Security Basics mailing list archives
Re: Snort Help - Network IDS
From: "Brian Whitehead" <brian () whiteheadconsulting com>
Date: Wed, 14 Apr 2004 20:02:27 -0500 (CDT)
Recently I posted a question on different types of monitoring and IDS setups. I have decided to go with Snort and have been using it on a smaller network with no problem. However, now I need to move it to a production network which will consist of around 100 servers, all linked through 3Com switches and going out through a WatchGuard firewall. I'm looking for different ways to implement this without setting up another single point of failure device, which our firewall is. I'm not confident enough yet to risk something like that. I haven't found much information on packet sniffing when it comes to multiple entry points; found some info on wiretaps, etc., but I've always received such great help on here I thought I would ask before I decided on something. Would really appreciate any help, I'm in a heck of a bind right now. Thanks.

    firewall
       |
     -3comswitch-servers
     -3comswitch-servers
     -3comswitch-servers
    ids?

Jason Haith
Jason,

If you don't want a single point of failure, such as using it inline between the firewall and switch, then you will need to set up port monitoring on your switches. Some switches cannot do this across stacked switches, so check the documentation on your switches. Also, if you are using multiple VLANs you will not be able to use a single box, unless it has multiple NICs to monitor more than one VLAN.

Basically, the Snort box will be connected directly to one of the switches and the switch will be configured to mirror all traffic to the port that it's plugged into. Usually this can be configured to monitor either ingress, egress or traffic both ways. One thing to note is that the port that the NIDS is connected to cannot talk on the network. It can only listen. So, you will either need to access it physically at the console or put an additional NIC in the box to access it remotely.

Again, with the stacked switches this will depend on the capabilities of the switch. Some can be managed and actually know that the ports on the other switches exist, while others will simply know that the MAC addresses for several machines exist through a single port. In the latter case, you should still be able to monitor all of the traffic in and out of the single port, but you won't be able to monitor traffic destined for the same switch if it's not directly connected. Just make sure that wherever you connect the NIDS, it can see all of the machines whose traffic you want to monitor.

I'm sure you might be able to do some confounded setup like mirroring all traffic on each switch to a single port and then connecting that port to the next switch. This would mean you would have two connections between each port: one that is simply mirroring the traffic and the other that is the actual uplink. I'm not sure this kind of setup would be a good idea though. You could also put multiple NICs in the box and connect one to each switch. The one downfall I can see to this is that you will see some traffic more than once as it heads through the switches to get in and out of the firewall.

Hope this helps. Sorry if I confuse you. The new Snort 2.1 book is due out this month if you need a good reference.
http://www.syngress.com/catalog/sg_main.cfm?pid=2950

    ----------
    |firewall|
    ----------
        |
    ----------    --------
    |switch  |====|IDSBOX|
    ----------    --------
        |
    ----------
    |switch  |
    ----------
        |
    ----------
    | switch |
    ----------

-- 
Brian W
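The multi-NIC layout Brian describes has the side effect he names: one datagram crossing two or three mirrored switches reaches the sensor two or three times, inflating alert counts. The following is an added example (not from the thread, not part of Snort) showing one way to collapse those mirrored copies before analysis while keeping genuine retransmissions; the packet record layout, the NIC names eth1..eth3 and the half-second window are assumptions.

```python
"""Collapse duplicate copies of one packet delivered by several mirror NICs."""
import hashlib
from typing import Iterable

# Assumption: mirrored copies of the same packet reach the sensor within this many seconds.
WINDOW_S = 0.5


def packet_key(pkt: dict) -> str:
    """Identity of a packet that does not depend on which NIC delivered it.

    Including the IP ID keeps a real TCP retransmission (new IP ID, same
    payload) distinct from a second mirrored copy of the same datagram.
    """
    header = (f"{pkt['src']}:{pkt['sport']}>{pkt['dst']}:{pkt['dport']}"
              f"/{pkt['proto']}/{pkt['ip_id']}")
    return header + "/" + hashlib.sha256(pkt["payload"]).hexdigest()


def dedup(packets: Iterable[dict], window: float = WINDOW_S):
    """Return (unique_packets, dropped_count), processing in timestamp order."""
    last_seen = {}            # key -> timestamp of the most recent accepted copy
    unique, dropped = [], 0
    for pkt in sorted(packets, key=lambda p: p["ts"]):
        key = packet_key(pkt)
        seen_at = last_seen.get(key)
        if seen_at is not None and pkt["ts"] - seen_at <= window:
            dropped += 1      # a mirrored copy of a packet already passed on
            continue
        last_seen[key] = pkt["ts"]
        unique.append(pkt)
        cutoff = pkt["ts"] - window   # forget keys older than the window
        last_seen = {k: t for k, t in last_seen.items() if t >= cutoff}
    return unique, dropped


def _pkt(ts, nic, src, dst, ip_id, payload, proto="tcp", sport=40000, dport=80):
    return dict(ts=ts, nic=nic, src=src, dst=dst, proto=proto,
                sport=sport, dport=dport, ip_id=ip_id, payload=payload)


# Constructed sample: three mirror NICs feeding one sensor.
SAMPLE = [
    _pkt(0.000, "eth1", "10.1.1.5", "10.1.1.9", 101, b"GET / HTTP/1.0\r\n"),
    _pkt(0.004, "eth2", "10.1.1.5", "10.1.1.9", 101, b"GET / HTTP/1.0\r\n"),  # same datagram, 2nd switch
    _pkt(0.010, "eth2", "10.1.1.7", "10.1.1.9", 55, b"SYN"),
    _pkt(0.020, "eth1", "10.1.1.9", "10.1.1.5", 900, b"HTTP/1.0 200 OK\r\n"),
    _pkt(0.022, "eth2", "10.1.1.9", "10.1.1.5", 900, b"HTTP/1.0 200 OK\r\n"),
    _pkt(0.025, "eth3", "10.1.1.9", "10.1.1.5", 900, b"HTTP/1.0 200 OK\r\n"),
    _pkt(1.500, "eth1", "10.1.1.5", "10.1.1.9", 102, b"GET / HTTP/1.0\r\n"),  # retransmission, new IP ID: kept
]

if __name__ == "__main__":
    kept, dropped = dedup(SAMPLE)
    print(f"kept {len(kept)} packets, dropped {dropped} mirrored copies")  # kept 4, dropped 3
```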