Snort mailing list archives

Re: IDS Design Help


From: Richard Bejtlich <richard_bejtlich () yahoo com>
Date: Mon, 9 Feb 2004 07:05:00 -0800 (PST)

Jake,

Here are my ideas on your questions:

1.  Forget the Intrusion.com product.  While the
bandwidth you describe (T-1, then 10 Mbps later)
isn't a problem for the single-output Intrusion
Ethernet tap, it won't scale at higher loads. 
Single-output taps combining two transmit (TX) lines
(from the "Internet" and "LAN" in your diagram) can
theoretically exceed 100 Mbps, potentially pushing 200
Mbps.  If you want a single-output tap which combines
the two TX lines, look at NetOptics' port aggregator
tap.  Each TX line has RAM to buffer packets in the
event the total bandwidth to the single-output exceeds
100 Mbps.  The Intrusion.com product just drops
packets.  (NetOptics will too, if the traffic "burst"
exceeds the buffer over a prolonged period.)

An alternative to single-output taps is dual-output
taps.  You can recombine the two TX lines using
FreeBSD's netgraph implementation
(http://www.derkeiler.com/Mailing-Lists/FreeBSD-Security/2004-01/0084.html)
or using channel bonding in Linux.

2.  I recommend putting the IDS management NICs in a
separate DMZ off the firewall, and implementing access
control to the management NIC on the sensors
themselves and on the firewall.  This really depends
on your assessment of the threat, however.  Keep in
mind if you put the management interfaces on your
internal LAN, a compromise of your sensors could yield
internal LAN access.  I've never heard of this,
although exploits for old versions of Snort, Ethereal,
and Tcpdump which attack promiscuous listeners do
exist.

3 and 4.  Try Sguil (sguil.sf.net).  Alerts from both
sensors can be made available in a single interface,
making for easy comparison.  I will be writing a new
Sguil install doc incorporating the latest Sguil
version, Snort 2.1.1, and hopefully MySQL 4.x once I
finish my book draft.

Sincerely,

Richard Bejtlich
http://www.taosecurity.com
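Added example, not part of Richard's post or any vendor documentation: a small Python model of the single-output tap he describes in point 1. It merges two TX lines onto one 100 Mbps monitor port, optionally with a RAM buffer per line, and reports how much traffic the monitor port loses. The 1 ms scheduling slot, the link rates, the fair-share drain policy and the 256 KiB buffer are assumptions chosen for illustration, not NetOptics or Intrusion.com specifications.

```python
"""Toy model of a single-output Ethernet tap (added example).

Two TX lines ("Internet" and "LAN") are merged onto one monitor port.
Rates, the 1 ms scheduling slot and buffer sizes are assumptions for
illustration, not vendor specifications.
"""
from dataclasses import dataclass

SLOT_S = 0.001  # scheduling slot width in seconds (assumed)


def bytes_per_slot(mbps: float) -> int:
    """Bytes carried in one slot at the given rate in Mbit/s."""
    return int(mbps * 1_000_000 * SLOT_S / 8)


@dataclass
class TapResult:
    offered: int     # bytes arriving on both TX lines
    delivered: int   # bytes that reached the monitor port
    dropped: int     # bytes lost to buffer overflow (or to having no buffer)
    max_queue: int   # deepest per-line backlog seen, in bytes

    @property
    def drop_fraction(self) -> float:
        return self.dropped / self.offered if self.offered else 0.0


def simulate_tap(line_a_mbps, line_b_mbps, output_mbps=100.0,
                 buffer_bytes=0) -> TapResult:
    """Feed per-slot offered loads (Mbit/s) on each TX line through the tap.

    buffer_bytes is the RAM per TX line. 0 models a tap that drops
    whatever the single output cannot carry in the same slot.
    """
    cap = bytes_per_slot(output_mbps)
    queues = [0, 0]
    offered = delivered = dropped = max_queue = 0
    for a, b in zip(line_a_mbps, line_b_mbps):
        arrivals = [bytes_per_slot(a), bytes_per_slot(b)]
        offered += sum(arrivals)
        queues = [q + n for q, n in zip(queues, arrivals)]
        # Output port: fair share per line, leftover to any remaining backlog.
        sent = [min(q, cap // 2) for q in queues]
        leftover = cap - sum(sent)
        for i in range(2):
            extra = min(queues[i] - sent[i], leftover)
            sent[i] += extra
            leftover -= extra
        for i in range(2):
            queues[i] -= sent[i]
            delivered += sent[i]
            if queues[i] > buffer_bytes:      # buffer full: tail drop
                dropped += queues[i] - buffer_bytes
                queues[i] = buffer_bytes
            max_queue = max(max_queue, queues[i])
    return TapResult(offered, delivered, dropped, max_queue)


def t1_link() -> TapResult:
    """1.5 Mbit/s each way, no buffering: the load discussed in the thread."""
    return simulate_tap([1.5] * 1000, [1.5] * 1000)


def burst(buffer_bytes: int) -> TapResult:
    """Both lines at 80 Mbit/s for 50 ms, then 150 ms idle (constructed load)."""
    load = [80.0] * 50 + [0.0] * 150
    return simulate_tap(load, load, buffer_bytes=buffer_bytes)


def sustained(buffer_bytes: int) -> TapResult:
    """Both lines at 80 Mbit/s for a full second: 160 Mbit/s into a 100 Mbit/s port."""
    return simulate_tap([80.0] * 1000, [80.0] * 1000, buffer_bytes=buffer_bytes)


if __name__ == "__main__":
    kib256 = 256 * 1024
    for name, res in [("T-1, no buffer", t1_link()),
                      ("burst, no buffer", burst(0)),
                      ("burst, 256 KiB/line", burst(kib256)),
                      ("sustained, no buffer", sustained(0)),
                      ("sustained, 256 KiB/line", sustained(kib256))]:
        print(f"{name:24} dropped {res.dropped:>9} of {res.offered:>9} "
              f"({res.drop_fraction:.1%}), max backlog {res.max_queue}")
```

What the model shows is the shape of the argument in the post: at T-1 rates nothing is lost on either kind of tap; a 50 ms burst at 160 Mbit/s combined is absorbed completely by a 256 KiB per-line buffer but costs an unbuffered tap 37.5% of the burst; and under sustained overload the buffer only delays the same steady-state loss (the backlog pins at the buffer size and every slot's excess is dropped). A dual-output tap feeding two sensor NICs, recombined with netgraph or Linux bonding as suggested above, avoids the single 100 Mbit/s port entirely.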



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net