Re: "Another" Newbie IDS Question

From: Burak DAYIOGLU (dayioglu@metu.edu.tr)
Date: 10/05/01


Message-ID: <3BBD733B.EE627918@metu.edu.tr>
Date: Fri, 05 Oct 2001 11:45:47 +0300
From: Burak DAYIOGLU <dayioglu@metu.edu.tr>
To: focus-ids@securityfocus.com
Subject: Re: "Another" Newbie IDS Question

Dave Vehrs wrote:
> OK, I see three problems with this model.
> ...

I want to add another problem. If some box (no matter what it does)
resides on the traffic path, forwarding packets and doing something
with them, there is the potential that it becomes a candidate for failure.

Either unintentional events (CPU fan failure, disk crash etc.) or
intentional ones (DoS attacks etc.) might put the box into a "down"
state in which the network would be completely disconnected.

I agree with all of Dave's comments on the other problems.

>  -----------   (1)   --------------
> | Cheap Hub |--------| Snort Sensor |
>  -----------          --------------
>       |                     |
>  ----------                 | (2)
> | Firewall |                |
>  ----------                 |
>       |                     |
>  --------------     -------------------
> | Cisco Switch |-- | Snort + DB + ACID |
>  --------------     -------------------

One important comment on this suggestion might be not to connect the
management console to the corporate network as well. I'd prefer all
sensors to be connected to the management console (SnortSnarf, DeMarc
or whatever it is) via separate cabling, or else there is the
probability that the attackers tweak the management console and make
you blind. ;-)

regards.

-- 
Burak DAYIOGLU
Phone: +90 312 2103379   Fax: +90 312 2103333
       http://www.dayioglu.net