Security Basics: Inline IDS

Inline IDS

From: Daniel Hood <dsmhood () gmail com>
Date: Mon, 23 Feb 2009 22:31:37 +1100

It seems I have decided on building an inline IDS. One of the ones
with an Ethernet tap. I just had two questions.

When people normally build ethernet taps (with all the soldering and
such), what do they normally use? Is there a certain brand/model of
hub, or do they buy a 4-port patch panel? By ethernet tap I mean one
of those things, that looks like a 4-port patch panel, thats wired so
that the IDS can pick up traffic passively and without impeding
performance or creating a single point of failure.

Also, I'm going to be most likely using either FreeBSD + Snort + Base
or Debian + Snort + Base, do I just need hogwash and/or snort_inline
as well or some other setups/config changes? Are there any changes to
the ethernet adapters set up (or just leave them with no IP addresses
but up?)


Thanks guys,
Daniel

By Date By Thread

Current thread:

Inline IDS Daniel Hood (Feb 24)
- Re: Inline IDS Matthew Topper (Feb 25)
- Re: Inline IDS DHEERAJ RAI (Feb 25)
- <Possible follow-ups>
- Re: Inline IDS Noah . Lance (Feb 25)
  - Re: Inline IDS Daniel Hood (Feb 26)