Originally Posted by ninjaz
How would I go about setting up an IP bridge? Would I just set up eth0 for DHCP coming from my ISP and then set eth1 with a statically set IP? After that I'm not sure on what to do. Would I be double NAT'ing? I know about setting up Snort/BASE, that was the easy part :-)
i don't really know a lot about bridges... in fact, after having gone over some docs just now, i'm having doubts about whether it would work as a first hop from the Internet, since they work with hardware addresses (not IP) and packets coming from the Internet don't have that... so it sounds like it might indeed have to go behind the router anyways... here's a couple links:
with a bridge you wouldn't be double-NATing... the packets coming out of one side of the bridge would be exactly the same as the ones going in unless you decide to change them somehow... as you can imagine, this is one reason why bridges are good for sniffing traffic... another reason is the plug-and-play factor of course...
OTOH, by using the linux box as a NAT/IDS behind your Cisco (or vice-versa), then that *would* be double-NATing (nothing particularly wrong with that BTW)...
i am obviously no expert, but i think one of these two options might be your best bet (considering you want to use both your Linux and your Cisco):
1- BRIDGE: Cisco NAT with Linux Bridge/IDS behind it (LAN side).
2- DOUBLE-NAT: Linux NAT/IDS (First hop from WAN) and Cisco NAT (Second hop from WAN).
i kinda like #2 cuz it lets you inspect the traffic before handing it over to the Cisco... this would allow you to do more thorough analysis of intrusion attempts IMHO...
PS: another thing you could do is use only the Linux box for NAT/IDS, which would allow you to use the Cisco router somewhere else... then again, this might not be an option for you...
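The bridge layout from option 1 above, sketched as an added example that is not part of the original posts: the Linux box joins its two NICs into a bridge with no IP addresses on the ports, so frames pass through unmodified and nothing is NATed a second time. The interface roles (eth0 toward the Cisco's LAN port, eth1 toward the LAN switch) and the bridge name br0 are assumptions.

```shell
#!/bin/sh
# Added example: transparent bridge for an inline IDS box placed on the
# LAN side of the NAT router. Assumed names: eth0 (toward the router),
# eth1 (toward the LAN switch), br0 (the bridge device).

# Print the iproute2 commands for the bridge, one per line, without
# running them. Arguments: uplink NIC, LAN NIC, bridge name.
bridge_plan() {
    uplink=${1:-eth0}
    lan=${2:-eth1}
    bridge=${3:-br0}

    echo "ip link add name $bridge type bridge"
    for nic in "$uplink" "$lan"; do
        # Bridge ports carry no IP address of their own: forwarding is
        # done on MAC addresses, so packets leave exactly as they came in.
        echo "ip addr flush dev $nic"
        echo "ip link set dev $nic master $bridge"
        echo "ip link set dev $nic up"
    done
    echo "ip link set dev $bridge up"
}

# "apply" runs the plan (needs root; stops at the first failing command,
# for instance if the bridge already exists). Anything else only prints it.
if [ "${1:-}" = "apply" ]; then
    shift
    bridge_plan "$@" | sh -ex
else
    bridge_plan "$@"
fi
```

Once the bridge is up, the IDS sensor listens on br0 and sees traffic crossing in both directions; the bridge itself gets no address unless you want one for management.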