Snort mailing list archives

Advice on the Network Infrastructure Side of IDS Design...


From: Mike Ahern <mc_ahern () yahoo com>
Date: Thu, 25 Apr 2002 09:45:50 -0700 (PDT)

A company I am working with is interested in deploying
IDS throughout a globally distributed network, and may
be interested in updating, reconfiguring, and/or
replacing their network switches and similar hardware
at the same time, at least in some locations. 

What LAN infrastructure hardware have you found best
for monitoring key points on the network (points of
ingress/egress), multiple resources (critical systems,
wiring closet drops, etc.), in a highly switched
environment? Are there switches for example that have
the capability to copy data from selected ports to
multiple monitor ports, or to a single higher speed
port? Any switches that have features that lend
themselves to effective IDS monitoring? In large
environments where you might have many hundreds of
users on a switch, what is the best way to get
visibility with systems like snort? Is there some
unique approach or network design that you have
benefitted from in implementing IDS in a large
switched environment?

I am also concerned about using a traditional (single)
monitor port on some small switches, since the IDS
system could be pulled offline and the monitor port
reconfigured anytime a network engineer came along and
needed to use a network sniffer to track down some
problem - leaving the IDS units offline, and effective
management and logging somewhat klugey. Also in some
instances I have tested, I would need two interfaces
in the IDS system to do what I need to do (one for the
monitor port and one to send network telemetry back to
management systems).

I am really interested in what your experience and
recommendations are for this side of IDS network
planning - and to benefit from your insight and
firsthand experience selecting, implementing, and
working with these systems on an ongoing basis from an
IDS perspective.

I have also heard about active devices that allow
placement of IDS systems "receive only" with no
transmit capability back out of the system, and kind
of stealth the IDS on the net. Anybody used any of
these?

Your advice is appreciated! If you feel that your
answer is too long or too off-topic for this list,
just email me back directly.

Thanks!

 - Mike
   mc_ahern () yahoo com





_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
