Re: Bridge IDS

From: David W. Goodrum (
Date: 08/05/04

  • Next message: Ron Gula: "hubs and switches"
    Date: Thu, 05 Aug 2004 11:35:56 -0400
    To: Lee Sheng <>

    Most IPS devices can be implemented in passive mode. The important
    thing here is that you probably need network availability, which is the
    beauty of using a network tap with an IDS. The good news is that many
    IPS devices come with sever closed (just like a network tap) or sever
    open interfaces, depending on your preference. You want sever closed,
    so that if the IPS goes down, your network will still be functional.
    Then, if you simply don't implement the blocking portion, and just leave
    it in detection mode, you've essentially got a bridging, highly
    available IDS. If you were to just use plain old NICs like you are
    suggesting, then you would risk the possibility of taking down your
    network if the sensor should fail.

    Of course, if you can't afford the cost of a $500 tap along with your
    free Snort box, you probably can't afford the types of products that
    would include this bridging, sever closed technology either. I know
    that NFR's proprietary NICs that perform this high availability
    function cost more than a $500 tap. But... sometimes you get what you
    pay for. :) You might be better off watching eBay for a network tap
    for your IDS if price is the issue. Or, try using a $50 hub from
    Best Buy as your bridge, then just have your Snort IDS box sniff that.

    good luck,


    Lee Sheng wrote:

    > All,
    > Perhaps this is a silly question, however I want to know that if a bridge
    > firewall can be done, how about building a bridge IDS? I know there is
    > snort-inline (consider IPS) that we can use, but what I mean is just
    > snort without patching. Using three network interfaces, two for
    > building a bridge and one for console. Can it be done? A tap is far too
    > expensive for an individual like me :)
    > Any suggestion would be appreciated! Thanks.
    > Regards,
    > Lee

    David W. Goodrum
    Senior Systems Engineer
    NFR Security
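As an added example (not from either poster), here is the three-NIC layout Lee describes on a Linux box: eth0 kept for management, eth1 and eth2 bridged with no IP address, and an unpatched Snort sniffing the bridge. Interface names, the bridge name and the Snort config path are assumptions, and the bridge commands use current iproute2 syntax rather than the brctl tool of the time.

```shell
#!/bin/sh
# Transparent (layer-2) Snort sensor on a Linux bridge: two NICs bridged,
# a third NIC for the console. Interface names are assumptions.
set -eu

# Refuse to enslave the management NIC into the bridge; doing so is the
# usual way to lose the console on a headless sensor. Returns 0 if sane.
validate_ifaces() {
    mgmt=$1; port_a=$2; port_b=$3
    [ "$port_a" != "$port_b" ] || return 1
    [ "$mgmt" != "$port_a" ] && [ "$mgmt" != "$port_b" ] || return 1
    return 0
}

# Build the bridge. Neither the bridge nor its ports get an IP address,
# so the sensor has no layer-3 presence on the monitored segment.
setup_bridge() {
    br=$1; port_a=$2; port_b=$3
    ip link add name "$br" type bridge
    ip link set "$port_a" master "$br"
    ip link set "$port_b" master "$br"
    # promiscuous mode so Snort sees every frame crossing the bridge
    ip link set "$port_a" up promisc on
    ip link set "$port_b" up promisc on
    ip link set "$br" up
}

# Forwarding is done by the kernel, not by Snort: if Snort exits, traffic
# keeps flowing (a detection gap, not an outage). If the host itself dies,
# both ports go down with it, which is the availability risk David raises.
start_snort() {
    br=$1; conf=$2
    exec snort -D -i "$br" -c "$conf" -l /var/log/snort
}

main() {
    validate_ifaces eth0 eth1 eth2 || { echo "bad interface layout" >&2; exit 1; }
    setup_bridge br0 eth1 eth2
    start_snort br0 /etc/snort/snort.conf
}

# Only run the privileged part when explicitly asked (needs root).
if [ "${BRIDGE_IDS_RUN:-}" = "1" ]; then
    main
fi
```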
