See comments inline... may not answer all of them but will give my $.02 where I can....
shawn
pakkit at codepiranha dot org

On Fri, 30 May 2003, Petty, Robert wrote:

> Which kernel would be best? 2.0.x, 2.2.x, or 2.4.x?

Personally, I would go with 2.4.x... A vulnerability could pop up anywhere that you'll have to patch, so you might as well go with the latest.

> Should snort be running on the firewall machine or another machine? If on
> another machine, should I put the firewall and IDS box on a hub as the first
> hop so they both see the same traffic? The customer's router is not
> manageable (Linksys) and they have no budget for a Cisco router or PIX.

Depends on the speed of your uplink and what kind of box will be the firewall, I would think... If you can separate them, why not? Also, I would go with a switch instead of a hub... and then put the snort box on the monitor port of the switch, with no IP on one NIC in the snort box and the other connected to a private net, logging to a DB that only has a private interface...

> Should SSH go to the firewall machine or be passed through to an internal
> Linux box?

Well... I could go either way on this... but as long as it is restricted to your IP, it shouldn't be a problem on either box... though some may disagree.

> Should the NAT and firewall rules be written and maintained on CD-R media so
> a malicious attacker cannot hide rule changes? Should the firewall be
> re-initialized on a schedule to ensure the live rules are those from the
> read-only media?

That's not a bad idea... I have never tried it, so I don't know what problems you may run into.

> Last, but not least, what's a good HowTo that can be used as a basis? I
> would prefer one that starts off a little more strict so I can simplify
> rather than have to bone up on all of the current vulnerabilities.

There are a couple of different subject areas you are asking about, so I don't know of any one place where you can find all this info... I would check out both snort.org and netfilter.org for docs on snort and iptables respectively...

> Thanks for any replies!

You are very welcome... I hope I was able to help...
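The points raised in this exchange (a default-deny iptables/NAT ruleset with SSH restricted to one admin IP, the ruleset kept on read-only media, and a scheduled check that the live rules still match it) can be put together in one small script. The following is an added example written for this page; it is not code from either poster. It assumes eth0 is the uplink, eth1 faces a 192.168.1.0/24 LAN, the admin host is 203.0.113.10 (a documentation address), and the reference ruleset lives at /mnt/cdrom/rules.v4; all of these are assumptions and are overridable through environment variables. It uses only iptables-save and iptables-restore, which exist on any netfilter-based system.

```shell
#!/bin/sh
# Added example, not from the original thread. Interfaces, networks, the admin
# IP and the CD-R path are assumptions; override them via the environment.
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
ADMIN_IP="${ADMIN_IP:-203.0.113.10}"
REF_RULES="${REF_RULES:-/mnt/cdrom/rules.v4}"

# Emit an iptables-restore ruleset: default-deny INPUT/FORWARD, stateful
# return traffic, NAT for the LAN, and SSH accepted only from the admin IP.
# Write this once to the CD-R master; everything else loads from that copy.
gen_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $WAN_IF -p tcp -s $ADMIN_IP --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --dport 22 -j LOG --log-prefix "SSH-REJECT "
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s $LAN_NET -o $WAN_IF -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Strip the parts of an iptables-save dump that legitimately change between
# runs (timestamp comments and packet/byte counters) so only rules compare.
normalize_rules() {
  sed -e '/^#/d' -e 's/ \[[0-9]*:[0-9]*\]$//' "$1"
}

# rules_match REFERENCE LIVE: exit 0 if the rule sets are identical after
# normalization, 1 otherwise (the diff is printed so the change is visible).
rules_match() {
  ref_n=$(mktemp)
  live_n=$(mktemp)
  normalize_rules "$1" > "$ref_n"
  normalize_rules "$2" > "$live_n"
  if diff "$ref_n" "$live_n"; then rc=0; else rc=1; fi
  rm -f "$ref_n" "$live_n"
  return $rc
}

# Compare the kernel's current rules against the read-only copy (needs root).
check_live() {
  live=$(mktemp)
  iptables-save > "$live"
  rules_match "$REF_RULES" "$live"
  rc=$?
  rm -f "$live"
  return $rc
}

case "${1:-}" in
  gen)    gen_ruleset ;;                      # redirect this to the CD-R master
  check)  check_live ;;                       # nonzero exit = live rules drifted
  reload) iptables-restore < "$REF_RULES" ;;  # run from cron to re-init from CD
esac
```

Burn the output of `gen` to the CD-R, point REF_RULES at the mounted path, and run `check` from cron; a nonzero exit (with the diff in the mail cron sends) shows exactly which rule was added or removed, which is what the read-only copy buys you. `reload` is the scheduled re-initialization the original question asks about; since the source is unwritable, a rule an attacker inserts lives only until the next reload.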