IDS mailing list archives
Re: IDS using Taps & network bridging
From: "nate" <focus-ids () aphroland org>
Date: Sun, 17 Nov 2002 23:39:50 -0800 (PST)
Hi,
> 1. Hub - full duplex issues - scrapped that idea!
> 2. Bridged network cards - sniffing the bridged interface has been problematic. It works but there seems to be an ARP DoS - any ideas on this would be great!
I haven't tried it under Linux, but it works well under FreeBSD. ARP DoS I think shouldn't be an issue as long as the bridges are separate. Probably best to have 1 machine per bridge rather than multiple bridges on 1 machine (so it has separate ARP tables). I have encountered ARP problems with misconfigured multihomed machines sending packets out the wrong interfaces, and with external networks incorrectly sharing a hub, causing major problems. Of course the bridge has the additional advantage of being transparent; it's wonderful being able to disconnect the bridge (e.g. for a kernel upgrade which requires downtime) and have only a few seconds of downtime (enough to switch cables) without any network reconfiguration. Of course my networks are small enough and haven't really been attacked.
> 3. Multi port NIC that has software to aggregate. The only solution I've found for this only has drivers for Windows.
If you've got the cash, a Znyx card will do the job. They have fully open source drivers for Linux, binary drivers for FreeBSD (and many, many other OSs), and they have RainLINK, a custom software package to provide several things including aggregation, I believe (though I have not used it myself). I have used their 4-port cards under FreeBSD; the 4-port cards run about $750. At least under FreeBSD, the Znyx cards (4-port at least) do not work with the default (DEC) drivers: the system detects the card, but a link with the switch didn't happen until I loaded the Znyx drivers. With 4-port cards and a good motherboard you could probably get 20 interfaces in 1 machine if you really wanted to. Another option is those dedicated port-mirroring switch-like things (forgot their names), and no, I don't mean a switch which has a port-mirroring feature :)
> I'm open to any suggestions but I'm really interested in the network bridging. What I've done so far is:
> - Install 3 NICs in my box
> - Bridged eth1 & eth2 to br0
> - Started up the bridge
> - Sniffed br0
Perhaps try FreeBSD? I love Linux and use it nearly everywhere, but I've read that FreeBSD is really good at networking, so I tested and deployed it in bridged mode about a year ago, and it works great; at the same time I can run ipfw for a firewall, traffic accounting, and traffic shaping. You're the first person I've read about that has tried Linux's bridging feature. The only downside is I have read about bugs in the bridging code in FreeBSD in the past which caused kernel panics or something (or other serious problems, not sure how long ago it was), so I suppose it's possible to crash the system which has the bridge, though I've never had this happen, even in environments where ARP was going crazy, and environments where my Cisco 2500 routers were crippled by thousands of tiny UDP packets; the bridge never flinched (monitoring 2 T1 lines).

My home network is a FreeBSD box with 4 NICs: 2 bridged, 1 management and 1 not being used. It runs ipfw on fxp0 (connected to the DSL modem, which is bridged as well), and snort on fxp1 (connected to my switch), so that snort doesn't detect stuff that's dropped at the firewall. Despite FreeBSD being a great firewall/bridge, I'm not about to replace any of my Debian machines with it anywhere else :) If you would like more detailed info on my setup, drop me a line.

Good luck.

nate
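The two-port transparent bridge that the thread is about (eth1 and eth2 enslaved to br0, then br0 sniffed), written out as an added shell example that is not part of the original post or of any project mentioned in it. It uses today's iproute2 `ip link` commands rather than the brctl of the era; the interface names eth1/eth2/br0, the capture path, and running as root on the sensor are assumptions, and DRY_RUN=1 prints each command instead of executing it so the logic can be checked on any machine. The bridge and its member ports deliberately carry no IP address, which is the concrete form of the advice above about keeping the monitored segment's ARP traffic away from the sensor's own addresses.

```shell
#!/bin/sh
# Added example, not from the original post: build the two-port transparent
# Linux bridge described in the thread (eth1 + eth2 -> br0) and sniff br0.
# Assumptions: iproute2 and ethtool are installed, the script runs as root on
# the sensor, and the interface names below match the box. DRY_RUN=1 prints
# each command instead of running it.

BR="${BR:-br0}"        # bridge interface the sniffer listens on (assumed name)
IN="${IN:-eth1}"       # port towards the monitored segment (assumed name)
OUT="${OUT:-eth2}"     # port towards the rest of the network (assumed name)
PCAP="${PCAP:-/var/tmp/bridge.pcap}"   # capture file (assumed path)

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Build the bridge. Neither br0 nor its member ports get an IP address, so the
# sensor never sends or answers ARP on the monitored segment; management
# traffic stays on a separate NIC, as in the "1 management" interface above.
setup_bridge() {
    # stp_state 0: a two-port inline bridge has no loop to resolve, and with
    # STP on the ports would sit in listening/learning for forward_delay
    # seconds, black-holing traffic every time the sensor comes up.
    run ip link add name "$BR" type bridge stp_state 0 forward_delay 0
    for dev in "$IN" "$OUT"; do
        # Enslaving a port puts it in promiscuous mode; set it explicitly so
        # the state is visible in "ip link" output. GRO is turned off so the
        # sniffer sees frames as they were on the wire, not coalesced.
        run ip link set dev "$dev" master "$BR"
        run ip link set dev "$dev" promisc on
        run ethtool -K "$dev" gro off
        run ip link set dev "$dev" up
    done
    run ip link set dev "$BR" up
}

# Undo setup_bridge. Pulling the bridge with only a cable swap's worth of
# downtime, as described above, works because nothing else depends on br0.
teardown_bridge() {
    run ip link set dev "$BR" down
    for dev in "$IN" "$OUT"; do
        run ip link set dev "$dev" nomaster
    done
    run ip link del dev "$BR"
}

# Sniff the bridge itself: br0 sees both directions of traffic, which is why
# the original poster captured on it rather than on eth1 or eth2 alone.
sniff_bridge() {
    run tcpdump -ni "$BR" -s 0 -w "$PCAP"
}

case "${1:-}" in
    up)    setup_bridge ;;
    down)  teardown_bridge ;;
    sniff) sniff_bridge ;;
esac
```

Run it as `sh bridge.sh up`, `sh bridge.sh sniff`, and `sh bridge.sh down`; `DRY_RUN=1 sh bridge.sh up` shows the exact command sequence without touching the NICs. For an IDS on the bridge, point the sensor at br0 just as tcpdump is here.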
Current thread:
- IDS using Taps & network bridging oobs3c02 (Nov 17)
- RE: IDS using Taps & network bridging Bryan K. Watson (Nov 19)
- Re: IDS using Taps & network bridging nate (Nov 19)
- Re: IDS using Taps & network bridging Bennett Todd (Nov 27)
- <Possible follow-ups>
- RE: IDS using Taps & network bridging Douglas Hart (Nov 21)
- RE: IDS using Taps & network bridging Benninghoff, John (Nov 26)