RE: IDS on VPN-GW

From: counter.spy@gmx.de
Date: 12/04/02

    Date: Wed, 4 Dec 2002 15:21:31 +0100 (MET)
    From: counter.spy@gmx.de
    To: focus-ids@securityfocus.com

    >How well did Snort keep up, however?

    Well, this was a very basic experiment – sort of a proof-of-concept test –
    in order to see if sniffing on the virtual vpn-interface is possible.

    An example: there are side-effects with the vpn-driver if you install a
    winpcap driver on an NT-based vpn-gateway that cause malfunction of the gw.

    These problems do not occur on linux systems.
    In my tests I simply sent a packet from the client thru the tunnel to
    another vpn-machine behind the gw (gw-gw-coupling).
    The packet was crafted in such a way that it should trigger an alert.
    Snort properly detected all of my fake attacks that went thru the tunnel.

    I did not perform any benchmarks (regarding packet-dropping statistics and
    impact on encryption performance).
    My IDS tests are none of my current official tasks, but I do them
    nevertheless, because attack detection in IPSec environments will become a
    task in the future. For that reason I posted this question to the list.

    I really think that the idea of another poster is much better than sniffing
    directly on the gateway: bridging or mirroring (how do you call it on a
    server?) all plaintext ip-traffic to a dedicated machine via a dedicated
    interface in a trusted segment.

    BTW: Do any drivers exist on NT or W2K for mirroring or bridging data to
    another NIC?
    This approach scales much better when using several load-balanced vpn-gw's.
    E.g. traffic can be merged on a top layer and flows can then be distributed
    to several IDSs.

    Another advantage would be that the vpn-gw is not loaded with the
    attack detection itself, for the sake of performance.

    If you learn anything new in that field or if you perform further tests on
    your own I would be very grateful if you'd let me know the results.

    Thanks and kind regards,

    Detmar

     -----original message-----

    >How well did Snort keep up, however? I can't believe it wasn't missing
    >packets at that point...
    >
    >>-----Original Message-----
    >>From: Keith T. Morgan [mailto:keith.morgan@terradon.com]
    >>Sent: Monday, December 02, 2002 10:05 AM
    >>To: counter.spy@gmx.de
    >>Cc: focus-ids@securityfocus.com
    >>Subject: RE: IDS on VPN-GW
    >>
    >>
    >>We've deployed this scenario on Linux + Free S/Wan running snort on all
    >>physical interfaces and all ipsecX interfaces for folks. The fastest
    >>wire-speed we've had on one of these deployments is T1, and a PIII450
    >>has handled VPN traffic at wirespeed even with the added load of snort.
    >>Sorry I don't have any higher-bandwidth benchmarks for you.
    >>
    >>
    >>-----Original Message-----
    >>From: counter.spy@gmx.de [mailto:counter.spy@gmx.de]
    >>Sent: Friday, November 29, 2002 4:20 AM
    >>To: focus-ids@securityfocus.com
    >>Subject: IDS on VPN-GW
    >>
    >>
    >>>Hi folks,
    >>>I have recently tested snort on a vpn-gateway that runs on linux (just
    >>>for testing purposes, no productive server).
    >>>
    ...

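The thread's point is that a signature IDS on the gateway only sees plaintext if it sniffs the virtual (post-decryption) interface, not the physical NIC where the traffic is still ESP. The following Python script is an added illustration and is not code from the thread or from Snort or FreeS/WAN: it builds a constructed TCP packet containing a harmless marker string, wraps it in a minimal ESP packet with a toy XOR "cipher" (a stand-in, not real cryptography), and runs a tiny content matcher over both views. The interface names `eth0`/`ipsec0` and the rule SID are assumptions for the demonstration.

```python
"""Why an IDS on an IPsec gateway must inspect the decrypted (virtual)
interface: a content rule cannot fire on ESP ciphertext seen on the NIC.

Added example, not from the original mailing-list thread. Packets, the
rule and the interface names are constructed for demonstration only.
"""
import struct

IPPROTO_TCP = 6
IPPROTO_ESP = 50

# Constructed, deliberately harmless rule, in the spirit of a Snort
# content rule: alert when this marker shows up in any TCP payload.
RULES = [
    {"sid": 1000001, "msg": "constructed test marker", "content": b"IDS-TEST-MARKER"},
]


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (IHL 5, no options, checksum left zero)."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split("."))))
    return hdr + payload


def build_tcp(sport, dport, payload):
    """Minimal TCP header: data offset 5, PSH|ACK, checksum left zero."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return hdr + payload


def build_esp(spi, seq, ciphertext):
    """ESP header (RFC 4303): SPI and sequence number, then opaque data."""
    return struct.pack("!II", spi, seq) + ciphertext


def toy_encrypt(plaintext, key):
    """Stand-in for the tunnel cipher: XOR keystream. NOT real cryptography."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(plaintext))


def inspect(packet):
    """Return the SIDs that fire for one raw IPv4 packet as an IDS would see it."""
    if len(packet) < 20:
        return []
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    if proto == IPPROTO_ESP:
        # Only SPI/seq are in the clear; the inner packet is ciphertext,
        # so no content rule can match here. This is the physical-NIC view.
        return []
    if proto != IPPROTO_TCP:
        return []
    tcp = packet[ihl:]
    if len(tcp) < 20:
        return []
    data_off = (tcp[12] >> 4) * 4
    payload = tcp[data_off:]
    return [r["sid"] for r in RULES if r["content"] in payload]


def simulate_gateway_views():
    """What the IDS sees on the physical NIC vs. the virtual IPsec interface."""
    inner = build_ipv4("10.1.1.5", "10.2.2.7", IPPROTO_TCP,
                       build_tcp(40000, 80, b"GET /IDS-TEST-MARKER HTTP/1.0\r\n\r\n"))
    key = b"constructed-demo-key"  # constructed, demonstration only
    outer = build_ipv4("192.0.2.1", "198.51.100.1", IPPROTO_ESP,
                       build_esp(0x1234, 1, toy_encrypt(inner, key)))
    return {
        "eth0": inspect(outer),    # ESP on the wire: nothing to match
        "ipsec0": inspect(inner),  # decrypted view on the virtual interface
    }


if __name__ == "__main__":
    for iface, hits in simulate_gateway_views().items():
        print(f"{iface}: {hits or 'no alerts'}")
```

Running it prints no alerts for `eth0` and the rule SID for `ipsec0`, which is the reason both the original poster and the FreeS/WAN deployment in the quoted reply attach the IDS to the `ipsecX` interfaces (or mirror the decrypted traffic to a dedicated sensor) rather than to the physical NIC alone.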