Intrusion Detection Systems (IDSs) are an important part of any network. One free, open-source tool for implementing an IDS on networks is Snort. (If you're unfamiliar with IDSs, see Jason Harper, "Protect Your Network from Intrusion" and "Deploy Your Network IDS Effectively," http://www
.secadministrator.com, InstantDoc ID 24650 and InstantDoc ID 25013, respectively.) To build a Snort server in a Windows 2000 environment, you need to install and secure Win2K Server, install Snort and its companion files, and test Snort's various modes.
Installing and Securing Win2K Server
To build a Snort server, you first need to secure the server's OS so that the OS doesn't become a victim of intruders' attacks. In IDSs, the OS typically resides outside a firewall's protection, so the OS needs to be both secure and invisible to intruders' probes. (Some administrators use two NICs to dual-home the Snort server, then connect the server to a port-mirrored switch or hub to transmit only. However, I think that having a system that's completely isolated from the main network is best. That way, the system can stand on its own outside a firewall.) Because Microsoft designed Win2K Server to be a platform on which applications run, the default setup creates an environment that maximizes the system's ability to offer services to the rest of the network. The security administrator's ultimate goal is to turn Win2K on the Snort server into an OS that's undetectable by attackers—a stealthy OS. . . .
Register
