
RE: best ids placement?

From: Brian Laing <brian.laing(at)blade-software.com>
Date: Mon Jun 30 2003 - 13:42:09 EDT


You can take a look at a document I wrote at http://www.snort.org/docs/. It covers placing an IDS into a switched environment and covers a good portion of the pros/cons. It's a little outdated, as I wrote it about 3 years ago or more.

With what you are looking at, I would not recommend a hub in the position you are talking about because of the collision issues; this is magnified if the router-to-switch connection is full duplex. If your switch supports it, you can span the port that goes to the router, but you may overload the port; plus, spanning packets is low priority in the switch, so even if the port is overloaded the switch may not span all packets. The only thing I have seen that will guarantee, or at least get you as much as can be guaranteed, is taps, with the legs from the taps being fed into a Top Layer or similar type of switch. If the load is low enough you can take the two legs from a tap and send them to a hub. You will run into collision issues, but they will impact the IDS, whereas the hub placement you have now will impact the network.

I hope that makes sense if not drop me a private email.

Cheers,
Brian



Brian Laing
CTO
Blade Software
Cellphone: +1 650.280.2389
Telephone: +1 650.367.9376
eFax: +1 650.249.3443
Blade Software - Because Real Attacks Hurt http://www.Blade-Software.com

-----Original Message-----
From: SB CH [mailto:chulmin2@hotmail.com]
Sent: Thursday, June 26, 2003 5:29 PM
To: focus-ids@securityfocus.com
Subject: best ids placement?

Hello, all.

I have read this document, subject is "Using Snort For a Distributed Intrusion Detection System" at
http://www.sans.org/rr/paper.php?id=352

According to this document, the proper placement is described like this:


The first example of the remote sensor placement is if you have a high-speed connection
to the Internet. You will want to monitor traffic coming from and going to that connection. The
best way to achieve this would be to place a hub between the border router and your firewall.

Placement between the router and the firewall or main switch, with a dummy hub, like this?

                  router
                     |
IDS ---------- HUB
                     |
                  Switch

But another document says this:
Due to the limitation of shared media, this cannot be used if the connection between the switch and router is a full-duplex connection, as collisions will degrade the throughput.
And due to the limitation of shared media, it will increase the number of collisions, impacting the flow of traffic between the router and switch.

What's true, and how did you set up your IDS placement, and what is best: using taps, or a SPAN port, or a hub?

Thanks for your opinions.



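The three feeds compared in Brian's reply (a hub inline between router and switch, a SPAN port mirroring a full-duplex link into one switch port, and the two legs of a passive tap fed into a hub) can be put side by side with a small slot-level model. The code below is an added illustration for this thread, not code from either poster or from Snort. Its traffic model is an assumption: one slot is one maximum-size frame time on the monitored link, each direction's traffic is a list of 0/1 values generated per slot, the mirror port forwards one frame per slot with a fixed buffer, and a collision is two frames in the same slot on a shared medium (tap legs cannot retransmit, so those frames are simply lost to the sensor).

```python
"""Slot-level model of three ways to feed an IDS from a router<->switch link.

Added illustration, not code from the original posts. Simplifying
assumptions (not facts from the thread): one slot = one maximum-size frame
time on the monitored link; a direction's traffic is a list of 0/1 values;
arrivals are Bernoulli per slot; a collision is two frames in one slot on a
shared medium.
"""
import random


def bernoulli_traffic(slots, utilisation, seed):
    """Constructed sample traffic: a frame in each slot with probability
    `utilisation`. Real traffic is burstier, so real losses are worse."""
    rng = random.Random(seed)
    return [1 if rng.random() < utilisation else 0 for _ in range(slots)]


def span_port_loss(rx, tx, buffer_frames):
    """Mirror both directions of a full-duplex link into one switch port of
    the same speed. The mirror port sends one frame per slot and can hold
    `buffer_frames` waiting frames; anything beyond that is dropped. Real
    switches also service mirroring at low priority, so this is optimistic.
    Returns (frames_dropped, frames_offered)."""
    queued = dropped = offered = 0
    for a, b in zip(rx, tx):
        for arriving in (a, b):
            if not arriving:
                continue
            offered += 1
            if queued < buffer_frames:
                queued += 1
            else:
                dropped += 1
        if queued:
            queued -= 1  # one frame leaves on the mirror port this slot
    return dropped, offered


def tap_legs_into_hub_loss(rx, tx):
    """One tap leg per direction, both plugged into a hub. Tap outputs are
    transmit-only, so two frames in the same slot collide on the shared
    medium and the IDS sees neither (no retransmission is possible).
    Production traffic is untouched because the tap is passive.
    Returns (frames_lost_to_ids, frames_offered)."""
    lost = sum(2 for a, b in zip(rx, tx) if a and b)
    return lost, sum(rx) + sum(tx)


def inline_hub_impact(rx, tx):
    """A hub between router and switch forces the link to half duplex: one
    frame per slot on the wire, and a slot in which both sides transmit is
    a collision that wastes the slot and queues both frames for retry. The
    IDS sees everything; the cost lands on production traffic.
    Returns (collisions, undelivered_backlog_at_end)."""
    backlog = collisions = 0
    for a, b in zip(rx, tx):
        if a and b:
            collisions += 1
            backlog += 2  # both frames back off and must be resent
            continue  # the slot carries nothing useful
        backlog += a + b
        if backlog:
            backlog -= 1  # the shared wire delivers one frame per slot
    return collisions, backlog


def compare(link_mbps=100, rx_util=0.6, tx_util=0.6, seconds=1.0,
            frame_bytes=1518, buffer_frames=64, seed=7):
    """Run all three models on the same constructed second of traffic and
    report the numbers a sensor operator would care about."""
    slots = int(seconds * link_mbps * 1e6 / (frame_bytes * 8))
    rx = bernoulli_traffic(slots, rx_util, seed)
    tx = bernoulli_traffic(slots, tx_util, seed + 1)
    span_dropped, span_offered = span_port_loss(rx, tx, buffer_frames)
    hub_lost, hub_offered = tap_legs_into_hub_loss(rx, tx)
    collisions, backlog = inline_hub_impact(rx, tx)
    return {
        "slots": slots,
        "span_drop_pct": 100.0 * span_dropped / max(span_offered, 1),
        "tap_hub_loss_pct": 100.0 * hub_lost / max(hub_offered, 1),
        "inline_hub_collisions": collisions,
        "inline_hub_backlog_frames": backlog,
    }


if __name__ == "__main__":
    for util in (0.3, 0.6, 0.9):
        r = compare(rx_util=util, tx_util=util)
        print(f"{util:.0%} each way over {r['slots']} frame slots: "
              f"SPAN drops {r['span_drop_pct']:.1f}%, "
              f"tap legs into hub lose {r['tap_hub_loss_pct']:.1f}%, "
              f"inline hub: {r['inline_hub_collisions']} collisions, "
              f"{r['inline_hub_backlog_frames']} frames still queued")
```

The point the model makes visible: once the two directions of a full-duplex link together exceed the mirror port's speed, a bigger SPAN buffer only delays the drops, the tap-into-hub option loses frames only on the sensor side, and the inline hub is the one arrangement where the loss shows up as collisions and queued production traffic rather than as gaps in the IDS feed.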
Received on Wed Jul 2 10:31:39 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:15 EDT

