4. Defining your network map


Now that everything has been said about tightening local security by applying it on every host, and about making sure all our logs end up in the same place(s) (for more details on this topic, read my paper "Securing the internal Microsoft network" or other related papers on the same topic), let's get down to the configuration of LogIDS itself. The first aspect to look at, and maybe the most fun, is the network map definition. The network map is defined by the file map.txt, an ASCII file representing your network environment. The file must be seen as a two-dimensional matrix representing the screen, in which each character stands for a square of 60 x 60 pixels. A few characters are reserved; with the rest you build 5-character tokens that identify your network nodes (these can be hosts, servers, dedicated IDS consoles, firewalls, subnets, etc.).

The reserved characters are as follows:

0 = an empty cell (white space)
| = a vertically-oriented network wire
- = a horizontally-oriented network wire
+ = a cross-wire, used to link together objects that are on the same LAN or to make a corner in a wire
##### = reserved word for the Internet/external network

You can define as many network items as you want, simply by giving each one a 5-character label (not starting with one of the reserved characters). The network map displayed in Figure 1 (Chapter 1) is obtained with the following map.txt (best displayed at 1024 x 768 pixels: at 60 pixels per character, this 16-column by 12-row grid takes up 960 x 720 pixels):

#####00000000000
00|00000+--DNS1a
FRWLL+00+--WEBAa
00|00+DMZ1a00000
00|0000000000000
00+--LAN2a+IDS1a
LAN1a00000+PDC1a
00|0000000+BDC1a
00+INTRa00+FIL1a
00+ADMCa00+MAILa
00+IDS2a00000000
0000000000000000

Note how a '+' character joins up with whatever surrounds it, so the map needs few wire characters and map.txt stays uncluttered. If you see systems connected together when they normally shouldn't be, it is because you have placed them too close to each other next to a '+' character. Note however that all the wiring is purely cosmetic; it is provided only so that you can build an understandable picture of the various hosts reporting to LogIDS. You could just as well stack all your network items in columns, one on top of the other, but that would make LogIDS's interface only a slight variation on the traditional way of displaying log data. Now that we have defined our network map, let's move on to the next item, defining the network items themselves.
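Because map.txt is so compact, it pays to check a map before loading it. The following Python script is an added example written for this page, not part of LogIDS: it parses a map.txt grid by the rules given above (60-pixel cells, the reserved characters, the ##### token and 5-character labels that may not start with a reserved character), reports the screen area the grid needs, flags labels that run off a row, start with a reserved character or are used twice, and lists which labels each run of wire characters joins together. How LogIDS itself draws the wires is not described on this page; the model used here ('|' joins up and down, '-' left and right, '+' all four neighbours, and a wire reaching any of a label's five cells attaches to that label) is an assumption made for the example, as are the two small ACCIDENTAL and FIXED maps that reproduce the too-close-to-a-'+' problem mentioned above.

```python
"""Parse and sanity-check a map.txt grid for LogIDS (added example, not LogIDS code).
Rules taken from the text: 60 x 60 px cells, reserved characters 0 | - +, the #####
Internet token, 5-character labels that may not start with a reserved character.
The wire model is this example's own assumption: '|' joins up/down, '-' joins
left/right, '+' joins all four neighbours; a label sits on any wire run touching it."""
from __future__ import annotations

from typing import NamedTuple

CELL_PX = 60                       # one character = one 60 x 60 pixel square
LABEL_LEN = 5                      # every network item is a 5-character token
INTERNET = "#" * LABEL_LEN         # reserved word for the Internet / external network
WIRES = {"0", "|", "-", "+"}       # single-cell reserved characters
RESERVED_FIRST = WIRES | {"#"}     # a label may not start with any of these
N, S, E, W = (-1, 0), (1, 0), (0, 1), (0, -1)
WIRE_LINKS = {"|": {N, S}, "-": {E, W}, "+": {N, S, E, W}}   # assumed drawing rule

PAGE_MAP = """\
#####00000000000
00|00000+--DNS1a
FRWLL+00+--WEBAa
00|00+DMZ1a00000
00|0000000000000
00+--LAN2a+IDS1a
LAN1a00000+PDC1a
00|0000000+BDC1a
00+INTRa00+FIL1a
00+ADMCa00+MAILa
00+IDS2a00000000
0000000000000000
"""
# Constructed mini-maps (not from the page): in ACCIDENTAL the trailing '+' touches the
# 'M' of ADMCa one row down and drags it onto the LAN1a/FIL1a segment; FIXED adds a row.
ACCIDENTAL = "LAN1a+FIL1a\n00000+00000\n0000ADMCa00\n"
FIXED = "LAN1a+FIL1a\n00000+00000\n00000000000\n0000ADMCa00\n"

class Node(NamedTuple):
    label: str
    row: int
    col: int                       # column of the token's first character

def parse_map(text: str) -> tuple[list[Node], list[str], list[str]]:
    """Return (nodes, grid rows, problems); problems are human-readable strings."""
    rows = text.rstrip().splitlines()
    nodes, seen, problems = [], set(), []
    for r, line in enumerate(rows):
        c = 0
        while c < len(line):
            if line[c] in WIRES:               # wire or empty cell: one character wide
                c += 1
                continue
            token = line[c:c + LABEL_LEN]      # anything else starts a 5-character token
            if len(token) < LABEL_LEN:
                problems.append(f"row {r} col {c}: {token!r} runs off the end of the row")
                break
            if token != INTERNET and token[0] in RESERVED_FIRST:
                problems.append(f"row {r} col {c}: {token!r} starts with reserved {token[0]!r}")
            if token in seen:                  # a label identifies its item: a repeat is ambiguous
                problems.append(f"row {r} col {c}: {token!r} already used")
            seen.add(token)
            nodes.append(Node(token, r, c))
            c += LABEL_LEN
    return nodes, rows, problems

def canvas_px(rows: list[str]) -> tuple[int, int]:
    """Screen area the grid needs (widest row x number of rows), in pixels."""
    return max((len(r) for r in rows), default=0) * CELL_PX, len(rows) * CELL_PX

def segments(nodes: list[Node], rows: list[str]) -> list[frozenset[str]]:
    """One set of labels per connected wire run: what the map shows as one segment."""
    owner = {(n.row, n.col + k): n.label for n in nodes for k in range(LABEL_LEN)}
    def at(r: int, c: int) -> str:             # cells outside the grid read as empty
        return rows[r][c] if 0 <= r < len(rows) and 0 <= c < len(rows[r]) else "0"
    def is_wire(r: int, c: int) -> bool:
        return (r, c) not in owner and at(r, c) in WIRE_LINKS
    done, runs = set(), []
    for r in range(len(rows)):
        for c in range(len(rows[r])):
            if (r, c) in done or not is_wire(r, c):
                continue
            touching, stack = set(), [(r, c)]
            done.add((r, c))
            while stack:                       # flood-fill this wire run
                cr, cc = stack.pop()
                for dr, dc in WIRE_LINKS[at(cr, cc)]:
                    nr, nc = cr + dr, cc + dc
                    if (nr, nc) in owner:      # the wire ends on a label cell
                        touching.add(owner[(nr, nc)])
                    elif (is_wire(nr, nc) and (nr, nc) not in done
                          and (-dr, -dc) in WIRE_LINKS[at(nr, nc)]):   # neighbour links back
                        done.add((nr, nc))
                        stack.append((nr, nc))
            if touching:
                runs.append(frozenset(touching))
    return runs

if __name__ == "__main__":
    for name, text in (("page map", PAGE_MAP), ("accidental", ACCIDENTAL), ("fixed", FIXED)):
        nodes, rows, problems = parse_map(text)
        print(name, canvas_px(rows), problems, [sorted(s) for s in segments(nodes, rows)])
```

On the map above this reports a 960 x 720 pixel canvas, no problems, and six wire runs: ##### with FRWLL; FRWLL with DMZ1a; FRWLL with LAN1a and LAN2a; DMZ1a with DNS1a and WEBAa; LAN1a with INTRa, ADMCa and IDS2a; and LAN2a with IDS1a, PDC1a, BDC1a, FIL1a and MAILa, which is the firewall-with-three-legs layout the figure is meant to show. The ACCIDENTAL map lists ADMCa on the LAN1a/FIL1a run because the '+' under the wire touches it; in FIXED, one row of '0's between them is enough to separate them again.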
