Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I posted a thread on this topic... but I could not get a satisfactory answer, and the discussion got routed to the wrong side.
So again I am asking some of the questions which make me worry... This time I am going to be more lucid and simple.
(1) Why is an IPS needed if a firewall is already there to prevent attacks?
Some may say that the firewall doesn't check above the transport layer, which the IPS does.
But today's firewalls are much more sophisticated and they check up to the 7th and last layer, the application layer. This is called Deep Packet Investigation.
So why is there a need to deploy a firewall???
This is my most annoying question.
Humbly saying, I will ask more questions only when I get satisfactory answers, because the discussion gets diverted when there are too many questions.
The role of an IPS in a network is often confused with access control and application-layer firewalls. There are some notable differences in these technologies. While all share similarities, how they approach network or system security is fundamentally different.
An IPS is typically designed to operate completely invisibly on a network. IPS products do not typically claim an IP address on the protected network but may respond directly to any traffic in a variety of ways. (Common IPS responses include dropping packets, resetting connections, generating alerts, and even quarantining intruders.) While some IPS products have the ability to implement firewall rules, this is often a mere convenience and not a core function of the product. Moreover, IPS technology offers deeper insight into network operations, providing information on overly active hosts, bad logons, inappropriate content and many other network and application layer functions.
Application firewalls are a very different type of technology. An application firewall uses proxies to perform firewall access control for network and application-layer traffic. Some application-layer firewalls have the ability to do some IPS-like functions, such as enforcing RFC specifications on network traffic. Also, some application-layer firewalls have integrated IPS-style signatures into their products to provide real-time analysis and blocking of traffic. Application firewalls do have IP addresses on their ports and are directly addressable. Moreover, they use full proxy features to decode and reassemble packets. Not all IPSs perform full proxy-like processing. Also, application-layer firewalls tend to focus on firewall capabilities, with IPS capabilities as an add-on. While there are numerous similarities between the two technologies, they are not identical and are not interchangeable.
Thanks sundialsvcs, I want to ask my next question now.
(2) If I am deploying both a firewall (by iptables) and an IPS (by Snort), then where should I deploy them? I mean, whether I put the IPS before the firewall or after the firewall?
I'd put the FW at the perimeter and the IPS after the firewall. That way the load is scaled and the IPS can focus more on the internal application threats, which is probably the bigger worry (IMO). If you put the IPS before the FW or in place of the FW, you'll have to worry about whether the IPS will be overloaded (I've seen it happen).
What IPS are you considering (vendor-wise)? What FWs are you asking about? What are you looking to block/route? How big is the network you're looking to protect? What content are you looking to protect?
Regarding your initial comments, the reason the answers were detailed and possibly confused you is because there is no simple answer. The answers will usually involve details. I'd rather have too much info on security than not enough. You can always pick what answers are pertinent to your needs and work with what you think are the best answers.
But I am using Windows and Debian as virtual OSes... I have configured a virtual IP 192.168.1.9 in it.
And I have blocked the packets coming to my virtual Debian by:
sudo iptables -A INPUT -i eth0 -j DROP
sudo iptables -A OUTPUT -o eth0 -j DROP
and then I started Snort by:
sudo snort -i eth0 -dv
But I got packet impressions on the console... which means that the IPS is capturing packets before they reach the firewall.
So by default the IPS is before the FW???
I'd assumed that the FW and IDS were dedicated machines. I believe that it's going to be difficult (if not impossible) to split FW and IPS duties from one shared machine, unless you build a virtual machine onto the virtual machine.
I ran into the same issue with Linode. They are my vhost. I run apache and have iptables and snort running on that server. Linode uses UML to provide hosting services. Part of my issue is that the FW and snort have to run on the same interfaces. If you could get dedicated interfaces for routing traffic, you could also dedicate an interface for sniffing/blocking. Unfortunately, Linode only offers one dedicated interface. They do offer IPs, but they alias those IPs to the dedicated interface.
I'm thinking your hosting provider may be the same way. The only way around this (and I may be wrong) is to purchase another account or run another virtual instance.
Quote:
I posted a thread on this topic... but I could not get a satisfactory answer, and the discussion got routed to the wrong side.
One of the reasons for that is that you do not seem to know the terminology well enough so that others understand the question that you ask in the way that you apparently want them to.
Quote:
(2) If I am deploying both a firewall (by iptables) and an IPS (by Snort), then where should I deploy them?
Firstly note that Snort is better known as an IDS than an IPS; although there is one mode in which Snort can act as an IPS, this is not, traditionally, the mode in which it has been most used.
So, assuming that we are talking about the right mode of Snort, note
Quote:
It receives packets sent from the Netfilter firewall
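The experiment earlier in the thread (INPUT/OUTPUT DROP plus `snort -i eth0 -dv`) and the inline mode quoted just above are the two different ways Snort can sit next to Netfilter on the same host. The script below is an added example, not code from any post in this thread; it assumes the interface name `eth0` from the thread, a hypothetical NFQUEUE number `0`, the Debian default config path `/etc/snort/snort.conf`, and a throwaway example port `23` for the explicit DROP rule.

```shell
#!/bin/sh
# Added example (not from the thread): Snort relative to an iptables firewall
# on one Debian host.
#   * passive sniffing ("snort -dv"): Snort reads a packet socket, which taps
#     frames before the INPUT chain runs, so INPUT DROP rules do not hide them.
#   * inline IPS ("snort -Q --daq nfq"): packets reach Snort only through an
#     NFQUEUE target, so the firewall decides what Snort sees and Snort's
#     per-packet verdict (accept/drop) goes back to the kernel.
# DRY_RUN=1 (default) prints the commands instead of running them, so the
# script can be read and tested without root or a real interface.
DRY_RUN="${DRY_RUN:-1}"
IFACE="${IFACE:-eth0}"    # interface name used in the thread
QUEUE="${QUEUE:-0}"       # NFQUEUE number (assumption: any free number works)
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"   # assumed Debian path

run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Case 1: what the thread's experiment actually did. The DROP rules stop the
# host from answering, but a sniffer on eth0 still logs every inbound frame,
# which is why packets showed up on the console.
passive_sniffer() {
  run iptables -A INPUT  -i "$IFACE" -j DROP
  run iptables -A OUTPUT -o "$IFACE" -j DROP
  run snort -i "$IFACE" -dv
}

# Case 2: Snort "after" the firewall. Anything the INPUT chain drops first
# (here an example port, an assumption) never reaches the IPS; the rest is
# queued to Snort, which returns accept/drop for each packet.
inline_ips() {
  run iptables -A INPUT -i "$IFACE" -p tcp --dport 23 -j DROP
  run iptables -A INPUT -i "$IFACE" -j NFQUEUE --queue-num "$QUEUE"
  run snort -Q --daq nfq --daq-var queue="$QUEUE" -c "$SNORT_CONF"
}

# Dry-run check helper: how many rules hand packets to Snort's queue.
queued_rule_count() {
  inline_ips | grep -c 'NFQUEUE'
}
```

Run with `DRY_RUN=1` first and compare the two command lists; only the inline form gives iptables a say in what Snort sees.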
He wants Snort's IPS functionality, which would make it an IPS (Sourcefire actually markets their IPS solution as an official IPS), but to argue this would risk confusing him and taking the thread on a tangent.
I think that the original OP is confusing the host firewall with the perimeter firewall, and even putting snort inside the host instead of between the firewall and the LAN switch.
I am talking about a perimeter firewall, especially concerning a UTM machine. I mean, suppose that I have my private network and I am using a UTM (Unified Threat Module) machine which contains a firewall with a Deep Packet Investigation feature and an IPS too, and a lot of other tools like a proxy server, anti-virus, anti-spyware etc.