best ids placement?

From: SB CH (chulmin2_at_hotmail.com)
Date: 06/27/03

    To: focus-ids@securityfocus.com
    Date: Fri, 27 Jun 2003 00:29:29 +0000
    
    

    Hello, all.

    I have read the document titled "Using Snort For a Distributed
    Intrusion Detection System" at
    http://www.sans.org/rr/paper.php?id=352

    According to this document, the proper placement is as follows:

    The first example of the remote sensor placement is if you have a
    high-speed connection to the Internet. You will want to monitor traffic
    coming from and going to that connection. The best way to achieve this
    would be to place a hub between the border router and your firewall.
                                                     ~~~~~~~~~
    Dummy hub placement between router and firewall or main switch, like this?

                   router
                      |
    IDS ---------HUB
                      |
                   Switch
    But another document says this:
    Due to the limitation of shared media, this cannot be used if the
    connection between the switch and router is a full-duplex connection, as
    collisions will degrade the throughput.
    And due to the limitation of shared media, it will increase the number of
    collisions, impacting the flow of traffic between the router and switch.

    What is true, how did you set up your IDS placement, and what is best?
    Using taps? Or a span port? Or a hub?

     
    Thanks for your opinions.
