SnapGear SG565 Router Manual PDF (Setup & Configuration Guide)

Page 136 / 249 Scroll up to view Page 131 - 135

Intrusion Detection

131

Note

The more rule sets that are selected, the greater load is imposed on the CyberGuard SG

appliance.

Therefore a conservative rather than aggressive approach to adding rule sets

should be followed initially.

Figure 7-3

Check

Log results to database

to use a remote analysis server.

Note

If

Log results to database

is left unchecked, results will be output to the CyberGuard

SG appliance system log (

Advanced

->

System

Log

).

Advanced Intrusion Detection currently only supports

MySQL

as the

Database Type

.

Enter the name (table name) of the remote database in

Database Name

.

Enter the IP address of resolvable

Hostname

of the analysis server as well as the

Database port

.

For MySQL type databases, this is typically

3306

.

Sensor Name

is an arbitrary string that will be prepended to the log output.

This may be

useful if you have deployed more than one intrusion detection system.

Finally, if you have configured the remote database to require authentication using a

User name

and

Password

, enter them here.

Click

Apply

.

Page 137 / 249

Intrusion Detection

132

Setting up the analysis server

Specific open source tools are required to be installed on the Analysis server for a

straightforward evaluation.

The analysis server will typically be a Pentium IV level system running Linux (

Red Hat

,

Debian

, etc.) with sufficient memory and disk capacity to run a database and web server

with at least one Ethernet port.

With these tools installed, web pages can be created that

display, analyze and graph data stored in the MySQL database from the CyberGuard SG

appliance running Advanced Instrusion Detection.

They should be installed in the

following order:

MySQL

database

http://www.mysql.com/downloads/mysql-4.0.html

http://www.mysql.com/doc/en/index.html

Apache

web server

http://httpd.apache.org/download.cgi

http://httpd.apache.org/docs-2.0/

PHP

scripting language for developing web pages

http://www.php.net/downloads.php

http://www.php.net/download-docs.php

ADODB

library to hide differences between databases used by PHP

http://php.weblogs.com/adodb#downloads

GD

graphics library for GIF image creation used by PHP

http://www.boutell.com/gd/

Page 138 / 249

Intrusion Detection

133

PHPlot

graph library for charts written in PHP

http://www.phplot.com/

ACID

analysis console

http://www.andrew.cmu.edu/~rdanyliw/snort/acid-0.9.6b23.tar.gz

Snort will be running as an IDS sensor on the CyberGuard SG appliance and logging to

the MySQL database on the analysis server.

The following are detailed documents that

aid in installing the above tools on the analysis server.

http://www.snort.org/docs/snort_acid_rh9.pdf

http://www.andrew.cmu.edu/~rdanyliw/snort/acid_config.html

http://www.sfhn.net/whites/snortacid.html

Page 139 / 249

Web Cache

134

8. Web Cache

Note

SG565, SG575, SG580, SG635 and SG7xx series only.

Web browsers running on PCs on your LAN can use the CyberGuard SG appliance’s

proxy-cache server to reduce Internet access time and bandwidth consumption.

A proxy-cache server implements Internet object caching.

This is a way to store

requested Internet objects (i.e., data available via HTTP, FTP, and other protocols) on a

server closer to the user's network than on the remote site.

Typically the proxy-cache

server eliminates the need to re-download Internet objects over the available Internet

connection when several users attempt to access the same web site simultaneously.

The objects will be available in the cache (server memory or disk) and quickly accessible

over the LAN rather than the slower Internet link.

The CyberGuard SG appliance’s web cache keeps objects cached in memory and on a

LAN network share, caches Internet name (DNS) lookups and implements negative

caching of failed requests.

Using the lightweight Internet Cache Protocol, multiple web caches can be arranged in a

hierarchy or mesh.

This allows web cache peers to pull objects from each other’s

caches, further improving the performance of web access for an organisation with

multiple Internet gateway.

Page 140 / 249

Web Cache

135

Web Cache Setup

Select

Web cache

under

Networking

.

A page similar to the following will be displayed.

Figure 8-1

Check

Enable

to enable the web cache.

Cache size

Select the amount of memory (RAM) on the CyberGuard SG appliance to be reserved for

caching Internet objects.

The maximum amount of memory you can safely reserve will

depend on what other services the CyberGuard SG appliance has running, such as VPN

or a DHCP server.

If you will be using a

Network Share

(recommended, see below), it is generally best to

set this to

8 Megabytes

.

If you are unable to use a

Network Share

, start with a small cache (

8 Megabytes

or

16

Megabytes

) and gradually increase it until you find a safe upper limit where the

CyberGuard SG appliance can still operate reliably.

Rate

Popular SnapGear Models

Famous Router IPs

Famous Router Companies

Bookmark Our Site

Share