Intrusion Detection Systems: Re: Making stateful NIDS work in a completely switched network

Re: Making stateful NIDS work in a completely switched network

From: Derek Walker <derwalke_at_cisco.com>
Date: Mon, 14 May 2001 08:56:50 -0700 (PDT)

Archive: http://msgs.securepoint.com/ids
FAQ IDS: http://www.sans.org/newlook/resources/IDFAQ/ID_FAQ.htm
FAQ NIDS: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner_at_uow.edu.au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicited mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo_at_uow.edu.au
-----------------------------------------------------------------------------
Go for option 'B'. All are possibilities, but B seems the most practical
in my experience thus far.

D.

On Mon, 14 May 2001, Kohlenberg, Toby wrote:

> One of the arguments made against NIDS (usually it seems by vendors
> of competing technologies) is that the prevalence of switched networks
> has made deployment of NIDS expensive and less accurate. I don't think
> that's completely true but I can see some of the arguments.
> Having said that, given a network that is completely switched (no hubs
> used to handle traffic at any point), highly redundant (each server
> has at least two NICs feeding into two separate switches) and made primarily
> of VLANs (meaning physical proximity cannot be assured) I can see
> making signature-based NIDS work, I can even see making simple protocol
> analysis work, but I can't see a way to make stateful (connection-aware)
> monitoring work without either:
> a. tapping the entire network and feeding it into a single sensor
> b. dropping sensors at the ingress and egress points.
> c. putting taps on every network drop and feeding them in groups to a
> dedicated sensor.
>
> Any thoughts?
>
> Toby
>
> All opinions are my own and in no way reflect the views of my employer.
Received on May 14 2001
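Added illustration, not part of either message: a minimal TCP handshake tracker replayed over constructed packets, showing why a sensor that sees only one of two redundant links (Toby's dual-NIC servers) cannot keep connection state, while a vantage that sees both directions of every flow (a full tap as in options a/c, or a chokepoint as in b) can. Link names, addresses and ports are constructed.

```python
# Added example (not from the thread). Packet = (link, src, dst, flags).
# A stateful sensor only reaches ESTABLISHED if it sees SYN, SYN-ACK and
# ACK; missing either direction leaves the flow half-seen or mid-stream.

# Constructed traffic: client -> dual-homed server. The request path runs
# over switch link "sw1", the redundant return path over "sw2".
PACKETS = [
    ("sw1", ("10.0.0.5", 40000), ("10.0.1.10", 80), {"SYN"}),
    ("sw2", ("10.0.1.10", 80), ("10.0.0.5", 40000), {"SYN", "ACK"}),
    ("sw1", ("10.0.0.5", 40000), ("10.0.1.10", 80), {"ACK"}),
    ("sw1", ("10.0.0.5", 40000), ("10.0.1.10", 80), {"ACK", "PSH"}),
]

# Sensor vantages from the thread: full tap (a/c) versus one SPAN port.
VANTAGES = {
    "tap everything (a/c)": {"sw1", "sw2"},
    "span on sw1 only": {"sw1"},
    "span on sw2 only": {"sw2"},
}


def flow_key(src, dst):
    """Direction-agnostic key so both halves of a flow map together."""
    return tuple(sorted([src, dst]))


def track(packets, visible_links):
    """Replay only the packets the sensor can see; return flow -> state."""
    state = {}
    for link, src, dst, flags in packets:
        if link not in visible_links:
            continue  # this copy never reaches the sensor
        key = flow_key(src, dst)
        cur = state.get(key)
        if flags == {"SYN"}:
            new = "NEW"
        elif cur is None:
            new = "MIDSTREAM"  # traffic for a flow whose start was never seen
        elif cur == "NEW":
            new = "SYNACK" if flags == {"SYN", "ACK"} else "HALF_SEEN"
        elif cur == "SYNACK":
            new = "ESTABLISHED" if "ACK" in flags else cur
        else:
            new = cur  # terminal states stick for this illustration
        state[key] = new
    return state


if __name__ == "__main__":
    for name, links in VANTAGES.items():
        print(f"{name:22s} -> {track(PACKETS, links)}")
```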
