Host Intrusion Detection System Administrator's Guide Release 3.1

Configuration
Configuring a Multihomed Agent System
Chapter 2
25
Configuring a Multihomed Agent System
A multihomed system is one that has multiple connections to a network. Typically, a
multihomed system has more than one network interface card, each with a unique
address. While the system may have only one host name, the name resolution software
will usually return the IP address of one of the interfaces on the system.
In such configurations, the HP-UX HIDS agent needs to know which interface it must
“listen on” for commands from the HP-UX HIDS administration system. Therefore, the
HP-UX HIDS agent configuration file must contain the setting that specifies the network
address on which the HP-UX HIDS agent will listen.
To configure your HP-UX HIDS agent in a multihomed environment, complete the
following procedure:
Step 1. Determine if the agent system is multihomed. If you are not sure, use the nslookup
command to see what IP address corresponds to the host name of the system. If more
than one IP address is returned by nslookup, your system is multihomed. If only one IP
address is returned, your system is not multihomed.
No modifications are needed for a system that has only one IP address.
Step 2. Choose the one interface on which you want the HP-UX HIDS agent to communicate
with the administration system.
The choice of address will depend on your network topology. The address can either be an
IP address in dotted decimal notation (e.g., 1.2.3.4) or a host name that resolves to a
unique address on the system where the agent resides.
It is essential that a network route exists between the HP-UX HIDS administration
system and the HP-UX HIDS agent system. On the administration system, use the
/usr/bin/ping command (ping (1)) or the /usr/contrib/traceroute command to
verify that network traffic can flow between the systems. You may wish to choose the
address with the shortest transmission speed or the fewest hops (exposure).
NOTE Later, you will enter the IP address or host name you choose into a configuration screen
in the HP-UX HIDS System Manager. See Chapter 6, “Host Manager Screen,” on
page 85 for more details.
Step 3. On the multihomed agent host, become user ids:
$ su - ids
Step 4. Edit the configuration file; for example:
$ vi /etc/opt/ids/ids.cf
Step 5. Locate the IDS_LISTEN_IFACE parameter in the Globals section. (See Appendix D, “The
Agent Configuration File” on page 219“ for more details on the layout of the ids.cf file.)
Step 6. Remove the comment symbol (#) from the start of the line and place your interface
address chosen in step 2 above after the parameter name. For example, change