Defending Your Home

I'm going to assume a medium-small (extra medium?) case. Let's assume that you have a home network consisting of multiple PC-type boxes. Some are running Linux, some are running some other operating system. I'll assume you have a dialup ISP using PPP that assigns you a dynamic IP address. I'll further assume that your Linux box does the dialup on demand and that it acts as a simple masquerading firewall, allowing the rest of your PCs to share that one dialup link to the network over an IP Ethernet. [*]

[*] By a remarkable coincidence, this is exactly what my home network looks like. I know, what kind of a geek am I to still be on a dialup link? I blame my wife (sorry, honey!). You see, she's into horses, so we built out in the sticks. I am sitting at the end of the longest analog phone line in my entire county. That's no exaggeration. So no DSL for me. Cable? Hah! If you get enough of your friends to buy this book, maybe I'll lay in an FDDI line.

We're not done making assumptions yet. Let us further assume that the internal network is implemented with a nonrouting IP network address (in this case, 10.0.0.0) and that we'll use a netmask of 255.255.255.0, or 24 bits. We'll assume the dialup is implemented on interface ppp0 and the internal network is on eth0. We will assume that simple masquerading is being used, rather than explicit firewall rules, and that there is no DMZ (if these terms are unfamiliar, consider taking a look at the IP-firewalling HOWTO document).

Let us further assume that we will use the predefined Snort rules libraries to set our detector. You will notice that the library makes use of a few variables. The most important of these are $EXTERNAL_NET and $HOME_NET. These variables allow you to specify the network addresses and netmasks of your internal and external networks. Given the assumptions we have made, the best choice would be to set $HOME_NET to 10.0.0.0/24 and $EXTERNAL_NET to !10.0.0.0/24.

The simplest way to make use of the library is to define your own "master" rules file. I frequently see this named snort.conf and located in /etc/snort. Here's what I would put in our snort.conf file:

# Local snort configuration file, sample for Multitool Linux
# $Id: chapter13.html,v 1.1.1.1 2001/11/02 03:12:25 mschwarz Exp $

# Network variables referenced by the rules libraries as $HOME_NET and $EXTERNAL_NET.
# A variable must be defined before any include that uses it.
var HOME_NET [10.0.0.0/24]
var EXTERNAL_NET [!10.0.0.0/24]

# Snort's include directive takes a bare path: no colon, no quotes.
include /etc/snort/ddos.rules
include /etc/snort/scan.rules
include /etc/snort/exploit.rules

There are other variables used in the Snort rules library. Many of these specify the addresses of servers running specific services. Snort will tell you if you include a rules file that has variables you have not yet defined.
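A small pre-flight check for a master rules file like the one above, added here as an example and not code from the book or from the Snort project: it walks snort.conf in order, resolves var lines (including values such as !$HOME_NET that reference an earlier variable), follows each include, and reports any $VARIABLE a rule uses before it has been defined, as well as include files that do not exist. The master file and rule files are constructed inline (the include paths and rule text are samples) so it runs without touching /etc/snort.

```python
import re

VAR_RE = re.compile(r'^var\s+(\w+)\s+(\S+)$')  # var NAME VALUE
INCLUDE_RE = re.compile(r'^include\s+(\S+)$')  # include /path/to/file
REF_RE = re.compile(r'\$(\w+)')                # $NAME reference
# Constructed sample input: the page's master file, except that the last
# include is missing on disk and scan.rules uses a variable never defined.
MASTER_CONF = """\
var HOME_NET [10.0.0.0/24]
var EXTERNAL_NET !$HOME_NET
include /etc/snort/ddos.rules
include /etc/snort/scan.rules
include /etc/snort/exploit.rules
"""
RULE_FILES = {  # path -> contents, so the check runs without /etc/snort
    '/etc/snort/ddos.rules': 'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ddos";)\n',
    '/etc/snort/scan.rules': 'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"scan";)\n',
}

def _code_lines(text):
    """Yield (lineno, line) with blank lines and '#' comment lines removed."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith('#'):
            yield lineno, line

def check_snort_conf(master, files):
    """Walk the master file in order, resolving 'var' lines and following
    'include' lines into `files`. Returns (variables, problems)."""
    variables, problems = {}, []
    def check_refs(path, lineno, line):
        for name in REF_RE.findall(line):
            if name not in variables:
                problems.append((path, lineno, f'undefined variable ${name}'))
    for lineno, line in _code_lines(master):
        if m := VAR_RE.match(line):
            name, value = m.groups()
            check_refs('snort.conf', lineno, value)  # value may use earlier vars
            variables[name] = REF_RE.sub(
                lambda r: variables.get(r.group(1), r.group(0)), value)
        elif m := INCLUDE_RE.match(line):
            path = m.group(1)
            if path not in files:
                problems.append(('snort.conf', lineno, f'missing include {path}'))
                continue
            for rlineno, rline in _code_lines(files[path]):  # rules may only use
                check_refs(path, rlineno, rline)               # vars defined above
        else:
            check_refs('snort.conf', lineno, line)  # output/preprocessor lines
    return variables, problems
```

Running check_snort_conf(MASTER_CONF, RULE_FILES) flags $HTTP_SERVERS in scan.rules and the absent exploit.rules, which are exactly the two complaints Snort itself would raise at startup.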

Note that this is for illustration only. I do not recommend this particular configuration. Which rule libraries you choose to use should be based on comparing the rulesets against the kind of services you run and the kind of network you have. You should also make some decisions based on whether you want to know about any attempts on your network or only reports of attempts that get through.

One common thing to do (if you have machines to spare) is to set up Snort to detect only the most serious issues "outside" the firewall and to have one set to detect absolutely everything inside the firewall. That way, you see only the most dangerous attacks when they are made on the outside, whether or not they succeed, and you see any suspicious activity that makes its way to the inside.

Running Snort

Snort can be executed in many ways. It can be started to run in the foreground or as a daemon. It may be started to watch a network interface, or it may be started to read a binary dump from a tool like TCPDump. We will not cover all of the command line options for Snort. You have a Snort man page (or should) for that. We will basically show you how to use our example snort.conf file to watch your dialup interface and do it as a daemon. Here's the command line to do that:

# snort -A full -c /etc/snort/snort.conf -D -h 10.0.0.0/24 -i ppp0

Here, briefly, is what these arguments do. The -A argument specifies how alerts will be formatted; the "full" option produces the output shown in the "alert" box of the action table. The -c argument specifies the rules file, in this case the snort.conf file we made that includes a number of the Snort rules library files. The -D flag tells Snort to run as a daemon. The -h flag names the local network; alerts from nonlocal addresses will be placed in /var/log/snort in a subdirectory whose name is the dotted decimal IP address of the remote computer that triggered the alert. The -i flag tells Snort to sniff packets from the ppp0 interface.

For details on the many command line options to Snort and their use, consult the Snort man page.


Multitool Linux: Practical Uses for Open Source Software
ISBN: 0201734206
Year: 2002
Pages: 257