently the new versions of the bridging software will let me assign an IP to the virtual bridge interface, basically turning it into a managed switch, which I'm a whole lot more comfortable with. If I drop the NIC's in promiscous mode and set the bridge up with it's own IP, would that work? Or does snort require an ip on the actual interfaces?

And if I set it up as a gateway, is assigning IP's to the NIC's and enabling IP forwarding enough?

JDMurray

Drakonblayde wrote:

If I drop the NIC's in promiscous mode and set the bridge up with it's own IP, would that work? Or does snort require an ip on the actual interfaces?

Hmmm...good question. I am not familer with the Linux version of Snort. I assume snort under Linux needs IP address(es) just like it does under Windows. Check in the docs on snort.org.

Drakonblayde wrote:

And if I set it up as a gateway, is assigning IP's to the NIC's and enabling IP forwarding enough?

Yes, exactly. All a gateway does is statically forward packets from one interface to another and provide some filtering in-between. This is a very common use of Linux boxes.

Drakonblayde

jdmurray wrote:

Drakonblayde wrote:

If I drop the NIC's in promiscous mode and set the bridge up with it's own IP, would that work? Or does snort require an ip on the actual interfaces?

Hmmm...good question. I am not familer with the Linux version of Snort. I assume snort under Linux needs IP address(es) just like it does under Windows. Check in the docs on snort.org.

Drakonblayde wrote:

And if I set it up as a gateway, is assigning IP's to the NIC's and enabling IP forwarding enough?

Yes, exactly. All a gateway does is statically forward packets from one interface to another and provide some filtering in-between. This is a very common use of Linux boxes.

Well hell, I'll do it that way then, alot easier than configuring a bridge hehe

JDMurray

The only part I'm not sure how to do under Linux is insert Snort between the two interfaces. There must be a HOW-TO on snort.org that explains this configuration.

When you get it all working, please post the details of your configuration here. I'm thinking about throwing together a Slackware Linux system to do the same thing.

Drakonblayde

Well I brought the system to work with me, download redhat iso's now, hopefully the install plays nice. Probably won't have it working until tomorrow though, forgot to bring the second NIC to insert into the machine

rossonieri#1

there are kind of firewall/IDS/IDP mode :
- transparent bridging : where you have 2 NIC with no IPs and the appliance will be work in sniffing/IDS mode ( just to catch what kind of traffic running in your net and trigger the alarm)
- bridging : basic 2 or more NIC with same subnet and do just the same with transparent bridging.
- routing : where 2 NIC with 2 IP probably just basic firewall with NAT/gateway mode.
- proxy arp : PAT mode.
very depend on where you get the information of setting up your IDP/IDS/FW.

and about deep inspection/stateful firewall is a term to define the capabilty of the device to work/examines traffic in what layer :
- transparent bridging/bridging work in layer 1-2
- routing in layer 3-4
- proxy arp can work in layer 4 to 7 to determine the pattern of the traffic passing the device.

lspahn

jdmurray wrote:

The only part I'm not sure how to do under Linux is insert Snort between the two interfaces. There must be a HOW-TO on snort.org that explains this configuration.
.

Im not to sure what kind of switch you are using, but if you put the port in monitor mode it should show you all the traffic associated with the network. I have some success using a Cisco 3500 and a Single Windows Box running snort with a Gigabit card to avoid bottlenecking.

Good Luck

JDMurray

Not a proper switch appliance. I was referring to using a Linux box as a network gateway and having Snort sniff the packets routed between two (or more) NICs in the box.

rossonieri#1

lspahn wrote:

Im not to sure what kind of switch you are using, but if you put the port in monitor mode it should show you all the traffic associated with the network. I have some success using a Cisco 3500 and a Single Windows Box running snort with a Gigabit card to avoid bottlenecking.

Good Luck

what cause you a bottleneck when your box only monitor traffic/sniffing mode?

i agree with jdmurray - to use 2 or more NIC in gateway mode to process the traffic instead only examine what is passing thru the net.