RE: best ids placement?

["Rob Shein" <shoten () starpower net>]

Actually, this isn't accurate.  Just because an IDS doesn't have a two-way
connection on the wire doesn't mean that it cannot be compromised by traffic
it monitors.  For example, let's say you had box running an older version of
snort or tcpdump, with one of the vulnerabilities that were found, hooked up
to a wire via a tap.  You could theoretically root that box, even if it had
no other network connectivity besides that tap.  But realistically speaking,
an IDS is going to typically have connectivity via another route; otherwise
how can you do IP block lookups, googling, etc. to determine more about
attacks?    Furthermore, besides rooting, what if the attacker merely wanted
to knock the IDS offline for a bit...then it becomes a lot more feasible and
realistic as an attack.  So remember; taps are NOT guarantee against attacks
aimed at an IDS.  They make the IDS invisible, but it doesn't cost much to
squirt a few generic snort/tcpdump/whatever else attacks onto the wire just
in case.

> -----Original Message-----
> From: Simon Adlem [mailto:sadlem () fotango com] 
> Sent: Wednesday, August 13, 2003 8:36 AM
> To: focus-ids () securityfocus com
> Subject: Re: best ids placement?
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Monday 30 Jun 2003 6:42 pm, Brian Laing may quite possibly 
> have written:
>
>
> Hi,
>
>
> Another approach is to use EtherTaps connected to a machine 
> that has no 
> physical connection to the internal network other than the 
> passive connection 
> via the taps. That way, no-one can detect or compromise your 
> IDS as it is not 
> connected to anything other than the taps.
>
> We use EtherTaps here with good success.
>
> Simon
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.1 (GNU/Linux)
>
> iD8DBQE/OjCVAEPeBJNaHh0RAktqAJ9PSywtkb3o/qcy5mZjcr+yypnpWACfWJKC
> VdTw48MrBPIMlDjsnvOqXtM=
> =Ym0l
> -----END PGP SIGNATURE-----
>
>
> --------------------------------------------------------------
> -------------
> Captus Networks - Integrated Intrusion Prevention and Traffic 
> Shaping  
>  - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
>  - Automatically Control P2P, IM and Spam Traffic
>  - Ensure Reliable Performance of Mission Critical 
> Applications Precisely Define and Implement Network Security 
> and Performance Policies **FREE Vulnerability Assessment 
> Toolkit - WhitePapers - Live Demo Visit us at: 
> http://www.captusnetworks.com/ads/31.htm
>
> --------------------------------------------------------------
> -------------


---------------------------------------------------------------------------
Captus Networks - Integrated Intrusion Prevention and Traffic Shaping
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
 - Automatically Control P2P, IM and Spam Traffic
 - Ensure Reliable Performance of Mission Critical Applications
Precisely Define and Implement Network Security and Performance Policies
**FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
Visit us at: http://www.captusnetworks.com/ads/31.htm
---------------------------------------------------------------------------