RE: best ids placement?
From: Brian Laing (brian.laing_at_blade-software.com)
Date: 06/30/03
- Previous message: Richard Bejtlich: "Anyone else using Argus for monitoring?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "'SB CH'" <chulmin2@hotmail.com>, <focus-ids@securityfocus.com>
Date: Mon, 30 Jun 2003 10:42:09 -0700
You can take a look at a document I wrote at http://www.snort.org/docs/ ; it
covers placing an IDS into a switched environment and covers a good portion
of the pros/cons. It's a little outdated, as I wrote it about 3 years ago or
more.
With what you are looking at, I would not recommend a hub in the position
you are talking about because of the collision issues; this is magnified
if the router-to-switch connection is full duplex. If your switch supports
it, you can span the port that goes to the router, but you may overload the
port. Plus, spanning packets is low priority in the switch, so if the
port is overloaded the switch may not span all packets. The only thing I
have seen that will guarantee, or at least get you as much as can be guaranteed,
is taps, with the legs from the taps being fed into a TopLayer or similar
type of switch. If the load is low enough, you can take the two legs from a
tap and send them to a hub. You will run into collision issues, but they will
impact the IDS, whereas the hub placement you have now will impact the
network.
I hope that makes sense; if not, drop me a private email.
Cheers,
Brian
-------------------------------------------------------------------
Brian Laing
CTO
Blade Software
Cellphone: +1 650.280.2389
Telephone: +1 650.367.9376
eFax: +1 650.249.3443
Blade Software - Because Real Attacks Hurt
http://www.Blade-Software.com
-------------------------------------------------------------------
-----Original Message-----
From: SB CH [mailto:chulmin2@hotmail.com]
Sent: Thursday, June 26, 2003 5:29 PM
To: focus-ids@securityfocus.com
Subject: best ids placement?
Hello, all.
I have read this document, whose subject is "Using Snort For a Distributed
Intrusion Detection System", at
http://www.sans.org/rr/paper.php?id=352
According to this document, the proper placement is described like this:
The first example of the remote sensor placement is if you have a
high-speed connection
to the Internet. You will want to monitor traffic coming from and going to
that connection. The
best way to achieve this would be to place a hub between the border router
and your firewall.
~~~~~~~~~ dummy hub
Placement between the router and the firewall or main switch, like this?
router
|
IDS ---------HUB
|
Switch
But another document says this:
"Due to the limitation of shared media, this cannot be used if the
connection between the switch and router is a full-duplex connection, as
collisions will degrade the throughput."
and "due to the limitation of shared media, it will increase the number of
collisions, impacting the flow of traffic between the router and switch."
What's the truth, how did you set up your IDS placement, and what is best:
using taps, or a span port, or a hub?
Thanks for your opinions.
----------------------------------------------------------------------------
-------------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the world's premier technical IT security event! 10 tracks, 15 training sessions, 1,800 delegates from 30 nations including all of the top experts, from CSO's to "underground" security specialists. See for yourself what the buzz is about! Early-bird registration ends July 3. This event will sell out. www.blackhat.com
-------------------------------------------------------------------------------
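The SPAN oversubscription point made in the reply above, shown as an added configuration example for this archive page (it is not from Brian's post, the Snort document or the SANS paper). It assumes a Cisco IOS access switch with 100 Mb/s ports; the interface names FastEthernet0/1 (uplink to the border router) and FastEthernet0/24 (the IDS sensor port) are hypothetical.

```cisco
! Added example, not part of the original thread. Local SPAN on a Cisco IOS
! switch: mirror the router uplink (FastEthernet0/1, hypothetical) to the
! port where the IDS listens (FastEthernet0/24, hypothetical).
!
! The case the thread warns about: the router link is full duplex, so
! "both" copies up to 100 Mb/s of received plus 100 Mb/s of transmitted
! traffic into one 100 Mb/s destination port. At peak the destination is
! 2:1 oversubscribed, and because mirrored frames are low priority the
! switch drops them rather than slowing the real router-to-switch traffic.
! The IDS then misses packets with no error on the production link.
monitor session 1 source interface FastEthernet0/1 both
monitor session 1 destination interface FastEthernet0/24
!
! Lower-risk variant when one direction is enough (for example only what
! arrives from the router): mirroring a single direction of a 100 Mb/s link
! can never exceed the 100 Mb/s destination port, so the switch does not
! have to drop mirrored frames under load.
no monitor session 1
monitor session 1 source interface FastEthernet0/1 rx
monitor session 1 destination interface FastEthernet0/24
!
! From exec mode: confirm what the switch actually configured, then watch
! the destination port's output drops together with the sensor's own
! capture-drop counters to see whether the span is keeping up.
show monitor session 1
show interfaces FastEthernet0/24
```

If both directions are needed on a busy full-duplex link, the configuration above cannot deliver them losslessly through a single same-speed destination port, which is the situation where the reply recommends a tap whose two legs go to a sensor with two capture interfaces (or to an aggregating switch) instead of a span port or a hub.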