RE: IDS on VPN-GW
From: counter.spy@gmx.de
Date: 12/04/02
- Previous message: ids-lists@hushmail.com: "Reports from Cisco IDS"
- Maybe in reply to: Keith T. Morgan: "RE: IDS on VPN-GW"
- Next in thread: Mike Lyman: "RE: IDS on VPN-GW"
- Reply: Mike Lyman: "RE: IDS on VPN-GW"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 4 Dec 2002 15:21:31 +0100 (MET) From: counter.spy@gmx.de To: focus-ids@securityfocus.com
>How well did Snort keep up, however?

Well, this was a very basic experiment, sort of a proof-of-concept test, in order to see if sniffing on the virtual vpn-interface is possible.

An example: there are side-effects with the vpn-driver if you install a winpcap driver on an NT-based vpn-gateway that cause malfunction of the gw. These problems do not occur on linux systems.

In my tests I simply sent a packet from the client thru the tunnel to another vpn-machine behind the gw (gw-gw-coupling). The packet was crafted in such a way that it should trigger an alert. Snort properly detected all of my fake attacks that went thru the tunnel.

I did not perform any benchmarks (regarding packet dropping statistics and impact on encryption-performance).

My IDS-tests are none of my current official tasks but I do them nevertheless, because attack-detection in IPSec environments will become a task in the future. For that reason I posted this question to the list.

I really think that the idea of another poster is much better than sniffing directly on the gateway: bridging or mirroring (how do you call it on a server?) all plaintext ip-traffic to a dedicated machine via a dedicated interface in a trusted segment.

BTW: Do any drivers exist on NT or W2K for mirroring or bridging data to another NIC?

This approach scales much better when using several load-balanced vpn-gw's. E.g. traffic can be merged on a top layer and flows can then be distributed to several IDSs.

Another advantage would be that the vpn-gw is not loaded with the attack-detection itself, for the sake of performance.

If you learn anything new in that field or if you perform further tests on your own I would be very grateful if you'd let me know the results.

Thanks and kind regards,
Detmar
-----original message-----
>How well did Snort keep up, however? I can't believe it wasn't missing
>packets at that point...
>
>>-----Original Message-----
>>From: Keith T. Morgan [mailto:keith.morgan@terradon.com]
>>Sent: Monday, December 02, 2002 10:05 AM
>>To: counter.spy@gmx.de
>>Cc: focus-ids@securityfocus.com
>>Subject: RE: IDS on VPN-GW
>>
>>
>>We've deployed this scenario on Linux + Free S/Wan running snort on all
>>physical interfaces and all ipsecX interfaces for folks. The fastest
>>wire-speed we've had on one of these deployments is T1, and a PIII450
>>has handled VPN traffic at wirespeed even with the added load of snort.
>>Sorry I don't have any higher-bandwidth benchmarks for you.
>>
>>
>>-----Original Message-----
>>From: counter.spy@gmx.de [mailto:counter.spy@gmx.de]
>>Sent: Friday, November 29, 2002 4:20 AM
>>To: focus-ids@securityfocus.com
>>Subject: IDS on VPN-GW
>>
>>
>>>Hi folks,
>>>I have recently tested snort on a vpn-gateway that runs on linux (just
>>>for testing purposes, no productive server).
>>>
...
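The plaintext-mirroring design discussed above (copying the decrypted traffic to a dedicated IDS machine over a dedicated interface instead of running Snort on the gateway) can be built on a Linux gateway with the `mirred` action of `tc`. The script below is an added example, not code from this thread or from any poster; it assumes the decrypted-side virtual interface is called `ipsec0` (the FreeS/WAN KLIPS naming the thread uses) and that the sensor's NIC is reachable from the gateway's `eth2`, both of which are placeholder names. It only prints the plan unless `APPLY=1` is set, so it can be reviewed before touching a live gateway.

```shell
#!/bin/sh
# Added example (not from the original thread): mirror both directions of the
# plaintext traffic seen on a Linux VPN gateway's decrypted-side interface to a
# dedicated IDS NIC, using iproute2's tc mirred action.
#
# Assumed names (placeholders, not from the post):
#   SRC_IF    - the virtual interface that carries decrypted packets (ipsec0 under KLIPS)
#   MIRROR_IF - the interface wired to the IDS sensor in the trusted segment (eth2)
# Mirroring must attach to the virtual interface: the physical NIC only carries ESP.
#
# Dry-run by default; APPLY=1 executes the commands (requires root and iproute2).

SRC_IF="${SRC_IF:-ipsec0}"
MIRROR_IF="${MIRROR_IF:-eth2}"

# run_or_print: execute the command when APPLY=1, otherwise print it as the plan.
run_or_print() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# mirror_commands SRC DST: the four tc steps that copy ingress and egress of SRC to DST.
# Ingress needs the special ingress qdisc (handle ffff:); egress needs a root qdisc
# (a prio qdisc here) so a filter can be attached. "match u8 0 0" matches every packet.
mirror_commands() {
    src="$1"; dst="$2"
    run_or_print tc qdisc add dev "$src" ingress
    run_or_print tc filter add dev "$src" parent ffff: protocol all u32 match u8 0 0 \
        action mirred egress mirror dev "$dst"
    run_or_print tc qdisc add dev "$src" handle 1: root prio
    run_or_print tc filter add dev "$src" parent 1: protocol all u32 match u8 0 0 \
        action mirred egress mirror dev "$dst"
}

# unmirror_commands SRC: remove both qdiscs, which also drops their filters.
unmirror_commands() {
    src="$1"
    run_or_print tc qdisc del dev "$src" ingress
    run_or_print tc qdisc del dev "$src" root
}

# count_mirror_rules SRC DST: sanity check on the generated plan, returns the number
# of mirred actions (one per direction, so 2 is expected).
count_mirror_rules() {
    ( APPLY=0; mirror_commands "$1" "$2" ) | grep -c 'mirred egress mirror'
}

# sensor_command IFACE: what the dedicated IDS box would run on the receiving NIC.
# Snort puts the interface into promiscuous mode itself; config path is a placeholder.
sensor_command() {
    printf 'snort -i %s -c /etc/snort/snort.conf -l /var/log/snort\n' "$1"
}

mirror_commands "$SRC_IF" "$MIRROR_IF"
```

The script mirrors rather than redirects (`mirror`, not `redirect`), so forwarding on the gateway is unaffected and a sensor outage cannot black-hole VPN traffic; the cost is that every decrypted packet is copied once more onto the mirror NIC, which is the bandwidth the trusted segment has to carry. With several load-balanced gateways each one mirrors into the same segment and the sensors can be fed from there.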
- Next message: Gianni Tedesco: "Re: [ANN]: Firestorm 0.5.1 released"