IDS mailing list archives

RE: best ids placement?


From: David Markle <davidmarkle () comcast net>
Date: Fri, 27 Jun 2003 16:04:44 -0400

Ultimately, the answer is ...... it depends.

Hubs are cheap for small shops with low budgets and low bandwidth.  Their
reliability is fair if your operation does not hinge on availability (i.e.
critical and 24x7).  There are lower bandwidth limitations in hubs.  Because
they are broadcast based, collisions have greater probability (obviously
based on bandwidth).  I use dumb hubs at home but would never use one at
work (would get shot).

Switches are faster and more reliable (in general) than hubs because 1. they
(most of them) can be managed for health and welfare, 2. (some) generally
have greater capacity (speed) in the backplane and 3. offer the ability to
span the traffic from VLANs out 1 port (or more).  I noticed you had a
switch in your diagram, can you span from it ???

Finally, taps are a solid solution, but most if not all are passive and not
managed (health and welfare).  "unknown" outages happen.

I think the "best IDS placement" conversation should focus on WHERE you
place the IDS vs. how it's connected.  Select the "how it's connected" based
on availability needs, costs, what best fits in your network environment.  I
understand that the "Where it's connected" is a religious based conversation,
so I won't go there - unless someone wants to ...  ;)

I hope this helps.

dm

-----Original Message-----
From: SB CH [mailto:chulmin2 () hotmail com]
Sent: Thursday, June 26, 2003 8:29 PM
To: focus-ids () securityfocus com
Subject: best ids placement?


Hello, all.

I have read this document, subject is "Using Snort For a Distributed
Intrusion Detection System" at
http://www.sans.org/rr/paper.php?id=352

According to this document, the proper placement is like this:

The first example of the remote sensor placement is if you have a
high-speed connection to the Internet. You will want to monitor traffic
coming from and going to that connection. The best way to achieve this
would be to place a hub between the border router and your firewall.
                                                 ~~~~~~~~~
dummy hub placement between router and firewall or main switch like this?

          router
             |
IDS ------- HUB
             |
          Switch


But another document says this:
due to the limitation of shared media, this cannot be used if the
connection between the switch and router is a full-duplex connection, as
collisions will degrade the throughput.
and due to the limitation of shared media, it will increase the number of
collisions impacting the flow of traffic between the router and switch.

What is true, how did you set up IDS placement, and what is the best?
Using taps? Or span port? Or hub?



Thanks for your opinions.



-------------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
world's premier technical IT security event! 10 tracks, 15 training sessions,
1,800 delegates from 30 nations including all of the top experts, from CSO's to
"underground" security specialists.  See for yourself what the buzz is about!
Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
-------------------------------------------------------------------------------

