Since ASL is basically Linux, you can do almost anything (if you put enough work into it). But it is highly discouraged to put an Intrusion Detection System on your firewall. Reasons: Security, Security and Security :)
Hi Andreas, please explain some of the potential security problems/violations one can expect by putting an IDS onto a firewall. I am new to security concepts and would like to know more. thanks.
I asked this same question and was told that Astaro is a firewall not an IDS. "Due to the nature of an IDS you do not want it running on your firewall." I'm just going to build an IDS machine using Snort, MySQL, and ACID. I'm told that you should use Snort v1.9.1. Other than that, I'm a newbie to IDSs as well.
I was actually testing SMOOTHWALL out and one of the features that I found missing in Astaro was the IDS.
I think a number of other firewall boxes also come with SNORT enabled.
Nonetheless, I see the argument against having SNORT on the same box, but it sure would be nice to have that as an option, just like the SMTP relay. Cheers
[ 02 December 2002, 23:46: Message edited by: mattan ]
I would have thought that Snort IDS is more suited to a firewall appliance than an SMTP relay. Perhaps I'm wrong, but an inline Snort installation (à la Hogwash) shouldn't be any big deal. Snort, MySQL, and something like ACID could even be used through the WebAdmin. Astaro already has an SMTP engine for notification e-mails; it could be configured to send a notification when a certain rule is matched "X" number of times. Like any of the other services it could just be shut off for security reasons. I'm sure the purists will say that a firewall is an Intrusion PREVENTION system, not Detection, but the same could be said for DHCPd, SMTP Relay, HTTP Proxy, etc... I'm still building a machine for Snort all by itself, but I'd like to see it in Astaro. Version 4.x beta? Maybe?
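The "notify when a certain rule is matched X times" idea from the post above, as an added example that is not from this thread or from Astaro: a small Python aggregator over Snort alert_fast log lines. The sample lines and rule ids (1000001, 1000002) are constructed for the example.

```python
import re
from collections import Counter

# Constructed Snort alert_fast lines for this example (not real traffic, hypothetical rule ids).
SAMPLE_ALERTS = """\
12/02-23:40:01.000001  [**] [1:1000001:1] WEB-MISC suspicious URI request [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.7:40112 -> 192.168.1.5:80
12/02-23:40:02.000002  [**] [1:1000001:1] WEB-MISC suspicious URI request [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.7:40113 -> 192.168.1.5:80
12/02-23:40:03.000003  [**] [1:1000002:1] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.9 -> 192.168.1.5
12/02-23:40:04.000004  [**] [1:1000001:1] WEB-MISC suspicious URI request [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.7:40114 -> 192.168.1.5:80
"""

# One alert_fast line: timestamp, [gid:sid:rev], message, optional classification, priority, proto, src -> dst.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)


def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not an alert_fast record."""
    m = ALERT_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def rules_over_threshold(lines, threshold):
    """Count matches per (gid, sid) and return {(gid, sid): (message, count)} for rules at or above threshold."""
    counts = Counter()
    names = {}
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue  # skip malformed or non-alert lines instead of crashing the notifier
        key = (alert["gid"], alert["sid"])
        counts[key] += 1
        names[key] = alert["msg"]
    return {key: (names[key], n) for key, n in counts.items() if n >= threshold}


def notification_text(hits):
    """Build the body of the notification e-mail from the rules that crossed the threshold."""
    return "\n".join(f"rule {g}:{s} ({msg}) matched {n} times"
                     for (g, s), (msg, n) in sorted(hits.items()))


if __name__ == "__main__":
    print(notification_text(rules_over_threshold(SAMPLE_ALERTS.splitlines(), 3)))
```

In a real deployment the lines would come from Snort's alert file (or the MySQL table ACID reads) and the text would be handed to the mail relay.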
For your IDS to be truly effective you would want it on a separate machine with a receive-only interface. Typically an IDS would be placed on the outside of your network parallel to the firewall, and also a separate IDS on the inside or "green" network to inspect all packets coming in for harmful intrusion. There are some good docs over at snort.org on how and where to place your IDS. Hope this helps.