RE: Newbie IDS questions

From: Lee Brotherston (lee.brotherston@uk.easynet.net)
Date: 01/10/02


From: Lee Brotherston <lee.brotherston@uk.easynet.net>
To: 'Mike Hrubes' <MHrubes@wizmo.com>, FOCUS-IDS@SECURITYFOCUS.COM
Date: Thu, 10 Jan 2002 14:18:01 -0000


| I'm new to the IDS world. I understand what an IDS does, and why you
| need it, but I have some questions on the technical aspect of IDS. We
| are planning on implementing an IDS in the near future. The idea that
| has been proposed is to put the IDS in the path between connections,
| rather than connected in promiscuous mode. The reason they want to do
| this is so they can also run a blocking software, like portsentry, to
| block unwanted scans, etc.

You can do this, and you can do it transparently too :) I'm not 100% sure
how in Linux, but using something like OpenBSD you can happily install it to
work in bridging mode with some firewalling options, etc. And run Snort or
something like that on the top.

A couple of points you might want to bear in mind though. It might be worth
thinking about how many interfaces this is going to have and how much
traffic goes between them all. If it is doing the job of a switch or router
then remember that it is likely to be slower than dedicated
switching/routing hardware if you have high bandwidth usage.

And if it ever crashes or has network problems then you will lose
connectivity between the points that it bridges or routes. Whereas if your
IDS sits on the mirror-port of a switch you can reboot it to your heart's
content and it doesn't affect your network, you do of course lose the
ability to run firewalling, bandwidth limiting, etc on the same machine.

  Lee

-- 
Lee Brotherston  -  IP Security Manager, Easynet Ltd
http://www.easynet.net/         Phone: +44 20 7900 4444
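The transparent bridge Lee describes, written out as an added example of the configuration files involved (not from the original post, and not Easynet's setup). It assumes current OpenBSD hostname.if(5) and pf.conf(5) syntax rather than the 2002-era tools, assumes interface names em0 (outside), em1 (inside) and em2 (management), and uses a constructed documentation address range.

```conf
# /etc/hostname.em0 and /etc/hostname.em1 (one file each):
# bridge members carry no IP address, so the box is invisible on the wire
up

# /etc/hostname.bridge0: join outside (em0) and inside (em1) into a bridge.
# Caveat from the thread: every packet between the two segments now
# depends on this host being up, unlike a mirror-port sensor.
add em0
add em1
up

# /etc/hostname.em2: out-of-band management interface (constructed address)
inet 192.0.2.10 255.255.255.0

# /etc/pf.conf: on an OpenBSD bridge, pf filters on the member interfaces,
# not on bridge0. Default-deny, stateful; default state-policy is floating,
# so state created on em0 also matches the same flow leaving on em1.
inside_net = "198.51.100.0/24"   # constructed example network
set skip on lo0
block log all
# management traffic only on em2
pass in on em2 proto tcp from $inside_net to em2 port 22
# hosts behind the bridge may initiate anything outward
pass in on em1 from $inside_net to any
# only these services are reachable from outside
pass in on em0 proto tcp from any to $inside_net port { 25 80 443 } \
    flags S/SA

# /etc/rc.local: run the IDS on the outside member so it sees traffic
# before pf drops it; pf's own drops are visible on pflog0.
#   snort -D -i em0 -c /etc/snort/snort.conf
#   tcpdump -n -e -ttt -i pflog0
```

Blocked packets logged by pf (`block log`) appear on pflog0, so a detection gap between what Snort alerts on and what pf silently drops can be checked from one machine.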