Re: Bridge IDS
From: David W. Goodrum (dgoodrum_at_nfr.com)
Date: 08/05/04
- Previous message: DeGennaro, Gregory: "RE: Bridge IDS"
- In reply to: Lee Sheng: "Bridge IDS"
- Next in thread: Olli Jarva: "Re: Bridge IDS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 05 Aug 2004 11:35:56 -0400
To: Lee Sheng <momosisco@hotmail.com>
Most IPS devices can be implemented in passive mode. The important
thing here is that you probably need network availability, which is the
beauty of using a network tap with an IDS. The good news is that many
IPS devices come with sever closed (just like a network tap) or sever
open interfaces, depending on your preference. You want sever closed,
so that if the IPS goes down, your network will still be functional.
Then, if you simply don't implement the blocking portion, and just leave
it in detection mode, you've essentially got a bridging, highly
available IDS. If you were to just use plain old NICs like you are
suggesting, then you would risk the possibility of taking down your
network if the Sensor should fail.
Of course, if you can't afford the cost of a $500 tap along with your
free snort box, you probably can't afford the types of products that
would include this bridging, sever closed technology either. I know
that NFR's proprietary NICs that perform this high availability
function cost more than a $500 tap. But... sometimes you get what you
pay for. :) You might be better off watching eBay for a network tap
for your IDS if price is the issue. Or, try using a $50 hub from
Best Buy as your bridge, then just have your Snort IDS box sniff that.
good luck,
dave
Lee Sheng wrote:
> All,
>
> Perhaps this is a silly question, however I want to know: if a bridge
> firewall can be done, how about building a bridge IDS? I know there is
> snort-inline (consider it an IPS) that we can use, but what I mean is just
> snort without patching. Using three network interfaces, two for
> building a bridge and one for console. Can it be done? A tap is far too
> expensive for an individual like me :)
>
> Any suggestion would be appreciated! Thanks.
>
> Regards,
> Lee
--
David W. Goodrum
Senior Systems Engineer
NFR Security
703.731.3765
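The three-NIC layout from Lee's question (two NICs bridged, a third kept for console, unpatched Snort sniffing the bridge), as an added example that is not part of this thread. Interface names, the Snort config path and the Snort 2.x flags (-D, -i, -c) are assumptions; run with DRY_RUN=1 to print the commands instead of executing them, which otherwise needs root and iproute2.

```shell
#!/bin/sh
# Added example (not from the thread): a transparent Linux bridge built
# from two plain NICs, a third NIC kept for management, and Snort
# sniffing the bridge interface. Interface names, the Snort config path
# and the snort flags are assumptions.
BRIDGE=br0
INSIDE=eth1     # assumption: NIC facing the protected segment
OUTSIDE=eth2    # assumption: NIC facing the upstream router/firewall
MGMT=eth0       # assumption: console NIC; never enslaved to the bridge
SNORT_CONF=/etc/snort/snort.conf

# Print the command under DRY_RUN=1, otherwise execute it.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Make one port a silent member of the bridge: no addresses, no IPv6
# autoconfig, promiscuous so the bridge sees every frame.
add_port() {
  run ip addr flush dev "$1"
  run sysctl -q -w "net.ipv6.conf.$1.disable_ipv6=1"
  run ip link set "$1" master "$BRIDGE"
  run ip link set "$1" promisc on
  run ip link set "$1" up
}

bridge_up() {
  run ip link add name "$BRIDGE" type bridge
  add_port "$INSIDE"
  add_port "$OUTSIDE"
  # The bridge gets no IP address: it forwards at layer 2 and is
  # invisible to hosts on either side. Management stays on $MGMT.
  run sysctl -q -w "net.ipv6.conf.$BRIDGE.disable_ipv6=1"
  run ip link set "$BRIDGE" up
}

# Snort only listens on br0 and never sits in the forwarding path, so a
# Snort crash leaves traffic flowing. A host crash or NIC failure does
# not: unlike a fail-open tap, a software bridge on plain NICs takes the
# link down with it, which is the availability risk raised in the reply.
sensor_up() {
  run snort -D -i "$BRIDGE" -c "$SNORT_CONF"
}

case "${1:-}" in
  up) bridge_up && sensor_up ;;
esac
```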