IDS mailing list archives
RE: best ids placement?
From: David Markle <davidmarkle () comcast net>
Date: Fri, 27 Jun 2003 16:04:44 -0400
Ultimately, the answer is ...... it depends.

Hubs are cheap for small shops with low budgets and low bandwidth. Their reliability is fair if your operation does not hinge on availability (i.e. critical and 24x7). There are lower bandwidth limitations in hubs. Because they are broadcast based, collisions have greater probability (obviously based on bandwidth). I use dumb hubs at home but would never use one at work (would get shot).

Switches are faster and more reliable (in general) than hubs because 1. they (most of them) can be managed for health and welfare, 2. (some) generally have greater capacity (speed) in the backplane and 3. offer the ability to span the traffic from VLANs out 1 port (or more). I noticed you had a switch in your diagram, can you span from it ???

Finally, taps are a solid solution, but most if not all are passive and not managed (health and welfare). "Unknown" outages happen.

I think the "best IDS placement" conversation should focus on WHERE you place the IDS vs. how it's connected. Select the "how it's connected" based on availability needs, costs, and what best fits in your network environment. I understand that the "where it's connected" is a religious based conversation, so I won't go there - unless someone wants to ... ;)

I hope this helps.

dm

-----Original Message-----
From: SB CH [mailto:chulmin2 () hotmail com]
Sent: Thursday, June 26, 2003 8:29 PM
To: focus-ids () securityfocus com
Subject: best ids placement?

Hello, all.

I have read this document, "Using Snort For a Distributed Intrusion Detection System", at http://www.sans.org/rr/paper.php?id=352

According to this document, the proper placement is like this:

  The first example of the remote sensor placement is if you have a high-speed connection to the Internet. You will want to monitor traffic coming from and going to that connection. The best way to achieve this would be to place a hub between the border router and your firewall.
  ~~~~~~~~~

Dummy hub placement between router and firewall or main switch, like this?

        router
          |
  IDS ---------HUB
          |
        Switch

But another document says this:

  Due to the limitation of shared media, this cannot be used if the connection between the switch and router is a full-duplex connection, as collisions will degrade the throughput.

and

  Due to the limitation of shared media, it will increase the number of collisions impacting the flow of traffic between the router and switch.

What is true, how did you set your IDS placement, and what is the best? Using taps? Or a span port? Or a hub?

Thanks for your opinions.

-------------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the world's premier technical IT security event! 10 tracks, 15 training sessions, 1,800 delegates from 30 nations including all of the top experts, from CSO's to "underground" security specialists. See for yourself what the buzz is about! Early-bird registration ends July 3. This event will sell out. www.blackhat.com
-------------------------------------------------------------------------------
Current thread:
- best ids placement? SB CH (Jun 27)
- RE: best ids placement? David Markle (Jun 27)