LinuxQuestions.org


ahmedkamel1355 11-27-2010 04:56 AM

Question on a security package on linux
 
Hi everyone,
I want to implement a new firewall and detection system on my network, composed of some 200 computers, as follows: the firewall would be a Linux box with router, L7 iptables and also Snort as the IDPS system. These are my questions:
1. Is there any security consideration regarding putting all of these packages on the same server? That is to say, should I inevitably put the IDPS and FW on two different Linux boxes, or can they all be put together on one Linux box?
2. Is there any package that contains L7 iptables with Snort or any other equally strong IDPS using a GUI environment for manipulation and configuration?
3. Is there any other package at all that might have the same functionality, i.e., L7 filter and an IDPS with a graphical user interface?
Also, I have a question on Snort: Is it possible to have control over the size of uploaded files, and not only TCP packets, from my internal network to the internet by L7 filter or Snort or any other software? If this can be done, then I will be able to prevent leakage of data from my internal network by malware to malicious servers.
Thanks.

Noway2 11-27-2010 06:42 AM

These are excellent questions. In short, Snort can be resource intensive, and for 200+ machines that can be a lot of traffic. You may need a moderately powered machine for this. My experience with it has been on a much smaller scale, so I can't give you a first-hand take on the requirements.

I read an article, here, that discusses the advantages of putting Snort on a machine with a 'hidden' NIC. The NIC does not get configured with an IP address, etc., which works fine since it is purely a sniffing device that is in promiscuous mode. By making it a non-configured interface, it is harder for an intruder to attack it, unless they get at the machine running Snort. A really good way to do this is to create a span port on your switch that monitors the traffic, both up and downstream, on the other ports.

Aside from the above, where it could be advantageous to have the Snort machine running in stealth, I can't see any reason to not put the firewall and Snort on the same machine. You will want to put Snort behind your firewall, if at all possible, which will reduce the traffic and show you what is making it through the firewall rather than all of the traffic.

As far as an interface, there are several web GUI applications for the firewall. Similarly, there is a PHP application called BASE for Snort. I am not aware of a native GUI application for these, as quite often these will be run on a server that does not have a GUI. The basic command line interface for these is not complicated and is the only way to go to really unleash the power of these applications.
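
The 'hidden' sniffing NIC described in the reply above, as an added example that is not part of the original thread: a check that a sensor interface is up, promiscuous, not answering ARP and carries no IPv4 or IPv6 address. The interface name `eth1`, the function name `audit_sniff_iface` and the sample `ip` output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a dedicated sniffing interface for "stealth" setup.
# Input is the text of `ip -o link show dev IFACE` and
# `ip -o addr show dev IFACE`, so the check can also run on saved output.

# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_sniff_iface() {
    link=$1; addrs=$2; rc=0
    # Flags are the comma-separated list between < and > on the link line.
    flags=$(printf '%s\n' "$link" | sed -n 's/^[^<]*<\([^>]*\)>.*/\1/p')
    for want in UP PROMISC NOARP; do
        case ",$flags," in
            *",$want,"*) ;;
            *) echo "missing link flag: $want"; rc=1 ;;
        esac
    done
    # Any inet or inet6 address makes the sensor reachable. Linux adds an
    # fe80:: link-local address on link-up unless IPv6 is disabled on the NIC.
    found=$(printf '%s\n' "$addrs" |
        awk '$3 == "inet" || $3 == "inet6" { print "address present: " $3 " " $4 }')
    if [ -n "$found" ]; then
        printf '%s\n' "$found"; rc=1
    fi
    return $rc
}

# Constructed sample output (eth1 and all addresses are made up).
GOOD_LINK='3: eth1: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP'
GOOD_ADDR=''
BAD_LINK='3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP'
BAD_ADDR='3: eth1    inet6 fe80::5054:ff:fe12:3456/64 scope link'

# Typical setup the audit expects (run as root on the sensor):
#   sysctl -w net.ipv6.conf.eth1.disable_ipv6=1
#   ip addr flush dev eth1
#   ip link set dev eth1 arp off promisc on up

audit_sniff_iface "$GOOD_LINK" "$GOOD_ADDR" && echo "eth1 (good sample): clean"
audit_sniff_iface "$BAD_LINK" "$BAD_ADDR" || echo "eth1 (bad sample): findings above"
```

The `PROMISC` flag in `ip link` output appears only when promiscuous mode is set administratively; a sniffer that enables it itself through a packet socket does not make the flag show up there.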


All times are GMT -5.