RE: IDS on Switched Networks

From: Chris Eidem (jceidem@dexma.com)
Date: 12/05/01


Date: Wed, 5 Dec 2001 08:53:37 -0600
From: "Chris Eidem" <jceidem@dexma.com>
To: <stoeckp@research.panasonic.com>, <focus-ids@securityfocus.com>

Scott Sanchez has a great pdf diagram that may help you get started in
NIDS placement here:
http://infosec.gungadin.com/papers/scott_c_sanchez_cissp-ids-zone-theory-diagram.pdf

I can't grok your network setup, but basically the typical approach is
something like this:

                          |
                          |
                          |
                    +-----+------+
                    |   Router   |
                    |     to     |
                    |    ISP     |
                    +-----+------+
                          |
             +----------->|
             |            |
             |            |
             |      +-----+------+
             |      |            |
             |      |  firewall  |
             |      |            |
             |      +-----+------+
             |            |
             +----------->|
             |            |
             |            |
             |      +-----+------+
             |      |            |
      Place NID     |   switch   |
        sensors     |            |
           here     +-----+------+

This is so that you can see stuff coming in before the firewall
(un-NATted, readdressed or before being dropped) and one to see if
anything funny is going out. There are more places to put them, but
basically you can set up a SPAN port on a Cisco switch to which all the
traffic from a VLAN is mirrored and run your detector there.

So the long answer to your question about the hub and the firewall is
yes.

chris

> -----Original Message-----
> From: Paul W. Stoecker, Ph.D. [mailto:stoeckp@research.panasonic.com]
> Sent: Tuesday, December 04, 2001 7:56 PM
> To: focus-ids@securityfocus.com
> Subject: IDS on Switched Networks
>
>
> Folks,
>
> If you are on a switched network, do you have to place your NIDS sensor
> in a location that can capture everything? For instance, my firewall is
> connected into a router which contains all of my switches and acts as a
> switch itself.
>
> Do I have to put the sensor in the critical path? Does that mean that I
> have to put a sensor on the Firewall, use another machine that is a
> router, or do I need a hub for the sensor and firewall to share?
>
> Your help is greatly appreciated.
>
> Paul
>
> --
> Paul W. Stoecker, Ph.D
> Network and Information Systems Manager
> Checkpoint Certified Security Administrator
> Panasonic Technologies Company
> Two Research Way
> Princeton, NJ 08540
> Phone: (609) 734-7584
> FAX: (609) 987-8827
>
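As an added illustration of the SPAN-port approach Chris describes above (this is not configuration from either poster or from the Sanchez paper): a Cisco IOS fragment that mirrors the VLAN behind the firewall to one sensor port and the router-facing uplink to a second sensor port, matching the two sensor positions in the diagram. The interface names, VLAN number and session numbers are assumptions for the example.

```cisco
! Added example, not from the thread. Interface names, VLAN 10 and the
! session numbers are assumptions; adapt them to the real switch.
!
! Session 1: "inside" sensor. Mirror all traffic on the VLAN behind the
! firewall, in both directions, to the port the NIDS sniffs on.
monitor session 1 source vlan 10 both
monitor session 1 destination interface GigabitEthernet0/23
!
! Session 2: "outside" sensor. Only applies if the router-to-firewall
! link also passes through this switch: mirror that physical uplink so
! the sensor sees traffic before NAT and before the firewall drops it.
monitor session 2 source interface GigabitEthernet0/1 both
monitor session 2 destination interface GigabitEthernet0/24
!
! Confirm both sessions are active and the destination ports are the
! ones the sensors are cabled to:
! show monitor session all
```

Two practical points when using this. A SPAN destination port only sends mirrored frames toward the sensor; by default it does not forward the sensor's own traffic into the VLAN, so the sensor needs a separate interface for management. Mirroring both directions of a busy link into a single port of the same speed can exceed the destination port's bandwidth, in which case the switch silently drops mirrored frames and the sensor misses traffic; if the router-that-acts-as-a-switch in Paul's question has no port-mirroring feature at all, the hub (or a tap) on the firewall link that he mentions is the alternative.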
