By James Turnbull
In the first installment of this series on setting up the open source IDS Snort on Red Hat Enterprise Linux 5, we looked at why a customer would want to use Snort and saw that Snort is among the most popular IDS tools for SMBs. In this installment, we look at what you must check before you configure the Snort sensor on a network running Red Hat Enterprise Linux 5: first and foremost, that your customer's hardware is up to the job. In the next installment, we'll look at Snort's installation prerequisites.
First, you're going to need to ensure that the hardware you are using for your sensor is sufficient to perform the required detection. IDS sensing can be memory-, processor- and disk-space-intensive, depending on the volume of traffic flowing through the sensor. For a high-volume environment, you should use a fast processor (or processors), lots of memory and enough disk space to store alerts and logs for whatever retention period your environment requires. You will also need network cards fast enough for the traffic you expect, and enough interfaces. I recommend at least two interfaces: one for sensing and another for management. You can also have Snort monitor multiple interfaces on your sensors, but I recommend keeping a dedicated management port.
Secondly, you need to deploy your Snort sensor at a point where it can see the traffic you want to monitor. The best places to deploy sensors are network choke points, such as the link between your perimeter and core network, or the links into externally facing DMZs. Traffic can be delivered to the sensor either with a SPAN session on a switch, which mirrors the traffic on one or more switch ports to the port your sensor is connected to, or with Ethernet or fibre taps, which are inserted into links and replicate the traffic on those links to your sensor.
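As an added illustration of preparing the sensing interface on the sensor side of a SPAN session or tap (this script is not from the original article and is not Snort project code): it writes an RHEL-style ifcfg file for a sensing interface with no IP address, sets promiscuous mode at boot, and then checks two things a practitioner wants to know before trusting the sensor: that the interface really carries no IPv4 address and is promiscuous, and that the mirror or tap is actually delivering packets. The interface name eth1, the script name sniff-iface.sh and the five-second sampling interval are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): prepare and verify an
# addressless, promiscuous sniffing interface on an RHEL 5 Snort sensor.
# The interface name eth1 is an assumption; pass your own as $2.

# Print an ifcfg file for a sensing interface: brought up at boot, no
# IP address, so the sensor has no presence on the monitored segment.
sniff_ifcfg() {
    printf 'DEVICE=%s\nONBOOT=yes\nBOOTPROTO=none\nUSERCTL=no\n' "$1"
}

# rc.local line: promiscuous mode is a runtime link flag, set after ifup.
sniff_rclocal() {
    printf 'ip link set dev %s promisc on\n' "$1"
}

# Read "ip addr show <dev>" output on stdin; succeed only if the link
# flags include PROMISC and there is no IPv4 ("inet ") address line.
check_sniff_iface() {
    awk '
        /<[^>]*PROMISC[^>]*>/ { promisc = 1 }
        /^[ \t]*inet /        { has_ip = 1 }
        END { exit !(promisc && !has_ip) }
    '
}

# Read "ip -s link show <dev>" output on stdin and print the RX packet
# count (second field of the line following the "RX: bytes packets" header).
rx_packets() {
    awk '/RX:/ { getline; print $2; exit }'
}

# Live check: does the SPAN session or tap deliver traffic? Compares the
# RX packet counter across a short interval (5 s is an assumption).
mirror_delivers_traffic() {
    dev=$1
    before=$(ip -s link show "$dev" | rx_packets)
    sleep 5
    after=$(ip -s link show "$dev" | rx_packets)
    [ "$after" -gt "$before" ]
}

# Only touch the live system when invoked as: sh sniff-iface.sh --live eth1
if [ "${1:-}" = "--live" ]; then
    dev=${2:-eth1}
    sniff_ifcfg "$dev" > "/etc/sysconfig/network-scripts/ifcfg-$dev"
    sniff_rclocal "$dev" >> /etc/rc.d/rc.local
    ifup "$dev" && ip link set dev "$dev" promisc on
    ip addr show "$dev" | check_sniff_iface && echo "$dev: promiscuous, no IPv4 address"
    mirror_delivers_traffic "$dev" && echo "$dev: receiving mirrored traffic"
fi
```

Run it once on the sensor after the management interface is configured; the counter comparison is the quickest way to distinguish a SPAN session that was configured on the wrong port (counter stays flat) from one that is working, and the address check catches the common mistake of leaving the sensing port reachable with an IP address of its own.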
Next, your IDS sensor itself needs to be secure. This minimizes the risk that an attacker could use the sensor to compromise your network. When you install Red Hat, carefully harden the sensor, including installing a firewall. Install only the minimum number of packages, and remove unnecessary users and services. If you intend to deploy a number of sensors, then a dedicated Kickstart build is a good approach. A variety of good hardening guides are available for Red Hat and, more generically, Linux hosts; make use of one of them. You should also make certain that you regularly update and patch your sensor so that any potential vulnerabilities are addressed.
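An added example, not from the original article, of the kind of post-build check a hardened sensor should pass before it goes into service. Each function reads the output of a standard RHEL 5 command (netstat -tuln, /etc/passwd, chkconfig --list, iptables -L INPUT -n) on stdin and reports anything outside an allow-list, so the same logic can be run against the live sensor or against saved output from a Kickstart-built image. The allow-lists (only sshd listening, only root with a login shell, a handful of boot services, a DROP policy on the INPUT chain) and the script name sensor-audit.sh are assumptions to adjust for your own build.

```shell
#!/bin/sh
# Added example (not from the original article): audit a hardened RHEL 5
# Snort sensor for listeners, accounts, boot services and firewall policy.
# Allow-lists passed as arguments are assumptions for a typical build.

# Listening sockets from "netstat -tuln" that are not in the allow-list
# of "proto:port" entries (e.g. "tcp:22"). Prints offenders, one per line.
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^(tcp|udp)6?$/ && ($6 == "LISTEN" || $1 ~ /^udp/) {
            port = $4; sub(/.*:/, "", port)        # strip address, keep port
            key = substr($1, 1, 3) ":" port        # tcp6 -> tcp, udp6 -> udp
            if (!(key in ok)) print key
        }'
}

# Accounts in /etc/passwd with a real login shell that are not allow-listed.
login_accounts() {
    awk -F: -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $7 !~ /(nologin|false|sync|shutdown|halt)$/ && !($1 in ok) { print $1 }'
}

# Services from "chkconfig --list" that start in runlevel 3 (the usual
# multi-user, no-X runlevel for a sensor) but are not allow-listed.
boot_services() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $5 == "3:on" && !($1 in ok) { print $1 }'
}

# Default policy of the INPUT chain from "iptables -L INPUT -n"
# (the header reads "Chain INPUT (policy DROP)").
input_policy() {
    awk '/^Chain INPUT/ { p = $4; sub(/\)$/, "", p); print p; exit }'
}

# Run every check against the live host; non-zero exit if anything fails.
audit_live() {
    rc=0
    out=$(netstat -tuln | unexpected_listeners "tcp:22")
    [ -z "$out" ] || { echo "unexpected listeners: $out"; rc=1; }
    out=$(login_accounts "root" < /etc/passwd)
    [ -z "$out" ] || { echo "extra login accounts: $out"; rc=1; }
    out=$(chkconfig --list | boot_services "sshd iptables crond syslog network")
    [ -z "$out" ] || { echo "extra boot services: $out"; rc=1; }
    [ "$(iptables -L INPUT -n | input_policy)" = "DROP" ] || { echo "INPUT policy is not DROP"; rc=1; }
    return $rc
}

# Only query the live system when invoked as: sh sensor-audit.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_live
fi
```

Because the checks are allow-list based rather than block-list based, a new service or account that slips into the image shows up as a failure rather than being silently tolerated, which is what you want on a host that sits on a monitored segment.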
Intrusion detection with Snort on Red Hat Enterprise Linux 5 (series contents):
Introduction to network intrusion detection and prevention using Snort
Snort hardware and network setup requirements
Snort's installation prerequisites
Compiling Snort and configuration with MySQL
Configuring Snort and setting up rules
Editing the snort.conf file
About the author
James Turnbull works for the National Australia Bank as a Security Architect. He is also the author of Hardening Linux, which focuses on hardening Linux hosts including the base operating system, file systems, firewalling, connections, logging, testing your security and securing a number of common applications including e-mail, FTP and DNS. He is an experienced infrastructure architect with a background in Linux/Unix, AS/400, Windows, and storage systems. He has been involved in security consulting, infrastructure security design, SLA and service definition and has an abiding interest in security metrics and measurement.
This was first published in July 2007