Re: IDS using Taps & network bridging

From: nate (
Date: 11/18/02

    Date: Sun, 17 Nov 2002 23:39:50 -0800 (PST)
    From: "nate" <>
    To: <>

    > Hi,

    > 1. Hub - full duplex issues - scrapped that idea!
    > 2. Bridged network cards - sniffing the bridged interface has been
    > problematic. It works but there seems to be an ARP DoS - any ideas on
    > this would be great!

    haven't tried it under linux, but works good under freebsd. ARP DOS
    I think shouldn't be an issue as long as the bridges are separate.
    probably best to have 1 machine per bridge rather than multiple
    bridges on 1 machine (so it has separate arp tables). I have encountered
    arp problems with misconfigured multihomed machines sending packets
    out the wrong interfaces and with external networks incorrectly sharing
    a hub causing major problems. Of course bridge has the additional
    advantage of being transparent, it's wonderful being able to
    disconnect the bridge (e.g. kernel upgrade which requires downtime)
    and have only a few seconds downtime (enough to switch cables) without
    any network reconfiguration. Of course my networks are small enough
    and haven't really been attacked.

    > 3. Multi port NIC that has software to aggregate. The only solution I've
    > found for this only has drivers for Windows.

    If you got the cash, a Znyx card will do the job. they have fully
    open source drivers for linux, binary drivers for freebsd (and many
    many other OSs), they have RainLINK, a custom software package to
    provide several things including aggregate I believe (though I have
    not used it myself). I have used their 4 port cards under FreeBSD,
    the 4 port cards run about $750. At least under freebsd, the Znyx
    cards (4 port at least) do not work with the default drivers (DEC),
    the system detects the card but a link with the switch didn't happen
    until I loaded the Znyx drivers. With 4 port cards and a good
    motherboard you could probably get 20 interfaces in 1 machine if
    you really wanted to.

    another option is those dedicated port mirroring switch-like things
    (forgot their names), and no I don't mean a switch which has a port
    mirroring feature :)

    > I'm open to any suggestions but I'm really interested in the network
    > bridging. What I've done so far is:
    > -Install 3 NICs in my box
    > -Bridged eth1 & eth2 to br0
    > -started up the bridge
    > -sniffed br0

    perhaps try freebsd? I love linux and use it nearly everywhere, but
    I've read that freebsd is really good at networking so I tested and
    deployed it in bridged mode about a year ago, and it works great,
    at the same time I can run ipfw for a firewall, traffic accounting,
    and traffic shaping at the same time. You're the first person I've
    read about that has tried linux's bridging feature. the only downside
    is I have read about bugs in the bridging code in freebsd in the
    past which caused kernel panics or something (or other serious
    problems, not sure how long ago it was), so I suppose it's possible
    to crash the system which has the bridge, though I've never had this
    happen even in environments where arp was going crazy, and environments
    where my cisco 2500 routers were crippled by thousands of tiny UDP
    packets, the bridge never flinched (monitoring 2 T1 lines).

    my home network is a freebsd box with 4 NICs, 2 bridged, 1 management
    and 1 not being used. runs ipfw on fxp0 (connected to dsl modem which
    is bridged as well), and snort on fxp1 (connected to my switch), so
    that snort doesn't detect stuff that's dropped at the firewall.

    despite freebsd being a great firewall/bridge I'm not about to
    replace any of my debian machines with it anywhere else :)

    if you would like more detailed info on my setup drop me a line.

    good luck.

