Host Intrusion Detection System Administrator's Guide Release 3.0

Configuration
Chapter 2
Configuring a Multihomed Administration System
A multihomed system is one that has multiple connections to a network. Typically, a
multihomed system has more than one network interface card, each with a unique
address. While the system may have only one host name, the name resolution software
will usually return the IP address of one of the interfaces on the system.
In such configurations, the HP-UX HIDS administration system needs to know which
interface it should use to communicate with its agent systems. If the administration
system is multihomed, the idsgui script must be modified to contain the setting that
specifies the network address on which the administration system will listen.
To configure a multihomed administration system
Follow this procedure to configure your HP-UX HIDS administration and agent software
only if you are using a multihomed administration system.
Step 1. Determine if the administration system is multihomed. If you are not sure, use the
nslookup command to see what IP address corresponds to the system’s host name. If
more than one IP address is returned by nslookup, your system is multihomed. If only
one IP address is returned, your system is not multihomed.
No modifications are needed for a system that has only one IP address.
Step 2. Choose the one interface on which you want the HP-UX HIDS agent to communicate
with the administration system.
The choice of address will depend on your network topology. The address can be either an
IP address in dotted decimal notation (e.g., 1.2.3.4) or a host name that resolves to a
unique IP address on the administration system.
It is essential that a network route exists between the HP-UX HIDS administration
system and the HP-UX HIDS agent system. On the administration system, use the
/usr/bin/ping command (ping(1)) or the /usr/contrib/traceroute command to
verify that network traffic can flow between the systems. You may wish to choose the
address with the shortest transmission time (speed) or the fewest hops (exposure).
NOTE: Since an administration system can only monitor agents that are on the same network, a
different administration system is required to monitor agents that are on a different
(physically separated) network, even if the administration system is connected to both
networks.
Step 3. On the multihomed administration host, become user ids:
$ su - ids
Step 4. Edit the System Manager script; for example:
$ vi /opt/ids/bin/idsgui
Step 5. Locate the INTERFACE variable in the GUI Configuration section. See idsgui(1M).
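
The multihoming check from Step 1, as an added example that is not part of the original guide: a shell sketch that counts only the addresses in the answer part of nslookup output, so the name server's own address is never mistaken for a second interface. The function names and the sample outputs are constructed for illustration, and it assumes nslookup prints its server header before the first "Name:" line.

```shell
#!/bin/sh
# Print the distinct addresses from the answer part of nslookup output on
# stdin. Everything before the first "Name:" line (the resolver's own
# "Server:/Address:" header) is skipped.
answer_addrs() {
    awk '
        /^Name:/ { in_answer = 1; next }
        in_answer && /^Address(es)?:/ {
            sub(/^Address(es)?:[ \t]*/, "")
            n = split($0, parts, /[ \t,]+/)   # "Addresses: a, b" list form
            for (i = 1; i <= n; i++) {
                sub(/#.*/, "", parts[i])      # drop a "#53" port suffix
                if (parts[i] != "" && !seen[parts[i]]++) print parts[i]
            }
        }
    '
}

# Exit status 0 when the answer holds more than one distinct address.
is_multihomed() {
    answer_addrs | awk 'END { exit !(NR > 1) }'
}

# Constructed sample outputs using documentation-range addresses.
sample_multi() {
    cat <<'EOF'
Server:         192.0.2.53
Address:        192.0.2.53#53

Name:   admin.example.com
Address: 192.0.2.10
Name:   admin.example.com
Address: 198.51.100.10
EOF
}

sample_single() {
    cat <<'EOF'
Name Server:  ns.example.com
Address:  192.0.2.53

Name:    admin.example.com
Address:  192.0.2.10
EOF
}

# Live use: pass the administration system's host name as the first argument.
if [ $# -gt 0 ]; then
    nslookup "$1" | answer_addrs
fi
```

Each address printed for a multihomed host is a candidate for Step 2; a single line of output means no change to idsgui is needed.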