IDS mailing list archives

Re: IDS using Taps & network bridging


From: "nate" <focus-ids () aphroland org>
Date: Sun, 17 Nov 2002 23:39:50 -0800 (PST)

Hi,

1. Hub - full duplex issues - scrapped that idea!
2. Bridged network cards - sniffing the bridged interface has been
problematic.  It works but there seems to be an ARP DoS - any ideas on
this would be great!

haven't tried it under linux, but works well under freebsd. ARP DOS
I think shouldn't be an issue as long as the bridges are separate.
probably best to have 1 machine per bridge rather than multiple
bridges on 1 machine (so it has separate arp tables). I have encountered
arp problems with misconfigured multihomed machines sending packets
out the wrong interfaces and with external networks incorrectly sharing
a hub causing major problems. Of course bridge has the additional
advantage of being transparent, it's wonderful being able to
disconnect the bridge (e.g. kernel upgrade which requires downtime)
and have only a few seconds downtime (enough to switch cables) without
any network reconfiguration. Of course my networks are small enough
and haven't really been attacked.

3. Multi port NIC that has software to aggregate.  The only solution I've
found for this only has drivers for Windows.

If you've got the cash, a Znyx card will do the job. They have fully
open source drivers for linux, binary drivers for freebsd (and many
many other OSs), they have RainLINK, a custom software package to
provide several things including aggregation I believe (though I have
not used it myself). I have used their 4 port cards under FreeBSD,
the 4 port cards run about $750. At least under freebsd, the Znyx
cards (4 port at least) do not work with the default drivers (DEC),
the system detects the card but a link with the switch didn't happen
until I loaded the Znyx drivers. With 4 port cards and a good
motherboard you could probably get 20 interfaces in 1 machine if
you really wanted to.

another option is those dedicated port-mirroring switch-like things
(forgot their names), and no I don't mean a switch which has a port
mirroring feature :)

I'm open to any suggestions but I'm really interested in the network
bridging.  What I've done so far is:
-Install 3 NICs in my box
-Bridged eth1 & eth2 to br0
-started up the bridge
-sniffed br0

perhaps try freebsd? I love linux and use it nearly everywhere, but
I've read that freebsd is really good at networking so I tested and
deployed it in bridged mode about a year ago, and it works great,
at the same time I can run ipfw for a firewall, traffic accounting,
and traffic shaping at the same time. You're the first person I've
read about that has tried linux's bridging feature. the only downside
is I have read about bugs in the bridging code in freebsd in the
past which caused kernel panics or something (or other serious
problems, not sure how long ago it was), so I suppose it's possible
to crash the system which has the bridge, though I've never had this
happen even in environments where arp was going crazy, and environments
where my cisco 2500 routers were crippled by thousands of tiny UDP
packets, the bridge never flinched (monitoring 2 T1 lines).

my home network is a freebsd box with 4 NICs, 2 bridged, 1 management
and 1 not being used. runs ipfw on fxp0 (connected to dsl modem which
is bridged as well), and snort on fxp1 (connected to my switch), so
that snort doesn't detect stuff that's dropped at the firewall.

despite freebsd being a great firewall/bridge I'm not about to
replace any of my debian machines with it anywhere else :)

if you would like more detailed info on my setup drop me a line.

good luck.

nate
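Added example, not part of nate's reply or the original poster's setup: a small POSIX shell script that plans (and, as root with APPLY=1, applies) the Linux bridge described above with iproute2, keeping the management NIC out of the bridge and giving br0 no address and no ARP, so the sensor stays silent on the monitored segment. The interface names eth0 (management), eth1, eth2 and br0 are assumptions taken from the thread; the ip and tcpdump invocations are standard iproute2/tcpdump syntax.

```shell
#!/bin/sh
# Transparent (IP-less) Linux bridge for an IDS sensor: two NICs bridged,
# one separate NIC for management. Assumes iproute2 "ip" and tcpdump.

# bridge_plan MEMBER1 MEMBER2 BRIDGE MGMT
# Prints the commands that build the bridge, one per line. Refuses to put
# the management NIC into the bridge: the addressed interface stays on its
# own segment and the bridge itself never answers or sends ARP.
bridge_plan() {
  m1=$1; m2=$2; br=$3; mgmt=$4
  for m in "$m1" "$m2"; do
    if [ "$m" = "$mgmt" ]; then
      echo "refusing: management NIC $mgmt must not be a bridge member" >&2
      return 1
    fi
  done
  if [ "$m1" = "$m2" ]; then
    echo "refusing: both members are $m1" >&2
    return 1
  fi
  # No IP address is ever assigned to the bridge or its members, STP is off
  # so the sensor emits no BPDUs, members run promiscuous, and "arp off" on
  # the bridge keeps the kernel out of ARP on the monitored wire.
  printf '%s\n' \
    "ip link add name $br type bridge" \
    "ip link set dev $br type bridge stp_state 0" \
    "ip link set dev $m1 master $br" \
    "ip link set dev $m2 master $br" \
    "ip link set dev $m1 promisc on up" \
    "ip link set dev $m2 promisc on up" \
    "ip link set dev $br arp off up" \
    "tcpdump -i $br -nn -s 0"
}

# bridge_apply: same arguments; runs the planned commands in order and stops
# at the first failure. Needs root and real interfaces, so it is opt-in.
bridge_apply() {
  bridge_plan "$@" | while IFS= read -r cmd; do
    echo "+ $cmd"
    sh -c "$cmd" || exit 1
  done
}

# Default is a dry run with the thread's names (eth0 assumed as management).
if [ "${APPLY:-0}" = 1 ]; then
  bridge_apply eth1 eth2 br0 eth0
else
  bridge_plan eth1 eth2 br0 eth0
fi
```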