From: Patrick Mueller (pmuellerneohapsis.com)
Date: Thu Oct 04 2001 - 00:51:23 CDT


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    On Wed, 3 Oct 2001, Ian Macdonald wrote:

    > Does anyone have words of wisdom about dealing with the database traffic? My
    > thinking is to create IPSEC tunnels between the sensor and the central
    > database.
    >
    > Any other ideas?

    In the testing that we did for the recent NWC IDS article, we backhauled
    all of the management/alert data from the sensors back to the console
    network. This was implemented with a network-to-network IPSec VPN using
    Cisco routers. For more info, see:

    http://www.nwc.com/1217/1217f1.html
    http://img.cmpnet.com/nc/1217/graphics/1217f1.gif

    Now then, setting up IPSec VPNs is probably going to be overkill for the
    application in question. And since we're in the Linux/open-source realm
    here, we're also talking FreeS/WAN, which has a pretty steep learning
    curve of its own.

    [Speaking of overkill, I think the original poster is going to find the
    idea of deploying three separate sensors a bit overwhelming. I would
    suggest starting out with one until you get the hang of things and work
    through the inevitable tuning issues you'll face with any deployment.]

    But.. back to the question at hand, if you're worried about the
    confidentiality and/or tampering of alert data in between the sensor(s)
    and console, I'd look at a light(er)-weight tunneling solution, such as:

    - stunnel (http://www.stunnel.org/)
    - vtun (http://vtun.sourceforge.net/)

    Both should work fine for tunneling the sensor->console MySQL data, and
    they're easy to set up to boot.

            -- Patrick

    -------------------------------------------------------------------------
    Patrick Mueller -- Security Analyst -- <pmuellerneohapsis.com>
                      Neohapsis <www.neohapsis.com>

    -----BEGIN PGP SIGNATURE-----
    Comment: Key available at http://pgp.mit.edu

    iD8DBQE7u/jfW5zvMHNPjVMRAuKqAKCoTQuhMR1LvIhMQa1AyhNGjaP0ugCdFOz5
    9ID6BVLOSJVrqGBafaaWEyo=
    =Wbu1
    -----END PGP SIGNATURE-----
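As an added illustration of the stunnel option Patrick suggests (this is not code from the original thread, and it uses the ini-style configuration of stunnel 4, which postdates the 2001 message; the hostname console.example.com, the certificate paths and the port numbers are assumed), here is a minimal pair of configurations for wrapping the sensor->console MySQL connection in TLS. The sensor's database output is pointed at 127.0.0.1:3307 instead of the console's MySQL port, and stunnel carries it to the console, where a second stunnel unwraps it and hands it to mysqld on the loopback interface.

```ini
; ---- console side (/etc/stunnel/stunnel.conf) ----
; Terminates TLS from the sensors and forwards plaintext to the local mysqld.
; Paths and ports are assumptions for this example.
cert   = /etc/stunnel/console.pem     ; console certificate + private key
CAfile = /etc/stunnel/sensor-ca.pem   ; CA that signed the sensor certificates
verify = 2                             ; require a sensor cert signed by CAfile
setuid = stunnel
setgid = stunnel
chroot = /var/lib/stunnel

[mysql]
accept  = 3307                ; TLS listener reachable from the sensor network
connect = 127.0.0.1:3306      ; mysqld should bind only to loopback

; ---- sensor side (/etc/stunnel/stunnel.conf) ----
; Listens on loopback for the sensor's MySQL output and tunnels it to the console.
client = yes
cert   = /etc/stunnel/sensor.pem      ; sensor certificate + private key
CAfile = /etc/stunnel/console-ca.pem  ; CA that signed the console certificate
verify = 2                             ; refuse to talk to an impostor console
setuid = stunnel
setgid = stunnel
chroot = /var/lib/stunnel

[mysql]
accept  = 127.0.0.1:3307                ; sensor's DB output connects here
connect = console.example.com:3307      ; the console's stunnel listener
```

Two points worth checking in a deployment like this. First, `verify = 2` on both ends (with a CAfile that holds only your own CA) is what turns the tunnel from confidentiality-only into protection against the tampering the original poster asked about; without it either side will happily complete a handshake with whoever answers on the port. Second, the MySQL account the sensor uses should be granted only from the console's loopback address (the tunnel exit) and only the INSERT privileges the alert schema needs, so that a compromised sensor cannot read or rewrite the other sensors' alerts.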