From: Lee Brotherston (lee.brotherstonuk.easynet.net)
Date: Thu Jan 10 2002 - 08:18:01 CST


    | I'm new to the IDS world. I understand what an IDS does, and why you
    | need it, but I have some questions on the technical aspect of IDS. We
    | are planning on implementing an IDS in the near future. The idea that
    | has been proposed is to put the IDS in the path between connections,
    | rather than connected in promiscuous mode. The reason they want to do
    | this is so they can also run a blocking software, like portsentry, to
    | block unwanted scans, etc.

    You can do this, and you can do it transparently too :) I'm not 100% sure
    how in Linux, but using something like OpenBSD you can happily install it to
    work in bridging mode with some firewalling options, etc. And run Snort or
    something like that on the top.

    A couple of points you might want to bear in mind though. It might be worth
    thinking about how many interfaces this is going to have and how much
    traffic goes between them all. If it is doing the job of a switch or router
    then remember that it is likely to be slower than dedicated
    switching/routing hardware if you have high bandwidth usage.

    And if it ever crashes or has network problems then you will lose
    connectivity between the points that it bridges or routes. Whereas if your
    IDS sits on the mirror-port of a switch you can reboot it to your heart's
    content and it doesn't affect your network, you do of course lose the
    ability to run firewalling, bandwidth limiting, etc. on the same machine.

      Lee

    -- 
    Lee Brotherston  -  IP Security Manager, Easynet Ltd
    http://www.easynet.net/         Phone: +44 20 7900 4444
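The setup Lee sketches (an OpenBSD box in bridging mode, with firewalling on the bridge and Snort on one of its member ports) as an added example; this script is not part of the thread and is not OpenBSD's or Snort's own documentation. It assumes two interfaces named em0 and em1, the Snort paths shown, and modern OpenBSD hostname.if(5)/ifconfig(8) syntax rather than the brconfig(8) of 2002. Run without arguments it only prints the configuration it would install; with `--apply` it writes the files (as root, on OpenBSD). The `block log all` default in the generated pf.conf is the fail-closed behaviour the post warns about: if this box dies, the segments it joins lose connectivity.

```shell
#!/bin/sh
# Added example, not from the original post: generate the OpenBSD configuration
# for a transparent bridge that filters with pf and runs Snort on a member port.
# em0/em1, the Snort paths and the allowed services are assumptions.

OUTSIDE=${OUTSIDE:-em0}   # assumed: member facing the upstream router
INSIDE=${INSIDE:-em1}     # assumed: member facing the protected LAN
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}   # assumed path
SNORT_LOG=${SNORT_LOG:-/var/log/snort}            # assumed path

# /etc/hostname.<member>: bridge members carry no address, they are just "up".
member_config() {
    printf 'up\n'
}

# /etc/hostname.bridge0: join both members into one transparent bridge.
bridge_config() {
    printf 'add %s add %s up\n' "$OUTSIDE" "$INSIDE"
}

# /etc/pf.conf: on a bridge pf filters on the member interfaces, and with the
# default floating state policy a state created "in" on one member matches the
# same flow "out" on the other. Everything not explicitly passed is dropped and
# logged, so a wedged or misconfigured box fails closed.
pf_config() {
    cat <<EOF
ext_if = "$OUTSIDE"
int_if = "$INSIDE"
set skip on lo
block log all
pass in quick on \$int_if proto { tcp udp icmp } from any to any keep state
pass in quick on \$ext_if proto tcp to any port { 80 443 } keep state
pass in quick on \$ext_if inet proto icmp icmp-type echoreq
EOF
}

# Snort sniffs the inside member so it sees only traffic pf already let through;
# pick \$OUTSIDE instead to also see what the firewall dropped.
snort_rc_line() {
    printf 'snort -D -i %s -c %s -l %s\n' "$INSIDE" "$SNORT_CONF" "$SNORT_LOG"
}

# Write the generated files to their OpenBSD locations (root only).
apply_config() {
    member_config > "/etc/hostname.$OUTSIDE"
    member_config > "/etc/hostname.$INSIDE"
    bridge_config > /etc/hostname.bridge0
    pf_config     > /etc/pf.conf
    snort_rc_line >> /etc/rc.local
    pfctl -nf /etc/pf.conf   # syntax check before anything is loaded
}

if [ "${1:-}" = "--apply" ]; then
    apply_config
else
    printf '# hostname.%s / hostname.%s\n' "$OUTSIDE" "$INSIDE"; member_config
    printf '# hostname.bridge0\n';  bridge_config
    printf '# pf.conf\n';           pf_config
    printf '# rc.local\n';          snort_rc_line
fi
```

The script only generates text unless `--apply` is given, so it can be reviewed on any system before touching the inline box; `pfctl -nf` parses the ruleset without loading it, which is the check worth running before a reboot of a machine that sits in the traffic path.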