Vulnerability Development mailing list archives

RE: Firewall and IDS, (the second way).


From: PJD () portcullis-security com
Date: Tue, 19 Mar 2002 12:19:43 -0000

If you want your sensor to be non-invasive and undetectable, it's highly
suggested that you use a special device, like the Shomiti (now Finisar)
Century TAP:

PROS: full duplex support, fault tolerant, non-invasive network
monitoring, undetectable, useful for switched environments (there's no
longer need for a span port).

CONS: it's expensive for small environments.

Then you also have to consider the so-called Stealth mode, which is more
typical of hubbed (perhaps smaller) environments, where no IP address is
assigned to the interface; this makes it non-addressable but still available
for promiscuous mode, hence IDS. In this mode the device should not respond
to probing such as crafted multicast packets, and as its interface is not
defined it would also not know its nameserver addresses, so it would not
attempt DNS queries.
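The stealth-mode sensor interface described above, as an added example that is not part of the original post: it brings a Linux interface up with no address in promiscuous mode and checks `ip addr show` output for the two properties the post relies on (no address, PROMISC set). It assumes iproute2 and root; the interface name and the sample outputs are constructed placeholders.

```shell
#!/bin/sh
# Stealth IDS sensor interface (added example, not from the original post).
# Assumes Linux with iproute2; SENSOR_IF is a placeholder interface name.

SENSOR_IF="${SENSOR_IF:-eth1}"

# Configure the sensor: strip every address, disable IPv6 on the interface
# (otherwise a link-local address is auto-assigned and the sensor becomes
# addressable again), enable promiscuous mode and bring the link up.
stealth_up() {
    ip addr flush dev "$1"
    sysctl -q -w "net.ipv6.conf.$1.disable_ipv6=1"
    ip link set dev "$1" promisc on up
}

# Verify from `ip addr show dev IF` text read on stdin: the interface must
# carry no inet/inet6 address and must show the PROMISC flag.
# Returns 0 when stealth-configured, 1 otherwise.
check_stealth() {
    out=$(cat)
    printf '%s\n' "$out" | grep -Eq '^[[:space:]]*inet6? ' && return 1
    printf '%s\n' "$out" | grep -Eq '^[0-9]+: .*<[^>]*PROMISC[^>]*>' || return 1
    return 0
}

# Constructed sample (not a real capture): correctly configured sensor.
STEALTH_SAMPLE='3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff'

# Constructed sample: promiscuous, but an address is still assigned, so
# the sensor is addressable and would answer probes.
ADDRESSED_SAMPLE='3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth1
       valid_lft forever preferred_lft forever'

# Apply and verify on a real interface only when invoked as: sh sensor.sh apply
if [ "${1:-}" = "apply" ]; then
    stealth_up "$SENSOR_IF" && ip addr show dev "$SENSOR_IF" | check_stealth
fi
```

Run the check periodically on the sensor host; a non-zero result means the interface has regained an address or dropped out of promiscuous mode.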

