Snort mailing list archives
Re: IDS Design Help
From: Richard Bejtlich <richard_bejtlich () yahoo com>
Date: Mon, 9 Feb 2004 07:05:00 -0800 (PST)
Jake,

Here are my ideas on your questions:

1. Forget the Intrusion.com product. While the bandwidth you describe (T-1, then 10 Mbps later) isn't a problem for the single-output Intrusion Ethernet tap, it won't scale at higher loads. Single-output taps combining two transmit (TX) lines (from the "Internet" and "LAN" in your diagram) can theoretically exceed 100 Mbps, potentially pushing 200 Mbps. If you want a single-output tap which combines the two TX lines, look at NetOptics' port aggregator tap. Each TX line has RAM to buffer packets in the event the total bandwidth to the single output exceeds 100 Mbps. The Intrusion.com product just drops packets. (NetOptics will too, if the traffic "burst" exceeds the buffer over a prolonged period.) An alternative to single-output taps is dual-output taps. You can recombine the two TX lines using FreeBSD's netgraph implementation (http://www.derkeiler.com/Mailing-Lists/FreeBSD-Security/2004-01/0084.html) or using channel bonding in Linux.

2. I recommend putting the IDS management NICs in a separate DMZ off the firewall, and implementing access control to the management NIC on the sensors themselves and on the firewall. This really depends on your assessment of the threat, however. Keep in mind that if you put the management interfaces on your internal LAN, a compromise of your sensors could yield internal LAN access. I've never heard of this, although exploits for old versions of Snort, Ethereal, and Tcpdump which attack promiscuous listeners do exist.

3 and 4. Try Sguil (sguil.sf.net). Alerts from both sensors can be made available in a single interface, making for easy comparison. I will be writing a new Sguil install doc incorporating the latest Sguil version, Snort 2.1.1, and hopefully MySQL 4.x once I finish my book draft.

Sincerely,

Richard Bejtlich
http://www.taosecurity.com
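The tap-capacity point in item 1 (two TX lines merged onto one 100 Mbps monitor port, with or without a buffer) modelled as an added example; this is not code from the post, from NetOptics or from Intrusion.com, and the 1 ms slot, the 1 MB buffer and the traffic profiles are constructed values for illustration.

```python
"""Capacity model for a port-aggregator tap: the TX lines of the "Internet"
and "LAN" sides are merged onto one 100 Mbps monitor port, so their sum can
reach 200 Mbps. Constructed example; not from the original post or any vendor."""

OUTPUT_MBPS = 100  # single monitor port feeding the sensor's sniffing NIC


def bytes_per_ms(mbps):
    """Bytes carried per 1 ms simulation slot at a given line rate."""
    return mbps * 1_000_000 // 8 // 1000


DRAIN = bytes_per_ms(OUTPUT_MBPS)  # 12_500 bytes the output can emit per slot


def simulate(internet_tx, lan_tx, buffer_bytes):
    """Run per-slot byte counts from both TX lines through the tap.
    buffer_bytes=0 models a tap that simply discards what the output cannot
    carry in the same slot; a positive buffer absorbs short bursts but still
    drops once sustained input exceeds the output rate.
    Returns (forwarded, dropped, peak_buffer_occupancy)."""
    queued = forwarded = dropped = peak = 0
    for a, b in zip(internet_tx, lan_tx):
        total = queued + a + b          # backlog plus this slot's arrivals
        sent = min(total, DRAIN)        # output port drains at 100 Mbps
        remain = total - sent
        queued = min(remain, buffer_bytes)   # what fits in the tap's RAM
        dropped += remain - queued           # the rest is lost to the sensor
        forwarded += sent
        peak = max(peak, queued)
    return forwarded, dropped, peak


def burst_scenario():
    """40 Mbps each way, a 50 ms burst at 90 Mbps each way, then back to 40."""
    base, burst = bytes_per_ms(40), bytes_per_ms(90)
    line = [base] * 200 + [burst] * 50 + [base] * 200
    return line, list(line)


def sustained_scenario():
    """60 Mbps each way for one second: 120 Mbps aggregate, over the 100 Mbps output."""
    line = [bytes_per_ms(60)] * 1000
    return line, list(line)


if __name__ == "__main__":
    for name, scenario in (("burst", burst_scenario), ("sustained", sustained_scenario)):
        for buf in (0, 1_000_000):  # bufferless tap vs. tap with 1 MB per-line RAM
            fwd, drop, peak = simulate(*scenario(), buf)
            print(f"{name:9s} buffer={buf:>9,d} forwarded={fwd:,d} dropped={drop:,d} peak={peak:,d}")
```

The buffered tap sees the short burst through with no loss, while under sustained 120 Mbps aggregate load it fills its RAM within 400 ms and then drops at the same rate as the bufferless tap.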
Current thread:
- IDS Design Help Jake Rog (Feb 08)
- <Possible follow-ups>
- Re: IDS Design Help Richard Bejtlich (Feb 09)
- RE: IDS Design Help hugh_fraser (Feb 09)