Create a Distributed Stealth Sensor Network
Keep your IDS sensors safe from attack, while still giving yourself access to their data.
Your IDS sensors are the early warning system that can both alert you to an attack and provide needed evidence for investigating a break-in after one has occurred. You should take extra care to protect them and the data that they collect. One way to do this is to run your IDS sensors in stealth mode.
To do this, simply don't configure an IP address for the interface from which your IDS software will be collecting data:
# tcpdump -i eth1 tcpdump: bind: Network is down # ifconfig eth1 up promisc # ifconfig eth1 eth1 Link encap:Ethernet HWaddr 00:DE:AD:BE:EF:00 UP BROADCAST PROMISC MULTICAST MTU:1500 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) Interrupt:11 Base address:0x1c80 # /usr/sbin/tcpdump -i eth1 tcpdump: WARNING: eth1: no IPv4 address assigned tcpdump: listening on eth1
After you've put up the interface, just start your IDS. It will run as normal, but since there is no way to directly access the machine, it will be very difficult to attack.
However, like any potential attackers, you will also be unable to access the machine remotely. Therefore, if you want to manage the sensor remotely, you'll need to put in a second network interface. Of course, if you did this and hooked it up to the same network that the IDS sensor was monitoring, it would totally defeat the purpose of running the other interface without an IP address. To keep the traffic isolated, you should create a separate network for managing the IDS sensors. Attach this network to one that is remotely accessible, and then firewall it heavily.
Another approach is to access the box using an alternate channel, such as a serial port connected to another machine that does have a network connection. Just run a console on the serial port, and take care to heavily secure the second machine. You could also connect a modem (remember those?) to an unlisted phone number or, better yet, an unlisted extension on your office's private branch exchange. Depending on your situation, simply using the console for access may be the simplest and most secure method.
Which method to use for remote access is a choice you'll have to make by weighing the value of increased security against the inconvenience of jumping through hoops to access the machine. Security nearly always involves a trade-off between convenience and confidence.