RE: best ids placement?

From: Brian Laing (brian.laing_at_blade-software.com)
Date: 06/30/03

    To: "'SB CH'" <chulmin2@hotmail.com>, <focus-ids@securityfocus.com>
    Date: Mon, 30 Jun 2003 10:42:09 -0700
    
    

    You can take a look at a document I wrote at http://www.snort.org/docs/; it
    covers placing an IDS into a switched environment and covers a good portion
    of the pros/cons. It's a little outdated, as I wrote it about 3 years ago or
    more.

    With what you are looking at, I would not recommend a hub in the position
    you are talking about because of the collision issues; this is magnified
    if the router-to-switch connection is full duplex. If your switch supports
    it, you can span the port that goes to the router, but you may overload the
    port; plus, spanning packets is low priority in the switch, so even if the
    port is overloaded the switch may not span all packets. The only thing I
    have seen that will guarantee, or at least get you as much as can be guaranteed,
    is taps, with the legs from the taps being fed into a TopLayer or similar
    type of switch. If the load is low enough you can take the two legs from a
    tap and send them to a hub. You will run into collision issues, but it will
    impact the IDS, whereas the hub placement you have now will impact the
    network.

    I hope that makes sense if not drop me a private email.

    Cheers,
    Brian

    -------------------------------------------------------------------
    Brian Laing
    CTO
    Blade Software
    Cellphone: +1 650.280.2389
    Telephone: +1 650.367.9376
    eFax: +1 650.249.3443
    Blade Software - Because Real Attacks Hurt
    http://www.Blade-Software.com
    -------------------------------------------------------------------
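The capacity argument behind the reply (a SPAN port must carry both directions of a full-duplex link on one monitor port; a hub is one shared half-duplex medium; a tap gives one leg per direction) as a small model. This is an added example, not code from the original post or from Blade Software; the link rate and traffic figures are constructed sample values, and the three utilisation functions are assumptions of this example.

```python
# Added example: capacity model for the IDS placement options in the thread.
# Assumes a 100 Mbps full-duplex router-to-switch link; all rates are constructed.

def span_port_utilisation(rx_mbps, tx_mbps, monitor_mbps):
    # A SPAN/mirror port copies BOTH directions of a full-duplex link onto a
    # single monitor port, so that port must carry rx + tx. Above 1.0 the
    # switch drops mirrored frames (mirroring is best-effort, low priority).
    return (rx_mbps + tx_mbps) / monitor_mbps

def tap_to_switch_utilisation(rx_mbps, tx_mbps, port_mbps):
    # A passive tap yields one leg per direction; on an aggregation switch
    # each leg lands on its own ingress port, so the busier leg sets the load.
    return max(rx_mbps, tx_mbps) / port_mbps

def shared_hub_utilisation(rx_mbps, tx_mbps, hub_mbps):
    # A hub is one half-duplex collision domain: both directions share it.
    # Used for both "tap legs into a hub" and "hub inline between router and
    # switch"; the difference is only who suffers the collisions.
    return (rx_mbps + tx_mbps) / hub_mbps

def assess_placements(rx_mbps, tx_mbps, link_mbps=100.0):
    """Compare the thread's options for one traffic level.
    Returns {option: (utilisation, monitor_path_drops, production_impacted)}."""
    span = span_port_utilisation(rx_mbps, tx_mbps, link_mbps)
    tap_sw = tap_to_switch_utilisation(rx_mbps, tx_mbps, link_mbps)
    hub = shared_hub_utilisation(rx_mbps, tx_mbps, link_mbps)
    return {
        # production link untouched; monitoring loses frames once the mirror saturates
        "span_port": (span, span > 1.0, False),
        # tap legs into an aggregation switch: neither side is impacted
        "tap_to_switch": (tap_sw, tap_sw > 1.0, False),
        # tap legs into a hub: collisions only on the monitoring path
        "tap_to_hub": (hub, hub > 1.0, False),
        # inline hub forces half duplex: collisions hit the real router<->switch traffic
        "inline_hub": (hub, hub > 1.0, True),
    }

if __name__ == "__main__":
    for rx, tx in ((30.0, 30.0), (60.0, 60.0)):
        print(f"rx={rx} Mbps, tx={tx} Mbps")
        for name, (u, drops, prod) in assess_placements(rx, tx).items():
            print(f"  {name:14s} util={u:.2f} monitor_drops={drops} production_impact={prod}")
```

At 30 Mbps each way every option keeps up (the "load is low enough" case for tap legs into a hub); at 60 Mbps each way only the tap into an aggregation switch still sees the whole conversation without loss.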

    -----Original Message-----
    From: SB CH [mailto:chulmin2@hotmail.com]
    Sent: Thursday, June 26, 2003 5:29 PM
    To: focus-ids@securityfocus.com
    Subject: best ids placement?

    Hello, all.

    I have read this document, titled "Using Snort For a Distributed
    Intrusion Detection System", at
    http://www.sans.org/rr/paper.php?id=352

    According to this document, the proper placement is described like this:

    The first example of the remote sensor placement is if you have a
    high-speed connection to the Internet. You will want to monitor traffic
    coming from and going to that connection. The best way to achieve this
    would be to place a hub between the border router and your firewall.
                           ~~~~~~~~~ dummy hub

    Placement between router and firewall or main switch like this?

                      router
                         |
    IDS ---------HUB
                         |
                      Switch

    But another document says this: due to the limitation of shared media,
    this cannot be used if the connection between the switch and router is a
    full-duplex connection, as collisions will degrade the throughput. And due
    to the limitation of shared media, it will increase the number of
    collisions, impacting the flow of traffic between the router and switch.

    What's the truth, how did you set up your IDS placement, and what is best:
    using taps, a span port, or a hub?

    Thanks for your opinions.


    ----------------------------------------------------------------------------
    Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
    world's premier technical IT security event! 10 tracks, 15 training sessions,
    1,800 delegates from 30 nations including all of the top experts, from CSO's to
    "underground" security specialists. See for yourself what the buzz is about!
    Early-bird registration ends July 3. This event will sell out. www.blackhat.com
    ----------------------------------------------------------------------------