Re: IDS deployment outside FW?
From: Dr Bit Bucket (drbitbucket comcast.net)
Date: Mon Aug 09 2004 - 19:54:28 CDT
Chris,
If at all possible, your IDS sensors should never be active on the
network that they are monitoring (unless you're doing some sort of
active response, such as with an IPS solution). Have the management
interface on a private network exclusive to security functions and
do not assign an IP address to the monitored interface(s). By not
having the management interface on this non-routable network, you
mitigate the issues with dual-homed hosts. If you use passive
network taps, that's even better. 100TX taps are $355 a pop these
days (netoptics, with send/receive split into two RJ-45 interfaces.
Under Linux use channel bonding to recombine the traffic into a
virtual interface and direct the IDS to that interface), while 1000SX
taps are $550 each (the receiving NICs are equally expensive for
fiber and a quad 100TX card runs about $400). Pretty cheap and far
better than spanning ports (in terms of packet drops during peak
volume).
To deal with the extra noise, the main focus of a sensor out there is
to monitor attacks against your perimeter devices. You should be
able to craft the monitoring rules to focus on those devices. If
there are other benefits to monitoring in that location, I'd like to
hear from others on the list.
Jon Repaci
GCIA, CISSP
At 7:33 PM +0000 8/9/04, Chris Conacher wrote:
>Dear List
>
>I have moved into an organization that has two RealSecure Network
>Sensors and a network architecture that is VLANd/DMZd to where
>localized deployment to capture traffic would require 8 to 12
>sensors to avoid bridging loops.
>
>The cheapest/simplest option (without deploying SNORT/Prelude, etc -
>the organization wants to remain on a single application
>architecture where possible) is to place the two sensors outside of
>the firewall.
>
>I understand that this means:
>The sensors will be in hostile territory and need to be maintained
>to a very high degree
>There will be an operations overhead of dealing with all of the
>noise that would normally be filtered by a firewall
>
>Does anyone have experience of doing this?
>Are there any other issues that I have not considered?
>
>Chris
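The tap setup Jon describes above (the two RJ-45 legs of a passive tap bonded into one virtual interface that carries no IP address, with the IDS pointed at the bond), as an added shell example that is not part of the original post. The interface names eth1/eth2/bond0, round-robin bonding mode, and the `ip`/`sysctl` commands are assumptions; the check function takes `ip -o addr` output as text so it can be verified against a stored sample.

```shell
#!/bin/sh
# Added example: recombine a passive tap's two legs into bond0 for an IDS
# and verify the sniffing interface carries no address (assumed names).

TAP_A="${TAP_A:-eth1}"   # tap leg carrying one direction (assumption)
TAP_B="${TAP_B:-eth2}"   # tap leg carrying the other direction (assumption)
BOND="${BOND:-bond0}"    # virtual interface the IDS listens on (assumption)

# Build the bond in round-robin mode. Neither leg nor the bond gets an
# address, IPv6 autoconf is switched off so no link-local address appears,
# and everything runs promiscuous so every frame reaches the sensor.
setup_tap_bond() {
    ip link add "$BOND" type bond mode balance-rr
    for leg in "$TAP_A" "$TAP_B"; do
        ip link set "$leg" down
        ip addr flush dev "$leg"
        sysctl -qw "net.ipv6.conf.$leg.disable_ipv6=1"
        ip link set "$leg" master "$BOND"
        ip link set "$leg" promisc on up
    done
    sysctl -qw "net.ipv6.conf.$BOND.disable_ipv6=1"
    ip link set "$BOND" promisc on up
}

# has_address: given the text of `ip -o addr show dev <if>`, return 0 if
# any inet or inet6 address is listed, 1 if the interface is clean.
has_address() {
    printf '%s\n' "$1" | grep -E '(^|[[:space:]])inet6? ' | grep -q .
}

# check_sniff_iface: exit 0 only when the monitored interface has no
# address at all (what the sensor's sniffing side should look like).
check_sniff_iface() {
    if has_address "$(ip -o addr show dev "$1" 2>/dev/null)"; then
        echo "$1 still has an address assigned" >&2
        return 1
    fi
    return 0
}

# As root: setup_tap_bond && check_sniff_iface "$BOND" && snort -i "$BOND"
```

Run the check after every sensor maintenance window; a monitored interface that has silently acquired an address is the dual-homed-host problem the post warns about.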