RE: IDS on VPN-GW

From: counter.spy@gmx.de
Date: 12/04/02

Date: Wed, 4 Dec 2002 15:21:31 +0100 (MET)
From: counter.spy@gmx.de
To: focus-ids@securityfocus.com

>How well did Snort keep up, however?

Well, this was a very basic experiment, sort of a proof-of-concept test, in order to see if sniffing on the virtual vpn-interface is possible.

An example: there are side-effects with the vpn-driver if you install a winpcap driver on an NT-based vpn-gateway that cause malfunction of the gw.

These problems do not occur on linux systems. In my tests I simply sent a packet from the client through the tunnel to another vpn-machine behind the gw (gw-gw-coupling). The packet was crafted in such a way that it should trigger an alert. Snort properly detected all of my fake attacks that went through the tunnel.

I did not perform any benchmarks (regarding packet dropping statistics and impact on encryption performance). My IDS tests are none of my current official tasks, but I do them nevertheless, because attack detection in IPSec environments will become a task in the future. For that reason I posted this question to the list.

I really think that the idea of another poster is much better than sniffing directly on the gateway: bridging or mirroring (how do you call it on a server?) all plaintext IP traffic to a dedicated machine via a dedicated interface in a trusted segment.

BTW: Do any drivers exist on NT or W2K for mirroring or bridging data to another NIC? This approach scales much better when using several load-balanced vpn-gws. E.g. traffic can be merged on a top layer and flows can then be distributed to several IDSs.

Another advantage would be that the vpn-gw is not loaded with the attack detection itself, for the sake of performance.

If you learn anything new in that field or if you perform further tests on your own, I would be very grateful if you'd let me know the results.

Thanks and kind regards,

Detmar

-----original message-----

>How well did Snort keep up, however? I can't believe it wasn't missing
>packets at that point...
>
>>-----Original Message-----
>>From: Keith T. Morgan [mailto:keith.morgan@terradon.com]
>>Sent: Monday, December 02, 2002 10:05 AM
>>To: counter.spy@gmx.de
>>Cc: focus-ids@securityfocus.com
>>Subject: RE: IDS on VPN-GW
>>
>>
>>We've deployed this scenario on Linux + Free S/Wan running snort on all
>>physical interfaces and all ipsecX interfaces for folks. The fastest
>>wire-speed we've had on one of these deployments is T1, and a PIII450
>>has handled VPN traffic at wirespeed even with the added load of snort.
>>Sorry I don't have any higher-bandwidth benchmarks for you.
>>
>>
>>-----Original Message-----
>>From: counter.spy@gmx.de [mailto:counter.spy@gmx.de]
>>Sent: Friday, November 29, 2002 4:20 AM
>>To: focus-ids@securityfocus.com
>>Subject: IDS on VPN-GW
>>
>>
>>>Hi folks,
>>>I have recently tested snort on a vpn-gateway that runs on linux (just
>>>for testing purposes, no productive server).
>>>
...

-- 
+++ GMX - Mail, Messaging & more  http://www.gmx.net +++
NEW: Get online with GMX. Surf around the clock for 1 ct/min!
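The mirroring approach Detmar prefers above (copy the plaintext side of the VPN gateway onto a dedicated interface cabled to a separate IDS box) is easy to script on Linux with the kernel's traffic-control "mirred" action. The script below is an added example written for this archive page; it is not code from the thread, from FreeS/WAN or from Snort. It assumes a current Linux kernel with the `matchall` classifier and `act_mirred` (both newer than the 2002 thread), and the interface names `ipsec0` (where decrypted traffic is visible: a KLIPS virtual interface, or simply the inside LAN NIC) and `eth2` (a spare NIC that carries nothing but the mirrored frames) are placeholders. With `DRY_RUN=1`, the default, it only prints the `tc` commands so it can be inspected without touching a live gateway.

```shell
#!/bin/sh
# Added example, not from the original post or from FreeS/WAN or Snort.
# Mirrors the plaintext side of a Linux VPN gateway to a dedicated NIC that
# is cabled to a separate IDS host, using the kernel's tc "mirred" action.
# Assumptions: decrypted traffic is visible on SRC (e.g. a KLIPS ipsec0 or
# the inside LAN NIC) and DST is a spare NIC carrying only mirrored frames.
# DRY_RUN=1 (the default) prints the commands instead of running them.

DRY_RUN="${DRY_RUN:-1}"

# run CMD...: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# valid_ifname NAME: reject empty names, slashes, whitespace and anything
# longer than the 15 characters the kernel allows (IFNAMSIZ - 1).
valid_ifname() {
    case "$1" in
        ''|*/*|*[[:space:]]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# mirror_to_ids SRC DST: copy every frame seen on SRC, in both directions,
# onto DST. Ingress uses the special ingress qdisc (handle ffff:); egress
# needs a classful root qdisc (prio here) so a filter can hang off it.
mirror_to_ids() {
    src="$1"; dst="$2"
    if ! valid_ifname "$src" || ! valid_ifname "$dst"; then
        echo "mirror_to_ids: bad interface name" >&2
        return 1
    fi
    run tc qdisc add dev "$src" handle ffff: ingress
    run tc filter add dev "$src" parent ffff: matchall \
        action mirred egress mirror dev "$dst"
    run tc qdisc add dev "$src" handle 1: root prio
    run tc filter add dev "$src" parent 1: matchall \
        action mirred egress mirror dev "$dst"
}

# unmirror SRC: remove both qdiscs again (their filters go with them).
unmirror() {
    valid_ifname "$1" || return 1
    run tc qdisc del dev "$1" handle ffff: ingress
    run tc qdisc del dev "$1" root
}

# Stand-alone usage: SRC=ipsec0 DST=eth2 sh mirror_to_ids.sh
if [ -n "${SRC:-}" ]; then
    mirror_to_ids "$SRC" "${DST:-eth2}"
fi
```

On the IDS host the receiving NIC gets no IP address and is put into promiscuous mode, and Snort listens on it as it would on a SPAN port. Because the mirror carries the decrypted payload, the cable and the IDS NIC have to sit in the trusted segment Detmar mentions; the gain is exactly the one he describes, the gateway only pays for the copy, and the signature matching runs elsewhere and can be split across several IDSs.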
    

