In order to decide where to best place your IDS, you must ask yourself, “Which systems do I wish to protect and from which sources?” It’s good to clarify this point up front—you may find you actually need more than one IDS sensor. You should have a solid security objective in mind before you fill out a purchase request for hardware or software.
One potential deployment is shown in Figure 8.4. In this configuration, both the DMZ and the internal connection of the firewall are being monitored. This allows you to verify all inbound traffic from the Internet. It also allows you to reinforce the existing firewall. Both IDS sensors are running without IP being bound to the public network.
There are a few limitations to this configuration, however. First, you will be unable to monitor attack traffic from the Internet that is targeted at the firewall. While your firewall should be capable of logging such activity, you may not have the benefits of raw packet captures, dynamic filter rule manipulation, or any of the other features that an IDS can offer. If your link to the Internet is a T1 or less, and you want to monitor Internet traffic only, you may be better off buying one really good server and running all IDS functions outside the firewall. Since IP will not be needed on this system, it should be safe from attack.
Another limitation of the design in Figure 8.4 is that it does not allow you to monitor any of the unicast traffic generated between internal systems. If your goal is to monitor all network traffic, you may wish to move your internal IDS sensor to its own port on the switch and configure this switch port for monitoring. This would allow you to see all traffic activity inside the firewall.
Figure 8.4: A potential deployment of two IDS sensors
If your goal is to lock down the network as much as possible, you may wish to combine these solutions: placing one IDS sensor outside the firewall and another IDS sensor off a monitoring switch port, and having both sensors communicate with the console through a private subnet. This would allow you to monitor all passing traffic within your network while still maintaining control from a central console.
Once you have selected the areas you wish to monitor, you can select the number of IDS sensors required, as well as the appropriate hardware.
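The placement trade-offs above can be checked mechanically: a sensor observes a flow only if that flow crosses the segment its NIC is attached to. The following is an added illustration written for this page; it is not from the book and has nothing to do with RealSecure itself. The four segments, the six flow classes and the rule that a sensor sees every flow crossing its segment are simplifying assumptions chosen here, not data from the text.

```python
"""Which traffic flows does a given set of IDS sensor placements observe?

Added example (not from the book). Segments, flows and the visibility rule
are assumptions that model the two-sensor design of Figure 8.4 and the
switch-monitoring-port and outside-the-firewall variants discussed above.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, FrozenSet, Iterable, List, Optional, Set

# Segments of the simplified topology (assumed names).
OUTSIDE = "outside_firewall"   # link between the Internet router and the firewall
DMZ = "dmz"                    # DMZ segment off the firewall
INSIDE = "internal"            # segment on the firewall's internal interface
SPAN = "switch_span"           # monitoring (mirror) port on the internal switch


@dataclass(frozen=True)
class Flow:
    name: str
    crosses: FrozenSet[str]    # every segment on which this flow's packets appear


# Constructed flow catalogue. Internal-to-internal unicast stays on the switch,
# so only a monitoring port on that switch can see it; traffic aimed at the
# firewall itself never reaches the DMZ or internal segments.
FLOWS: List[Flow] = [
    Flow("internet->dmz server", frozenset({OUTSIDE, DMZ})),
    Flow("internet->internal host", frozenset({OUTSIDE, INSIDE, SPAN})),
    Flow("internet->firewall itself", frozenset({OUTSIDE})),
    Flow("internal->internet", frozenset({INSIDE, SPAN, OUTSIDE})),
    Flow("internal->dmz", frozenset({INSIDE, SPAN, DMZ})),
    Flow("internal->internal unicast", frozenset({SPAN})),
]


def coverage(sensors: Iterable[str], flows: List[Flow] = FLOWS) -> Dict[str, List[str]]:
    """Return the flows a set of sensor placements sees and the ones it is blind to."""
    placed = set(sensors)
    seen = [f.name for f in flows if f.crosses & placed]
    blind = [f.name for f in flows if not (f.crosses & placed)]
    return {"seen": seen, "blind": blind}


def minimal_placements(goal_flows: Iterable[str],
                       candidates=(OUTSIDE, DMZ, INSIDE, SPAN),
                       flows: List[Flow] = FLOWS) -> Optional[Set[str]]:
    """Smallest set of placements that observes every named goal flow.

    Brute force over the candidate segments; with four candidates there are
    only fifteen combinations, so exhaustive search is fine here.
    """
    by_name = {f.name: f for f in flows}
    goal = [by_name[n] for n in goal_flows]
    for size in range(1, len(candidates) + 1):
        for combo in combinations(candidates, size):
            if all(f.crosses & set(combo) for f in goal):
                return set(combo)
    return None


if __name__ == "__main__":
    # The Figure 8.4 design: one sensor on the DMZ, one on the firewall's inside.
    result = coverage([DMZ, INSIDE])
    print("Figure 8.4 design is blind to:", result["blind"])
    # Fewest placements that see everything.
    print("Minimal full coverage:", minimal_placements(f.name for f in FLOWS))
```

Running it reproduces the two limitations the text lists for Figure 8.4 (attacks on the firewall itself and internal unicast go unseen), and the search returns a sensor outside the firewall plus one on a switch monitoring port as the smallest full-coverage set, which is the combined design the text recommends.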
Hardware Requirements
ISS suggests the following minimum hardware requirements for the RealSecure Network Sensor:
Pentium II 300MHz processor
128MB of RAM
110MB of disk storage
At least one PCI network card
The disk storage requirements are probably a bit light. If you will be monitoring a high-traffic area or if you think that you may wish to capture a lot of raw data, plan to expand the amount of disk space accordingly.
ISS suggests the following minimum hardware requirements for the RealSecure console:
Pentium II 300MHz processor
100MB of disk storage per sensor
One PCI network card (an additional NIC can be used to create a secure network for communicating with sensors on remote machines)
Tip Again, be generous with disk space. It is better to have too much than not enough. The more disk space available, the longer you will be able to retain your logs. This is important if you want to look at any long-term trends. If you will be running the sensor and the console on the same system, consider increasing the processor requirements to a 400MHz Pentium II and the memory requirements to 192MB.
Installing NT
RealSecure should be run on a Windows NT server that has been dedicated to IDS functions. When installing NT server, observe the following guidelines:
Install all required network cards before loading NT.
Create an NTFS C partition of 800MB, which will hold the NT operating system and swap file.
Create an NTFS D partition of the remaining drive space (200MB minimum) to hold the IDS program files and logs.
Remove all protocols except TCP/IP.
In the Control Panel, open the Services dialog box and disable all services except the Event Log service and the Net Logon service.
Install the 128-bit version of Service Pack 5 (or greater).
At a minimum, install the hotfixes getadmin-fix, ndis-fix, pent-fix, srvr-fix, and teardrop2-fix. Other hotfixes, such as scsi-fix, can be installed as you require.
Under the Performance tab in System Properties, change the Boost to the foreground application to None.
If you are running the server service, go to the Server Properties dialog box and change Optimization to Maximize throughput for network applications.
Once you have followed these guidelines, you are ready to make an emergency recovery disk and install RealSecure.
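One of the guidelines above, disabling every service except Event Log and Net Logon, is easy to verify after the build from the text that `net start` prints. The following checker is an added example written for this page, not part of the book or of RealSecure. The sample output it parses is constructed, and the service display names in the allowlist are an assumption; compare them against what your own host reports.

```python
"""Flag running NT services that the dedicated-IDS-host guideline says to disable.

Added example (not from the book). Parses `net start` output, which lists
one indented service display name per line between a header sentence and a
trailing status line, and reports every running service not on the allowlist.
"""
import re
from typing import List

# Services the guideline leaves enabled (display names are an assumption).
ALLOWED = {"Event Log", "Net Logon"}

# Constructed sample of `net start` output from a freshly built NT server.
SAMPLE_NET_START = """\
These Windows NT services are started:

   Computer Browser
   EventLog
   Messenger
   Net Logon
   Server
   Spooler
   Workstation

The command completed successfully.
"""


def parse_net_start(text: str) -> List[str]:
    """Return the service display names from `net start` output.

    Service names are the indented, non-blank lines; the unindented header
    and status lines are skipped.
    """
    return [line.strip() for line in text.splitlines()
            if line.startswith(" ") and line.strip()]


def key(name: str) -> str:
    """Normalise a display name so 'EventLog' and 'Event Log' compare equal."""
    return re.sub(r"\s+", "", name).lower()


def services_to_disable(text: str, allowed=ALLOWED) -> List[str]:
    """Running services that are not on the allowlist, in the order reported."""
    allowed_keys = {key(a) for a in allowed}
    return [svc for svc in parse_net_start(text) if key(svc) not in allowed_keys]


if __name__ == "__main__":
    for svc in services_to_disable(SAMPLE_NET_START):
        print("disable:", svc)
```

On a real host, pipe `net start` into a file and pass its contents to `services_to_disable`. If you keep the Server service running, as the last guideline above contemplates, add its display name to `ALLOWED` so it is not reported.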
RealSecure Installation
Installing RealSecure is straightforward. You can download a demo of the various installation files if you contact ISS via e-mail. The demo is simply a copy of the full product that will expire in 15 days. For more information, visit the ISS Web site at www.iss.net.
The first component to install is the RealSecure Workgroup Manager (Console). The self-extracting executable will start by copying some files to a temporary directory and launching the Setup program. If you do not have at least Service Pack 5 installed (Service Pack 6a is preferred), the Setup program will warn you that it is required and terminate execution.
As shown in Figure 8.5, you are first asked to select which portions of the program you wish to install. You can choose to install the console, restore private keys, or export the public keys of the console. Installing either the Network or OS/Server Sensors are separate installation procedures. The latter two options are useful after the IDS software has been installed. These options are provided so that you can manage the encryption keys used by the console and the sensors when they are located on different systems. RealSecure uses a public/private key pair for all communications between the console and the sensor. Once you have made your selection, click Next.
Figure 8.5: The Select Install Options screen of the RealSecure installation
You will then be prompted to choose the destination for the RealSecure files. The default is to place them under the Program Files directory on the C drive. It is strongly recommended that you change this path to D so that all RealSecure files are stored on their own partition. This will help to ensure that system functionality is not affected if the log files grow large enough to fill the entire drive. Once you have specified a new path, click Next to continue.
Once you have selected a location for your files, if the system detects that you have not installed the high encryption version of a service pack, it will give you the following message:
After you acknowledge the warning, you will be presented with the Select Cryptographic Setup screen as shown in Figure 8.6. This screen allows you to select a cryptographic services provider (CSP). The CSP is the component responsible for encrypting and decrypting all traffic between the console and the sensors. The Microsoft Base Cryptographic Provider is installed as part of Service Pack 3 or later, so it is available on all patched systems. If you have a third-party CSP installed on the system, that should appear in this window, as well.
Figure 8.6: The Cryptographic Setup screen
You should use the 128-bit version of Service Pack 6a if you wish to use strong encryption. If you have installed the 40-bit version of any Service Pack, you will only be able to use weak encryption. If you select strong encryption with only the 40-bit version of any Service Pack installed, the installation utility will warn you that only weak encryption can be used. Weak encryption is usually sufficient for use behind a firewall. If you will be communicating on a public network, however, you should seriously consider using strong encryption. As with strong authentication, there is a slight performance degradation when you use strong instead of weak encryption. It is far more secure, however.
At this point, the installation utility will prompt you to name the program group and begin installing files to the system. Once this process is complete, you will be presented with the dialog box in Figure 8.7, which offers you the opportunity to archive your private keys (securing them with a pass-phrase in the process).
Figure 8.7: RealSecure can archive your private keys.
After this screen, the system begins to copy files. Near the end of the copy process, the system will prompt you if it detects that you lack Microsoft’s Data Access Components (MDAC). You can choose to allow the system to install the components (required if you want RealSecure to function properly).
After RealSecure installs the updated MDAC (if required), the installation program prompts you to harden security by checking the permission levels set on the Registry keys and directories used by RealSecure. This is done in order to ensure that they can only be accessed by the system administrator or an equivalent account.
Note You can only set directory permissions on an NT server if you have partitioned your drives to use NTFS.
Now the installation is complete. You will be prompted to reboot the server so that Registry changes can take effect and the IDS sensor service can start. The sensor starts automatically during system initialization, but the console must be launched from the RealSecure program group. Once the system restarts, copy your ISS.KEY file to the RealSecure program directory.
Configuring RealSecure
To launch the RealSecure console, select the RealSecure icon from within the RealSecure program group. This will produce the screen shown in Figure 8.8. The top of your screen is the RealSecure menu. All functions are available via pull-down menu options or from the toolbar. On the bottom of the screen is the Sensor view. This window displays all sensors that are currently being monitored. An unmonitored sensor will still collect data; it simply cannot report this information back to the console. To select a sensor to monitor, click Sensor → Monitor Sensor from the Sensor menu.
Figure 8.8: The RealSecure Console screen
Tip In order to see all the information screens, you should use a screen resolution of 800 x 600 or higher.
Selecting Monitor Sensor will produce the Add Sensor dialog box. Use this box to select all the sensors you wish to monitor. If you have installed the console and the OS or Network Sensor on the same computer, you should see an entry for the localhost sensor. If the sensor is on a remote computer, you will need to click Add and fill in the IP address of the IDS sensor. Do this for each sensor on your network. Then highlight each sensor you want and click OK to begin monitoring them.
When the sensor appears on the Sensor View, you can right-click a particular sensor entry to produce a Maintenance menu. From this menu, select the Properties option in order to configure the specific characteristics of this sensor. If you have selected a Network Sensor, this will produce the Sensor Properties screen shown in Figure 8.9.
Figure 8.9: The Policies tab of the Network Sensor screen
The Policies tab of the Network Sensor Properties screen allows you to customize the type of security policy your IDS will use. You can select the following options: