Snort mailing list archives

Re: Question about Inline mode


From: "Albert E. Whale" <aewhale () ABS-CompTech com>
Date: Sun, 04 Dec 2011 21:36:07 -0500

Thanks, I completely left out the Management interface.  I still have
further questions, please see below.

On 12/4/2011 5:55 PM, NA wrote:
On 12/4/11 12:48 PM, Albert E. Whale wrote:
I have been asked to develop an IDS/IPS solution which can span
multiple zones behind a firewall.

While I have reservations in implementing a single box to become an
active sensor for IDS/IPS solutions on the networks.

In addition to believing that this is the wrong strategy to use in
protecting internal networks (I am supposed to protect 4 internal
networks), I am not certain of the correct configuration of the host
server.

In an Inline mode, are the network interfaces linked?  What network
configuration is required for IDS/IPS or inline configuration?
Inline mode is done via a DAQ module. Inline is supported by at least
the NFQ and Afpacket DAQ modules. This is new to Snort as of the 2.9.x.x
versions. You actually need 3 interfaces as traffic goes across, for
example setting your sensor to detect across eth0:eth1 and the eth2 as
the management interface.

Thank you, I have found the following pages:

http://www.snort.org/snort-downloads/external-daq/
http://vrt-blog.snort.org/2010/08/snort-29-essentials-daq.html

Helpful as they were, I still have the following questions.

When using either NFQ or the DAQ modules, are the interfaces bonded
together?  I completely understand that the Management interface is
assigned an IP Address, a gateway and a network (subnet mask).

What happens to the two interfaces used in inline mode?  If I place the
sensor inline, are the interfaces numbered?  Do I need to fully provide
networking (routing) between the interfaces?

Does the inline mode require two interfaces?

Can Snort support multiple networks, simultaneously?  Does this reduce
the throughput capability of the monitor?

Multiple networks can be supported but of course bandwidth is the
consideration here along with the strength of the Snort sensor. There
are better people on this list to answer than me but depending on the
size/bandwidth considerations you may want to consider using 4 sensors
that report to a main server for analysis. Like I said, others on this
list can help there as I have no experience here. Search the Google
Groups list too.

Four sensors and a Main Server is an exceptional idea.  Thank you for that.

From reading the above sites listed, it would seem that afpacket is the
method to use for inline use.  Is there a consensus here?

Hope this serves at least as a start to answer your questions.
Bill

snip



-- 

Albert E. Whale, CHS CISA CISSP
Senior Technology & Security Director
*ABS Computer Technology, Inc. *
412-635-7488 ext 100
aewhale () ABS-CompTech com
www.ABS-CompTech.com
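Added example, not from this thread or from the Snort project: a POSIX shell script for the layout Bill describes (eth0:eth1 as the inline pair, eth2 as the management interface) using the afpacket DAQ in Snort 2.9.x. The interface names and the /etc/snort/snort.conf path are assumptions; with afpacket in inline mode the two sensor interfaces carry no IP address and need no routing, because the DAQ forwards frames between them itself, so only the management interface is addressed.

```shell
#!/bin/sh
# Added example (not from the thread): Snort 2.9.x inline with the afpacket DAQ.
# Assumed layout: eth0 and eth1 are the inline pair, eth2 is management.
# The inline pair gets no IP address and no routes; afpacket moves frames
# between the two interfaces, so the kernel must not own them.
SENSOR_IN=eth0
SENSOR_OUT=eth1
MGMT_IF=eth2                        # addressed normally, never used by the DAQ
SNORT_CONF=/etc/snort/snort.conf    # assumed path

# Bring an inline interface up with no address, in promiscuous mode, and with
# hardware offloads disabled so Snort inspects frames as they are on the wire.
prep_inline_iface() {
    ip addr flush dev "$1"
    ip link set dev "$1" promisc on up
    ethtool -K "$1" gro off lro off tso off gso off rx off tx off 2>/dev/null || true
}

# Build the Snort command line: -Q selects inline (drop-capable) operation,
# --daq-mode inline with "-i eth0:eth1" pairs the two interfaces.
snort_inline_cmd() {
    printf 'snort -c %s -Q --daq afpacket --daq-mode inline -i %s:%s --daq-var buffer_size_mb=256\n' \
        "$SNORT_CONF" "$SENSOR_IN" "$SENSOR_OUT"
}

# Sanity check: the management interface must not be part of the inline pair,
# and the pair must be two distinct interfaces.
check_layout() {
    [ "$MGMT_IF" != "$SENSOR_IN" ] && [ "$MGMT_IF" != "$SENSOR_OUT" ] \
        && [ "$SENSOR_IN" != "$SENSOR_OUT" ]
}

# Only touch the system when explicitly asked; otherwise just define functions.
if [ "${1:-}" = "apply" ]; then
    check_layout || { echo "interface layout is wrong" >&2; exit 1; }
    prep_inline_iface "$SENSOR_IN"
    prep_inline_iface "$SENSOR_OUT"
    eval "$(snort_inline_cmd)"
fi
```

Run it as root on the sensor with `sh inline.sh apply`; without the argument it only defines the functions so the command line can be inspected first.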
