Skip to main content

Sonicwall / IDS

More
20 years 3 months ago #4869 by sjk
Sonicwall / IDS was created by sjk
Hi Sahir,

I just wanted to know your review on sonicwall Pro3060 & 4060 if they are capable of application layer filtering and how good they are.

We are planning to have a data center setup which would have web server with load balancer and database server's with clustering. I am planning to use sonicwall either of the above model as compared to cisco or checkpoint mainly due to the price.

Also I would need to have IDS in place. So would it be helpful to configure linux with snort and have it on different locations and install the free tripwire on the server for host detection or should I go for Real Secure ?

Our office would be connected to this datacenter thru VPN tunnel ie by site-to-site VPN and there would be some of our remote office users connecting thru VPN client's so would RSA security be better for authentication and real time logging.

What I am looking for is a complete security( packet level, Application level, IDS) keeping cost in mind.

Please let me know your views.

Regards,
Satish
More
20 years 3 months ago #4880 by sahirh
Replied by sahirh on topic Re: Sonicwall / IDS
I am not personally familiar with the sonicwall firewalls, but from what I know they do provide content filtering, which should mean they are application layer aware.. these days most firewalls are. As far as your intrusion detection system goes, snort is good if you know how to do it, and if it is regularly monitored / updated. Check out SGUIL which makes handling snort much easier. Realsecure is good, very good, but it is expensive as compared to snort (obviously). If you are interested in it, you can get in touch with the company I'm working for as they do the installations etc.

Host based IDS, tripwire is good.. realsecure has HIDS integrated as well... so you can consider that.

Cheers,

Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
More
20 years 3 months ago #4887 by sjk
Replied by sjk on topic Re: Sonicwall / IDS
Thanks for the reply. I have not used snort that much just installed it recently. Is SGUIL better than ACID & AANVAL in configuration and realtime stats.

Also I just wanted to know the difference between snort with a GUI and iptables configured for syslog/log analyzer :
Snort gives us the report or real time stats as to what is going in & out - is this similar to a situation where we have a iptables firewall and it is syslogged to a KIWI dameon or passed on to a log analyzer and it shows realtime traffic flow on the basis of the rule but with the ACID /AANVAL GUI of snort it gives us detailed report on the basis of tcp/udp/any protocols and other reports.
Is there any other difference other than what I have mentioned ?
I do not know that much abt snort thats why this question. I know it is a IDS but what exactly would snort do other than what I have mentioned above.

Also to implement snort I will have to use swicthes with TAPS right instead of hubs ?

Please let me know

Thanks.
More
20 years 3 months ago #4889 by sahirh
Replied by sahirh on topic Re: Sonicwall / IDS
Snort is an IDS, it has a signature database to detect attacks, iptables is a firewall, so they are completely different. SGUIL is alot better than ACID, it is designed for intrusion analysts and features realtime stats, and an interface that is very conducive to analysis. Be aware that managing an IDS is not just about installing it once and then letting it work, you need to understand the alerts that are being generated and act on them.

As far as IDS placement is concerned, you need to put it in a place where it sees the traffic for the segment you wish to protect, a network tap is a good (but expensive) idea, you might consider placing a hub along the segment path and plugging the IDS in there.. Make sure you prevent the IDS from transmitting any data of its own
(ifconfig eth0 -arp).

Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
More
20 years 3 months ago #4901 by sjk
Replied by sjk on topic Re: Sonicwall / IDS
How is winsnort as compared to snort on linux. which one would u recommend to use.

Also regarding the placement, I will have to place the hub on the main switch which has the network which I wish to protect and connect the IDS to that hub right ? Will the hub be able to see traffic on the switch ?
Please let me know if I have understood it right.

Regards,
Satish
More
20 years 3 months ago #4907 by sahirh
Replied by sahirh on topic Re: Sonicwall / IDS
I do not recommend running snort on windows. The problem comes mainly from Microsofts wierd approach to packet capture which ends up with you requiring winpcap or similar packet capture drivers.

As far as the placement goes, you need to make sure that this box can see the traffic it needs to protect. If the traffic is flowing out of just one port.. say to a border router etc.. then your

[code:1]
switch --> hub ---> router
|
IDS
[/code:1]

config will work. However in most cases you will want to monitor traffic flowing to multiple ports. Check whether your switch has a span port (also known as port mirroring or a monitor port) which allows you to send traffic from multiple ports to one port.

Make sure that the traffic load is not too high for the box to handle, otherwise it will start dropping packets and missing traffic.

Cheers,

Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Time to create page: 0.139 seconds