IDS mailing list archives

Re: Bridge IDS


From: Nick Black <dank () qemfd net>
Date: Thu, 5 Aug 2004 13:34:11 -0400

Lee Sheng assumed the extended Riemann hypothesis and showed:
> Perhaps this is a silly question, however I want to know that if a bridge
> firewall can be done, how about building a bridge IDS. I know there is
> snort-inline (considered an IPS) that we can use, but what I mean is just snort
> without patching. Using three network interfaces, two for building a bridge
> and one for console. Can it be done? Tap is far too expensive for

Our product functions as either a bridge or an end-node.  In bridging
capability, one can choose to do per-packet filtering (IPS mode) or not
(IDS mode).  The advantages of retaining IDS bridging capability are
twofold:

        a) initial configuration/demoing/evaluation can be done without
           worries that overzealous IPS settings will filter on false
           positives, and

        b) it guarantees that all traffic has been analyzed; if the IDS
           is overloaded, the packet doesn't get through the bridge.

In order to ensure our configuration/reporting is never filtered, we use
a third interface as the 'management interface', as you describe.  So,
I'm not sure whether snort-inline has this mode, but I know it can be
done :).

-- 
nick black                  "np:  the class of dashed hopes and idle dreams."
free hearts, free foreheads -- you and i are old; old age hath yet his honour
and his toil; death closes all: but something ere the end, some work of noble
note, may yet be done, not unbecoming men that strove with gods.   (tennyson)
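What Lee Sheng asks about, a transparent two-port Linux bridge with an
unpatched snort listening on it and a third interface kept aside for
management, can be set up with iproute2 alone.  The script below is an added
example for this thread; it is not Nick Black's product and not anything
from the snort or snort-inline projects.  Interface names (eth1/eth2 as the
bridged pair, br0 as the bridge, eth0 as management), the snort config path
and the log directory are assumptions.  One caveat that matters for the
"guarantees that all traffic has been analyzed" property described above:
with an unpatched snort on a plain Linux bridge, the kernel forwards frames
whether or not snort keeps up, because snort only receives copies via
libpcap.  An overloaded sensor therefore shows up as capture drops, not as
blocked traffic; the fail-closed behaviour needs an inline path such as
snort-inline's netfilter queue.

```shell
#!/bin/sh
# Added example, not code from the original thread or from any vendor product:
# a Linux "bridge IDS" with unpatched snort sniffing a transparent two-port
# bridge, while a third, separately addressed interface is kept for management.
#
# Assumed (hypothetical) names: eth1 and eth2 are the bridged pair, br0 the
# bridge, eth0 the management interface. Needs iproute2 and root to apply.

# Emit the commands that build the transparent bridge. Piped to 'sh' as root,
# they leave br0 without any IP address, so the sensor has no L3 presence on
# the monitored segment; only the management interface (eth0) is reachable.
bridge_cmds() {
    br="$1"; a="$2"; b="$3"
    cat <<EOF
ip link add name $br type bridge
ip link set dev $a master $br
ip link set dev $b master $br
ip link set dev $a promisc on up
ip link set dev $b promisc on up
ip link set dev $br up
sysctl -w net.bridge.bridge-nf-call-iptables=0 2>/dev/null || true
EOF
}
# The sysctl line keeps netfilter off the bridged path (only present when the
# br_netfilter module is loaded, hence the '|| true'): this box observes, it
# does not filter, so nothing in the kernel should be able to drop frames.

# Emit the snort invocation: passive (IDS) mode on the bridge device, fast
# alerts, daemonised, logging to a directory read only over management.
ids_cmds() {
    br="$1"; conf="$2"; logdir="$3"
    printf 'snort -c %s -i %s -l %s -A fast -D\n' "$conf" "$br" "$logdir"
}

# Sanity check for the deployment: given the output of
# 'ip -4 addr show dev <br>', succeed only if no IPv4 address has been
# assigned to the bridge (an address there would make the sensor addressable
# from the monitored segment).
bridge_is_transparent() {
    ! printf '%s\n' "$1" | grep -q '^[[:space:]]*inet '
}

# Constructed sample 'ip -4 addr show dev br0' output (not captured from a
# real host) to exercise the check.
SAMPLE_CLEAN='4: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP'
SAMPLE_LEAK="$SAMPLE_CLEAN
    inet 192.0.2.10/24 scope global br0"

# Apply for real only when asked; otherwise just print what would run.
if [ "${1:-}" = "--apply" ]; then
    bridge_cmds br0 eth1 eth2 | sh
    ids_cmds br0 /etc/snort/snort.conf /var/log/snort | sh
else
    bridge_cmds br0 eth1 eth2
    ids_cmds br0 /etc/snort/snort.conf /var/log/snort
fi
```

Run it without arguments to review the commands, then as root with --apply.
After that, "ip -4 addr show dev br0" should print no inet line, eth0 keeps
its ordinary address for the console, and "tcpdump -i br0" shows the traffic
crossing the two bridged ports.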

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------

