Installation configuration

Technical support forum for Qbik NetPatrol - our new Intrusion Detection System.

Moderator: Qbik Staff

Postby ollieno » Apr 08 05 8:47 pm

Hi,

I'm doing some tests with the trial version.

The Help file does help a little, but my network configuration isn't presented in your scenarios.

My network is connected to the internet through my "Hard" Firewall (Ntasq F100, hardware Firewall) which also does the NAT for the network.

So if I understand the Help file correctly, I should install the NetPatrol machine between my firewall and the network.

Are there compatibility problems I should expect during the install and parameters?
ollieno
 
Posts: 4
Joined: Apr 08 05 8:32 pm
Location: paris, france

Postby genie » Apr 08 05 11:19 pm

In your case you may consider plugging the NetPatrol machine through a hub which provides a connectoid between your firewall and the rest of the network - then NetPatrol will be able to see all packets in promiscuous mode. Then another thing to configure is your network distribution - that is, what IP addresses are considered home (internal) - say, the entire range of 192.168.2.0/255.255.255.0.
genie
Qbik Staff
 
Posts: 1788
Joined: Sep 30 03 10:29 am

Postby ollieno » Apr 08 05 11:48 pm

I've already seen for my network detection (explained in the help file).

My network is connected to the firewall using our enterprise switch .. won't using a hub to connect the NetPatrol machine slow down the network traffic a little?
ollieno
 
Posts: 4
Joined: Apr 08 05 8:32 pm
Location: paris, france

Postby genie » Apr 09 05 1:08 am

The reason behind this hub connection was the ability of NetPatrol to oversee all the traffic to and from your local network - without it NetPatrol will be able to see only packets travelling in the same segment (switch-wise) as it is located itself.
genie
Qbik Staff
 
Posts: 1788
Joined: Sep 30 03 10:29 am

Postby ollieno » Apr 12 05 8:50 pm

Hi,

I continue to test and configure NetPatrol, and have new questions.

I do have errors opening files when updating the databases (Apnic, Ripe ..)

What did I do wrong?

Do I need to Ban IP for most of the unknown connections listed in the TopIP list?

Regards,
ollieno
 
Posts: 4
Joined: Apr 08 05 8:32 pm
Location: paris, france

Postby genie » Apr 12 05 10:27 pm

The Apnic and such updates are done through FTP and NPConsole uses standard IE FTP settings - check if you can get to any FTP server from IE.

The Top IP list is mostly a reference to potentially dangerous IP addresses. This list is supported by the administrators all around the world and as such is not free of bias. It gets updated every 10 minutes or such and as a matter of fact is just a way for you to mark the most dangerous IP addresses as unacceptable. Note, however, that in many cases these reportedly dangerous IPs are innocent (bias again).
genie
Qbik Staff
 
Posts: 1788
Joined: Sep 30 03 10:29 am

Postby ollieno » Apr 14 05 3:49 am

All seems to work now.

Thanks for the help.

I do test the Alter logging behavior concerning certain rules (network handshake recognised as Lsass attack) and many identity switches.

How does the Ban IP work? Temporary or permanent? Is NetPatrol doing the banning or do I need to ban the IP from my firewall?

regards,
ollieno
 
Posts: 4
Joined: Apr 08 05 8:32 pm
Location: paris, france

Postby genie » Apr 14 05 10:15 am

It depends. Banning actually can be done in two ways:

- Manual ban - when you simply invoke ban/unban operation from the console
- Automatic ban which is controlled by the rules (proaction part) where you can ban source, destination or any other IP address either for a certain period of time or permanently.

In order for ban to work NetPatrol should have access to WinGate v 6 and higher. Alternatively, NetPatrol logs all ban requests in an external file called locks/locking.txt - it can be parsed by a 3rd party app and used to control other firewalls.
genie
Qbik Staff
 
Posts: 1788
Joined: Sep 30 03 10:29 am
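
An added example, not part of the thread and not Qbik's code: a sketch of the kind of third-party consumer the last reply describes, turning logged ban requests into a list of currently active blocks for another firewall. The thread does not document the layout of locks/locking.txt, so the line format, the sample lines and the function name `active_bans` are constructed stand-ins; the home range is the one given earlier in the thread.

```python
import ipaddress
from datetime import datetime, timedelta

# Home (internal) range quoted in the thread; addresses inside it are never banned.
HOME_NET = ipaddress.ip_network("192.168.2.0/255.255.255.0")

# Constructed sample input in a HYPOTHETICAL layout (not the real locking.txt format):
#   <ISO timestamp> <BAN|UNBAN> <ip> <duration in seconds, 0 = permanent>
SAMPLE = """\
2005-04-14T10:00:00 BAN 203.0.113.7 600
2005-04-14T10:01:00 BAN 198.51.100.9 0
2005-04-14T10:02:00 BAN 192.168.2.15 0
2005-04-14T10:03:00 BAN not-an-ip 60
2005-04-14T10:04:00 BAN 203.0.113.50 300
2005-04-14T10:05:00 UNBAN 203.0.113.50 0
"""

def active_bans(text, now, home_net=HOME_NET):
    """Return ({ip: expiry, or None if permanent}, [rejected lines])."""
    bans, rejected = {}, []
    for line in text.splitlines():
        parts = line.split()
        try:
            when = datetime.fromisoformat(parts[0])
            action = parts[1]
            ip = ipaddress.ip_address(parts[2])  # rejects anything that is not an IP
            seconds = int(parts[3])
            if action not in ("BAN", "UNBAN") or seconds < 0:
                raise ValueError(line)
        except (ValueError, IndexError):
            rejected.append(line)  # malformed line: never pass it on to a firewall
            continue
        if action == "UNBAN":
            bans.pop(ip, None)
        elif ip in home_net:
            rejected.append(line)  # a false positive must not cut off an internal host
        else:
            bans[ip] = when + timedelta(seconds=seconds) if seconds else None
    # Temporary bans whose period has elapsed are dropped; permanent ones stay.
    live = {ip: exp for ip, exp in bans.items() if exp is None or exp > now}
    return live, rejected

if __name__ == "__main__":
    live, rejected = active_bans(SAMPLE, datetime(2005, 4, 14, 10, 6))
    for ip, exp in live.items():
        print(ip, "permanent" if exp is None else f"until {exp.isoformat()}")
    print("rejected:", rejected)
```
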

