Re: IDS: how do you configure your firewall ( router ) to log to a different machine ?
FAQ: See http://www.ticm.com/kb/faq/idsfaq.html
IDS: See http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems.. Then email questions to ids-owner@uow.edu.au
NOTE: You MUST remove this line from reply messages as it will be filtered.
SPAM: DO NOT send unsolicted mail to this list.
USUB: email "unsubscribe ids" to majordomo@uow.edu.au
---------------------------------------------------------------------------
Gerardo,
If you have a Linux box to put at the gateway to your local
network or the resources that you wish to protect, then the following
document is quite helpful in locking down your system to prevent
intrusion problems:
http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS.wri
Depending upon the traffic, a small pentium or even a 486-50 or
66 with 16 meg ram would do as the gateway/firewall platform.
As will be suggested in much of the documentation you will read,
don't run much on the firewall machine. The fewer services that
you run, the fewer opportunities there are to breach security.
Just let this machine allow/deny packets and translate addresses
for you (i.e., do masquerading).
You will need to add two network interface cards to the machine
- one connected to the outside network, one connected to the network
with resources you wish to protect. There are "HOW-TO" documents
that cover the configuration of the cards, how to build the
Linux kernel properly, etc. These documents are also included
in all of the commercial distributions of Linux as well (i.e., on
their cdroms).
I would also recommend that you get a copy of "Building Internet
Firewalls" by Chapman and Zwicky (O'Reilly Press). It offers
a great deal of information about how firewalls are set up as well
as the firewall rules one would use to configure a given protocol.
These are expressed in a generic way that you will have to map
to the firewall software that you use. If you use the Linux/ipfwadm
solution recommended in the TrinityOS.wri link above, much of this
is already done for you (see Chapter 10 especially). Do the masquerading,
too, that is discussed.
I would also recommend that you install a copy of Tripwire
or similar software. If properly configured, with your generated checksum
file and tripwire program on a readonly medium such as a floppy disk, you
will have no problem knowing if your firewall and its configuration are
failing.
A script like the following put on your floppy with the Tripwire program
can be scheduled (added to crontab):
#!/bin/sh
#
# daily job - run tripwire from the read-only floppy, mailing results to
# gsoto (stderr is included so a failing tripwire run is reported too)
#
TIME_STAMP="Tripwire Daily - `date`"
/fd0/usr/sbin/tripwire 2>&1 | mail -s "${TIME_STAMP}" gsoto@compu-redes.net.mx
Check out the system monitoring section found at
http://www.cs.purdue.edu/coast/firewalls/ for where to get Tripwire.
Note that the above recommendations are for systems that are physically
secure. If your problem is your co-workers or others who have
access to your machine from within your location, then the above will
not be particularly helpful. You must lock your machine up physically
(or feel comfortable that no one is changing it at the console) first.
Needless to say, there are a lot of different ways to do this security
stuff. Check the purdue.edu link above for other ways, other tools.
The main thing here is to become a student of the issue. Follow the links.
See what others do. Read. In a month or two you will be reasonably able to
deal with most situations.
Good luck.
At 02:30 PM 5/23/99 +0000, you wrote:
>
>Hi this Gerardo again:
> At the time of this email I am recovering from Yet ANOTHER
>INTRUSION. Would anyone of you help me out in reconfiguring my firewall.
>Because obviously it is not working as it should.
>I would appreciate any help.
> REGARDS!!!!!On
>> ~
>> ~ Exactly.
>> ~ A better option is logging to a line printer.
>> ~ If you have a few trees to spare that is :)
>> ~
>>
>> I don't remember where I heard this being suggested: but one solution is to
>> connect another `logging' box via serial cable to your system (which
>> shouldn't be connected elsewhere), and throw all logs there via one-way
>> serial line. Thus the attacker would be able to clean up logs, if he gets
>> physical access to your logging machine. Should be cheaper than generating
>> hardcopy of all logs, right?:)
>>
>
>*******************************************************************************
>Ing. Gerardo Soto Casados
>Compu-Redes
>Labastida # 37 Esq. Tijuana
>San Martin Texmelucan Puebla
>Tel. y Fax (91248) 45-888
>e-mail: gsoto@compu-redes.net.mx
>http://www.compu-redes.net.mx
>*******************************************************************************
>
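As an added example that is not part of the original message or of Tripwire itself, the following shell script shows the idea behind the daily Tripwire job described above: a checksum baseline generated once and kept on read-only media, compared every day against the live files so that any added, removed or changed file on the firewall host is reported. The paths, the check.sh name and the use of sha256sum are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original message: a minimal Tripwire-style
# integrity check for a firewall host. make_baseline records a checksum for
# every regular file under DIR; keep that baseline (and this script) on
# read-only media, as the message suggests for the floppy. check_baseline
# recomputes the checksums and reports files that were added, removed or
# changed. Paths are hypothetical; file names containing whitespace are not
# handled by the awk comparison below.

# snapshot DIR  -- print "hash  ./relative/path" per regular file, sorted
snapshot() {
    (cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2)
}

# make_baseline DIR BASELINE  -- write the trusted snapshot to BASELINE
make_baseline() {
    snapshot "$1" > "$2"
}

# check_baseline DIR BASELINE  -- print one line per deviation from BASELINE;
# returns 0 when everything matches, 1 when any file differs
check_baseline() {
    dir=$1; baseline=$2
    current=$(mktemp) || return 2
    snapshot "$dir" > "$current"
    # The first file awk reads is the baseline (tested via FILENAME so an
    # empty baseline still works); the second is the live snapshot.
    awk 'FILENAME == ARGV[1] { base[$2] = $1; next }
         {
             seen[$2] = 1
             if (!($2 in base))       { print "ADDED   " $2; bad = 1 }
             else if (base[$2] != $1) { print "CHANGED " $2; bad = 1 }
         }
         END {
             for (f in base) if (!(f in seen)) { print "REMOVED " f; bad = 1 }
             exit bad + 0
         }' "$baseline" "$current"
    rc=$?
    rm -f "$current"
    return $rc
}

# Daily cron entry in the spirit of the gsoto job in the message, assuming the
# floppy is mounted read-only at /fd0 (hypothetical paths):
#   0 4 * * * /fd0/check.sh /etc /fd0/baseline.txt | mail -s "Integrity `date`" root
if [ $# -eq 2 ]; then
    check_baseline "$1" "$2"
fi
```

A baseline that lives on the same writable disk as the files it guards can be regenerated by whoever modified those files, which is why the message insists on the floppy.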