Network Intrusion Detection: Best of Breed Protection with SNORT

Implementing Snort

Snort can be readily implemented with the help of a special Linux distribution named Sentinix (http://www.sentinix.org). Wait a minute, you ask, Linux? Isn't that complicated? All my systems are Microsoft! The short answer: yes. Snort should indeed be implemented using Linux. The Sentinix distribution makes this an easy and painless process, much easier than configuring a Windows server and installing Snort. Snort sensors should be viewed as appliances (like a router or a UPS) and, as such, do not need to integrate with your server infrastructure. In fact, you probably have other network appliances running on some version of Linux. One last consideration: if your intrusion detection system is on the same platform as the rest of your systems, it may become compromised along with your other systems in the event of a successful intrusion.

About Sentinix

Sentinix is a special-purpose distribution of Linux that contains a preconfigured environment for running Snort. In addition to Snort itself, Sentinix includes:

- SnortCenter management console
- ACID intrusion analysis and reporting system
- Supporting applications: Apache, PHP, Perl, Python, and MySQL
- E-mail tools: Postfix, MailScanner, SpamAssassin
- Other tools: Nessus, Nagios, Nagat, Cacti, RRDtool
- And more

For small installations, a single computer can monitor the network and house the management applications (SnortCenter and ACID). In larger deployments, you will probably want to separate these functions. One computer can perform the management functions while other computers act as sensors. Figure 1 shows a typical arrangement of sensors within a medium-sized network. Sentinix is designed to provide a secure, lightweight environment and, therefore, runs only a minimal set of normal Linux services. Memory-intensive services such as X-windows and other unnecessary services such as BIND (DNS server), DHCP server, etc., are not included with Sentinix. For additional information, go to http://www.sentinix.org.
Figure 1 - Placement of Snort Sensors

Hardware Requirements

The hardware requirements for Sentinix are minimal. A sensor can easily run on a 1GHz machine with 256MB RAM and a 4GB hard disk. As with any system, more is better. A machine that is housing the management applications will do better with 512MB RAM and a hard disk that can accommodate the amount of log data that you wish to keep online.

Downloading Sentinix

Sentinix is supplied as an ISO image that can be burned to a CD-ROM. The current version of Sentinix is 0.70.5 and can be downloaded from one of the mirrors listed at http://www.sentinix.org/downloads.shtml. The file you want to download is named sentinix-0.70.5.iso. Once the file has been downloaded, burn the image to a CD-ROM. Note that you must write the ISO image to a CD-ROM, not simply copy the ISO file to a CD-ROM. Most CD burning programs have a command called "Burn Image" or something similar that will accomplish this.

Installing Sentinix

Installing Sentinix is a straightforward process. Use the following steps and screenshots as a guideline. It is possible that the procedure will deviate slightly based on your unique situation.

Note: These instructions are adapted from the Sentinix Installation Guide.

1. Prepare a host machine for Sentinix.
2. Go into the BIOS and set the clock to the current GMT time.
3. Insert the newly created SENTINIX CD in the CD-ROM drive and boot up. Make sure that the BIOS boots from the CD-ROM!
4. At the boot prompt, type plain and press Enter.
5. Once the system has booted from the CD-ROM, type install and press Enter.
6. The keyboard map defaults to U.S. You may choose a different map at this point if necessary; otherwise, skip to the next step.
7. Use the arrow keys to highlight "Start the Installation Process" and press Enter.
8. Partition your hard disks by choosing the appropriate disk and pressing Enter. If no partition table exists on this disk, you may see the following screen.
9. If this screen is displayed, type y and press Enter to start with a blank table.
10. If your hard disk has existing partitions, it is recommended that you delete all of the existing partitions: use the arrow keys to highlight each existing partition and press D to delete it.
11. You will need two partitions, at a minimum, to get started. One partition will be a Linux partition and the other will be a Linux Swap partition.
   - Highlight the "Free Space" line and press N for New. Choose "Primary" (or "Logical," which works fine too).
   - Make it at least 2GB (type "2000" in the field). You need at least 100MB of free space to create the swap partition later. Choose "Beginning."
   - Press T to select the partition type (if it isn't already of type "Linux"). Type 83 in the "Enter filesystem type:" field.
   - Move the focus to "Free Space" and press N again. Choose "Primary." Make it at least 512MB (type "512" in the field).
   - Press T. In the "Enter filesystem type:" field, type "82" (for Linux Swap).
   - Move the focus back to the first "Linux" partition and press B to mark it "bootable." Your screen should look like the above screenshot.
   - Press W and type "yes" to write the partition table. Press Q to quit.
12. Choose "Continue to next step" when you are done partitioning.
13. Choose the partitions that should be formatted and which file system to use. EXT3 is recommended on all partitions. Choose "Format partitions" to start.
14. When formatting is complete, press any key to return to the previous screen.
15. Choose "Done, go to next step."
16. You must now set the mount point for your newly formatted volume(s). At least one partition must be mounted to / (the root partition). Highlight the desired partition and press Enter.
17. Type the desired mount point for this partition. This example shows the setting for the root partition ( / ). Press Enter.
18. Choose "Install SENTINIX" to start the installation. This might take anywhere from 5 minutes to 30 minutes depending on hardware.
19. If all went well, you should now see a menu titled "SENTINIX Setup Utility." The keyboard map defaults to U.S. If you would like to change the default setting, you may do so at this time. The time zone defaults to GMT. Since we previously set the BIOS clock to GMT time, it is not necessary to change the time zone.
20. Use the down arrow key to move to line 3, "Configure LILO," and press Enter.
21. LILO is the boot loader for Linux. The defaults should be fine for most installations. The only exception of which I am aware is older Compaq hardware that had a System Partition. If you are using a machine of this type, you will want to set the boot target to /dev/hda1 (or /dev/sda1, as shown above, for SCSI hardware).
22. Scroll down to "OK, install LILO" and press Enter.
23. LILO is now installed. Press any key to return to the menu and select 4 to probe for network devices.
24. Press Enter to probe for Ethernet hardware.
25. Once an appropriate driver (or drivers) is found, it will be loaded and the following screen will appear.
26. Note that the detected card(s) are already selected.
27. Scroll down to "Exit and Save" and press Enter to go back to the menu. You may skip option 5, as the correct modules will already be selected. Choose option 6 to set your network parameters.
28. Beginning with option 1, choose each option and provide the appropriate information. It is not necessary to provide two name servers, although it is a good idea. After setting the name server(s), proceed to the lower section of the screen and set the IP addresses and netmasks for each Ethernet adapter.
29. Choose "Save and Exit" to return to the menu. Choose option 7 to set up network services.
30. Snort will be unchecked. Highlight this line and press the space bar to select Snort. If you wish, you can also add Nessus Security Scanner and NTP daemon.
31. Choose "OK, I'm done" to return to the main menu.
32. By default, the root password is set to sentinix. You may use option 8 to reset your root password.
33. Select Quit to exit the setup program and return to the installation program.
34. Select "Reboot the system" and press Enter. The CD should be ejected. If the CD does not eject, remove it before the machine begins booting.

Congratulations! You have just completed the installation of your first Snort IDS. If you need to reconfigure your system at any time, log in as root and type "setup."

Getting Started With Snort

If all went well, your Snort system is up and running, already detecting errant probes, port scans and worm propagation traffic. To see the status of your Snort sensor(s), fire up a Web browser and point it to your machine's IP address. Click on the SnortCenter link at the top of the screen and log in with the following credentials.

Username: admin
Password: change

SnortCenter displays a list of all of your sensors along with their status. From SnortCenter, you can start, stop and reconfigure your sensors. Figure 2 shows a typical SnortCenter console. If your sensor is highlighted yellow, click on the Start link to start the sensor. Alert data is accessible via the Analysis Console for Intrusion Databases (ACID), which is integrated into SnortCenter. Click on Alert Console to go to the ACID summary page (shown in Figure 3). Detailed alert information is available via the Snapshots drop-down menu. Figure 4 shows a typical page of sensor detail.
Figure 2 - SnortCenter Console

Figure 3 - ACID Summary Page
Figure 4 - Sensor Detail Snapshot

Continuing On

Sentinix provides a convenient platform to get a Snort IDS up and running. It is important to remember, however, that an IDS is not a set-and-forget system. IDSs must be kept up to date and monitored. In fact, one of the first things you should do if you decide to make Snort part of your security solution is update to the latest versions of Snort and Snort's signatures. Initially, there will be a large number of nuisance alerts. Careful tuning of rules will help reduce the amount of noise while maintaining the overall integrity of the IDS.

Other Resources

A number of resources are available to help you create an industrial-strength Snort setup that is customized for your particular business.

- Snort 2.1 Intrusion Detection, an excellent text and reference published by Syngress.
- www.snort.org for the latest software, documentation and other resources.
- Snort GUI for Lamers (SGUIL), an alternative configuration interface.
- Barnyard, alert post-processing for larger installations.
- Sourcefire, commercial support.
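Tuning starts with knowing which rules are producing the noise. The script below is an added example, not code from Sentinix, Snort or the original article: it parses Snort's one-line alert_fast log format and ranks signatures by alert count and number of distinct source addresses, which is the information you need before deciding whether a rule deserves a threshold, a suppress entry for a few hosts, or disabling. The alert lines in SAMPLE are constructed for the example and the signature IDs in them are illustrative.

```python
"""Rank Snort alerts by signature to spot nuisance rules worth tuning.

Added example, not code from Sentinix or Snort. Parses Snort's one-line
alert_fast format and counts events per signature and per source, so the
noisiest rules can be reviewed before writing threshold.conf entries.
"""
import re
from collections import Counter

# Constructed sample alert_fast lines (not a real capture).
SAMPLE = """\
03/15-10:01:02.123456  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.5 -> 10.0.0.20
03/15-10:01:03.223456  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.5 -> 10.0.0.21
03/15-10:01:04.323456  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.5 -> 10.0.0.22
03/15-10:02:10.000001  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.0.2.7:1434 -> 10.0.0.9:1434
03/15-10:05:00.000002  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.6 -> 10.0.0.20
this line is not an alert and is skipped by the parser
"""

# gid:sid:rev, rule message, protocol, then source -> destination (ports optional).
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?"
)

def parse_alerts(text):
    """Yield one dict per parseable alert line; lines that do not match are ignored."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            yield m.groupdict()

def rank_signatures(text, top=10):
    """Return [(gid:sid, message, alert_count, distinct_sources)], noisiest first."""
    counts = Counter()
    sources = {}
    messages = {}
    for a in parse_alerts(text):
        key = f"{a['gid']}:{a['sid']}"
        counts[key] += 1
        sources.setdefault(key, set()).add(a["src"])
        messages[key] = a["msg"]
    # Many alerts from few sources usually means a threshold or suppress entry
    # for those hosts; many alerts from many sources points at the rule itself.
    return [(k, messages[k], n, len(sources[k])) for k, n in counts.most_common(top)]

if __name__ == "__main__":
    for sig, msg, n, srcs in rank_signatures(SAMPLE):
        print(f"{n:5d} alerts  {srcs:3d} sources  [{sig}] {msg}")
```

Point it at the sensor's alert file instead of SAMPLE to get the same ranking for live data; the ratio of alerts to distinct sources is what separates a chatty scanner from a genuinely noisy rule.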
Sentinix Extras

Sentinix includes a number of other useful tools you may want to explore. These include:

- Nagios - Server Health Monitoring
- Nessus - Heavy-Duty Security Testing
- RRDTool, Cacti - Performance Graphing