IDS/IPS LAN Layout Advice

Soldato | Joined: 7 Apr 2004 | Posts: 4,212
Hi,

Thought I would put this here rather than networking. I need to have a play around with Snort and learn the basics of it, but I'm not sure how it would be best implemented on my LAN, or if it's even at all possible given my setup.

Current setup is (apologies for lame diagram):
[diagram: lanet5.jpg]


Now the lower nodes 1, 2, 3 are not my machines (student house :p) so I can't filter them through an IDS.

However, is it possible for me to make a virtual host coming off the second switch which will run Snort so it will filter nodes 4 and 5? I'm not sure if this is even possible. I assume I would have to set a squid proxy up on it or something and channel all traffic to and from the router through it?

Secondly, if this isn't possible, how is Snort usually implemented in a LAN? Does it go router (inc. modem) -> IDS -> nodes, so the IDS box kind of acts as a secondary router?

Thanks for any advice,
Jack
 
If that router/switch/modem is moddable, e.g. a Linksys WRT54GL, then you can put Snort directly on it and have IDS coverage for the entire network.

You can replace the second switch with a router and put Snort on that.

You can have any of nodes 4, 5, 6 intercept the traffic and filter it. But what if you have node 6 as the filter and someone tries to send traffic directly to node 4 or 5? The switch will just let it through. Unless you set up firewalls on nodes 4 and 5 to only accept traffic from node 6?

You don't need a squid proxy; iptables can handle all the routing.
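As an added illustration of the two placements the reply describes (this is not code from the thread): node 6 as a two-NIC Linux box between the second switch and nodes 4/5, forwarding their traffic through Snort's NFQUEUE DAQ with iptables, plus a host firewall on nodes 4 and 5 that accepts only traffic from node 6. Interface names and addresses are constructed; the DRY_RUN switch prints the rules instead of applying them so the set can be reviewed without root.

```shell
#!/bin/sh
# Inline IDS placement for nodes 4 and 5. Node 6 sits between the second
# switch and the protected nodes; all names/addresses are constructed examples.
UPLINK_IF="${UPLINK_IF:-eth0}"              # toward the router / first switch
LAN_IF="${LAN_IF:-eth1}"                    # toward nodes 4 and 5
PROTECTED_NET="${PROTECTED_NET:-192.168.2.0/24}"
SENSOR_IP="${SENSOR_IP:-192.168.2.1}"       # node 6's address on the LAN side

# run: print the command when DRY_RUN is set, otherwise execute it (as root).
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Node 6 (sensor/router). Forwarded packets are handed to queue 0, where an
# inline Snort (snort -Q --daq nfq) gives the verdict. Nothing else is forwarded,
# so hosts upstream cannot open new connections to nodes 4/5 around the sensor.
# --queue-bypass fails open if Snort is not running; drop it to fail closed.
sensor_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED \
        -j NFQUEUE --queue-num 0 --queue-bypass
    run iptables -A FORWARD -i "$LAN_IF" -o "$UPLINK_IF" -s "$PROTECTED_NET" \
        -j NFQUEUE --queue-num 0 --queue-bypass
    run iptables -t nat -A POSTROUTING -o "$UPLINK_IF" -s "$PROTECTED_NET" -j MASQUERADE
}

# Nodes 4 and 5. Replies to their own connections come back through node 6 and
# match ESTABLISHED; new inbound traffic is accepted only from node 6 itself,
# and anything else is logged so bypass attempts show up in syslog.
host_rules() {
    run iptables -P INPUT DROP
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -s "$SENSOR_IP" -j ACCEPT
    run iptables -A INPUT -j LOG --log-prefix "BYPASS-IDS: "
}

case "${1:-}" in
    sensor) sensor_rules ;;
    host)   host_rules ;;
    *) echo "usage: DRY_RUN=1 $0 sensor|host   (unset DRY_RUN to apply as root)" ;;
esac
```

Traffic between nodes 4 and 5 themselves still crosses the switch behind node 6 and is never seen by Snort; only what passes the sensor is inspected.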
 