Re: Avoiding VLAN bridge with N-IDS?

From: Rodrigo Barbosa (rodrigob_at_suespammers.org)
Date: 08/09/04

    Date: Mon, 9 Aug 2004 17:05:27 -0300
    To: focus-ids@securityfocus.com
    
    


    On Mon, Aug 09, 2004 at 07:31:54PM +0000, Chris Conacher wrote:
    > My understanding is that the deployment of N-IDS in a VLANd environment
    > where the switch is spanned to enable a single N-IDS to sniff all VLAN
    > traffic creates the risk that the IDS sensor can form a bridge to where
    > someone can compromise the N-IDS machine and then use that to sniff all
    > traffic or else move from VLAN to VLAN.
    >
    > Is there information on deploying N-IDS in switched and VLANd environments
    > that do not require one N-IDS per VLAN and avoid the above risk if it does
    > exist?

    My suggestion would be to use a "listen only" ethernet cable connecting
    the N-IDS to the Switch, supposing that your network is ethernet based.

    []s

    - --
    Rodrigo Barbosa <rodrigob@suespammers.org>
    "Quid quid Latine dictum sit, altum viditur"
    "Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)

