IDS mailing list archives
RE: IDS on VPN-GW
From: counter.spy () gmx de
Date: Wed, 4 Dec 2002 15:21:31 +0100 (MET)
How well did Snort keep up, however?
Well, this was a very basic experiment, sort of a proof-of-concept test, in order to see if sniffing on the virtual vpn-interface is possible. An example: there are side-effects with the vpn-driver if you install a winpcap driver on an NT-based vpn-gateway that cause malfunction of the gw. These problems do not occur on linux systems.

In my tests I simply sent a packet from the client through the tunnel to another vpn-machine behind the gw (gw-gw-coupling). The packet was crafted in such a way that it should trigger an alert. Snort properly detected all of my fake attacks that went through the tunnel. I did not perform any benchmarks (regarding packet dropping statistics and impact on encryption-performance).

My IDS-tests are none of my current official tasks but I do them nevertheless, because attack-detection in IPSec environments will become a task in the future. For that reason I posted this question to the list.

I really think that the idea of another poster is much better than sniffing directly on the gateway: bridging or mirroring (how do you call it on a server?) all plaintext ip-traffic to a dedicated machine via a dedicated interface in a trusted segment. BTW: Do any drivers exist on NT or W2K for mirroring or bridging data to another NIC? This approach scales much better when using several loadbalanced vpn-gw's. E.g. traffic can be merged on a top layer and flows can then be distributed to several IDSs. Another advantage would be that the vpn-gw is not loaded with the attack-detection itself for the sake of performance.

If you learn anything new in that field or if you perform further tests on your own I would be very grateful if you'd let me know the results.

Thanks and kind regards,
Detmar

-----Original Message-----
How well did Snort keep up, however? I can't believe it wasn't missing packets at that point...

-----Original Message-----
From: Keith T. Morgan [mailto:keith.morgan () terradon com]
Sent: Monday, December 02, 2002 10:05 AM
To: counter.spy () gmx de
Cc: focus-ids () securityfocus com
Subject: RE: IDS on VPN-GW

We've deployed this scenario on Linux + Free S/Wan running snort on all physical interfaces and all ipsecX interfaces for folks. The fastest wire-speed we've had on one of these deployments is T1, and a PIII450 has handled VPN traffic at wirespeed even with the added load of snort. Sorry I don't have any higher-bandwidth benchmarks for you.

-----Original Message-----
From: counter.spy () gmx de [mailto:counter.spy () gmx de]
Sent: Friday, November 29, 2002 4:20 AM
To: focus-ids () securityfocus com
Subject: IDS on VPN-GW

Hi folks, I have recently tested snort on a vpn-gateway that runs on linux (just for testing purposes, no productive server).
...
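The thread's underlying point is that a sensor on the gateway's outer interface only sees ESP (IP protocol 50) and cannot match content signatures, while a sensor on the decrypted ipsecX interface sees the inner plaintext packet. The following is an added illustration, not code from the thread or from Snort or FreeS/WAN: it builds a constructed inner IPv4/TCP packet, wraps it in a stand-in tunnel-mode ESP packet, and runs a hypothetical content signature over both to show where detection is possible.

```python
import struct

IPPROTO_TCP = 6
IPPROTO_ESP = 50

# Hypothetical content signature, standing in for a Snort rule with content:"..."
SIGNATURES = {"probe-string": b"/cgi-bin/test-cgi"}


def ipv4_packet(proto, payload, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Minimal 20-byte IPv4 header (no options); checksum left zero for this example."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst)
    return header + payload


def tcp_segment(dst_port, data):
    """Minimal 20-byte TCP header (data offset 5, PSH|ACK) followed by application data."""
    return struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + data


def inspect(packet):
    """Return the names of signatures whose content appears in the transport payload.
    ESP packets yield no alerts: only SPI and sequence number are readable, the rest is ciphertext."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    payload = packet[ihl:]
    if proto == IPPROTO_ESP:
        return []
    if proto == IPPROTO_TCP:
        payload = payload[(payload[12] >> 4) * 4:]
    return [name for name, pat in SIGNATURES.items() if pat in payload]


def build_demo():
    """Constructed sample traffic: the plaintext inner packet and its tunnel-mode ESP wrapper."""
    inner = ipv4_packet(IPPROTO_TCP, tcp_segment(80, b"GET /cgi-bin/test-cgi HTTP/1.0\r\n"))
    # Stand-in for ESP encryption (XOR with a constant); real ESP uses a proper cipher and ICV.
    ciphertext = bytes(b ^ 0x5A for b in inner)
    outer = ipv4_packet(IPPROTO_ESP, struct.pack("!II", 0x1234, 1) + ciphertext)
    return inner, outer


def demo():
    """What a sensor would report on each interface of the gateway."""
    inner, outer = build_demo()
    return {"eth0 (outer, ESP)": inspect(outer), "ipsec0 (inner, plaintext)": inspect(inner)}


if __name__ == "__main__":
    for iface, alerts in demo().items():
        print(f"{iface}: {alerts}")
```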