Building a cheap, powerful intrusion-detection system
- — 28 September, 2007 14:06
Network-based intrusion-detection systems (IDS) are an integral component of a layered IT security strategy. As October is National Cyber Awareness Month, if your overall security system doesn't include network-based intrusion detection, now is an excellent time to consider implementing an IDS package.
Commercial network-based IDS can often be quite expensive. On the other hand, there is the common perception that implementing an open-source IDS is complicated. Recently, I had the opportunity to install an open-source IDS and found the opposite to be true. You can easily build a powerful open source-based IDS in less than a day, as I did.
The object of this article isn't to provide a step-by-step instruction for installing and managing an open-source IDS, because there are plenty of resources available for that. Rather, it's intended to lay the foundation for such. If you have ever considered implementing an open-source IDS but felt lost when researching how to do so, this article is for you.
Snort and BASE
Two packages necessary for creating an effective open-source database are Snort and BASE (Basic Analysis Security Engine). Snort was originally created in 1998 by Martin Roesch as an open-source alternative to commercial IDS packages. BASE is built on the work of the defunct Analysis Console for Intrusion Databases (ACID) project.
As with many open-source applications, Snort is available as source code or as a binary install package for Linux or Windows. BASE, on the other hand, is operating system-independent. Therefore, both may be set up on either a Linux or Windows machine, with a similar amount of effort.
The goal of this article is to demonstrate the ease in creating an IDS using older computers and therefore focuses on building a Snort IDS on a Linux system, but the methods for installing on a Windows system are very similar. Because of how far Linux distributions have progressed, if you have installed Windows, you can install Snort on Linux with little difficulty.
Preparing the system
Deciding on placement of the IDS within the network is critical. The IDS machine must connect to a port that can see all traffic between the LAN and the Internet. This means either connecting to a mirrored switch port or a hub located between the Internet connection and the LAN. If a firewall and only one IDS sensor is used, the sensor should be placed between the firewall and the LAN, for reasons that will be discussed later.
Choosing the type of machine to use is dependent on the environment and the data desired. A Snort IDS setup can involve one or several independent machines, or many that report to a central database server. The faster the connection being monitored and the level of logging dictate the machine capabilities.