LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 11-27-2010, 03:56 AM   #1
ahmedkamel1355
LQ Newbie
 
Registered: Nov 2010
Posts: 4
Question on a security package on linux


Hi everyone,
I want to implement a new firewall and detection system on my network, composed of some 200 computers, as follows: the firewall would be a Linux box with a router, L7 iptables and also Snort as the IDPS system. These are my questions:
1. Is there any security consideration regarding putting all of these packages on the same server? That is to say, should I inevitably put the IDPS and FW on two different Linux boxes, or can they all be put together on one Linux box?
2. Is there any package that contains L7 iptables with Snort, or any other equally strong IDPS, using a GUI environment for manipulation and configuration?
3. Is there any other package at all that might have the same functionality, i.e., L7 filter and an IDPS with a graphical user interface?
Also I have a question on Snort: is it possible to have control on the size of uploaded files, and not only TCP packets, from my internal network to the Internet by L7 filter or Snort or any other software? If this can be done, then I will be able to prevent leakage of data from my internal network by malware to malicious servers.
Thanks.
 
Old 11-27-2010, 05:42 AM   #2
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,120
These are excellent questions. In short, Snort can be resource intensive and for 200+ machines that can be a lot of traffic. You may need a moderately powered machine for this. My experience with it has been on a much smaller scale, so I can't give you a first hand take on the requirements.

I read an article, here, that discusses the advantages of putting Snort on a machine with a 'hidden' NIC. The NIC does not get configured with an IP address, etc., which works fine since it is purely a sniffing device that is in promiscuous mode. By making it a non-configured interface, it is harder for an intruder to attack it, unless they get at the machine running Snort. A really good way to do this is to create a span port on your switch that monitors the traffic, but up and down stream on the other ports.

Aside from the above, where it could be advantageous to have the Snort machine running in stealth, I can't see any reason not to put the firewall and Snort on the same machine. You will want to put Snort behind your firewall, if at all possible, which will reduce the traffic and show you what is making it through the firewall rather than all of the traffic.

As far as an interface, there are several web GUI applications for the firewall. Similarly, there is a PHP application called BASE for Snort. I am not aware of a native GUI application for these, as quite often these will be run on a server that does not have a GUI. The basic command line interface for these is not complicated and is the only way to go to really unleash the power of these applications.
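Added example, not from the thread or from either poster: a POSIX shell script that sets up a sensor NIC the way the reply above describes (interface up and promiscuous, no IP address, and additionally no ARP and no IPv6 so the port never transmits anything that would reveal the sensor), then prints the Snort command line that listens only on that port. The interface name `eth1`, the `DRY_RUN` variable, and the Snort config and log paths are assumptions; with `DRY_RUN=1` (the default) the script only prints what it would run, so it can be reviewed before being executed as root.

```shell
#!/bin/sh
# Added example: turn one NIC into a passive Snort sensor port attached to a
# switch span/mirror port. Interface name, DRY_RUN and Snort paths are assumptions.
set -eu

: "${DRY_RUN:=1}"   # 1 = print commands only; 0 = execute them (requires root)

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Emit (or execute) the commands that make IFACE a silent, address-less sniffer.
stealth_iface() {
    iface="$1"
    run ip addr flush dev "$iface"            # remove any configured IPv4/IPv6 address
    run ip link set dev "$iface" arp off      # never answer ARP on the sensor port
    run ip link set dev "$iface" promisc on   # accept every frame the span port mirrors
    run ip link set dev "$iface" up
    # Without this the kernel auto-assigns a link-local IPv6 address and sends
    # router solicitations, which would give the "hidden" NIC away on the wire.
    run sysctl -w "net.ipv6.conf.$iface.disable_ipv6=1"
}

# Snort started as a daemon, bound to the sensor port only (paths are assumed).
snort_cmd() {
    iface="$1"
    printf 'snort -D -i %s -c /etc/snort/snort.conf -l /var/log/snort\n' "$iface"
}

# Post-check to run on the real box: succeeds only if the sensor port carries no address.
iface_has_no_ip() {
    iface="$1"
    [ -z "$(ip -o addr show dev "$iface" 2>/dev/null | grep -E 'inet6? ')" ]
}

stealth_iface "${1:-eth1}"
snort_cmd "${1:-eth1}"
```

Run it as `sh stealth-sensor.sh eth1` to review the commands, then `DRY_RUN=0 sh stealth-sensor.sh eth1` as root; `iface_has_no_ip eth1` afterwards confirms the port is address-less. Note that this is the sensor side only: the firewall and forwarding rules on the box are unaffected, and if Snort shares the machine with the firewall the span port should mirror the inside (post-firewall) segment, as the reply suggests.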