IDS mailing list archives

Re: Bridge IDS


From: "David W. Goodrum" <dgoodrum () nfr com>
Date: Thu, 05 Aug 2004 11:35:56 -0400

Most IPS devices can be implemented in passive mode. The important thing here is that you probably need network availability, which is the beauty of using a network tap with an IDS. The good news is that many IPS devices come with sever closed (just like a network tap) or sever open interfaces, depending on your preference. You want sever closed, so that if the IPS goes down, your network will still be functional. Then, if you simply don't implement the blocking portion, and just leave it in detection mode, you've essentially got a bridging, highly available IDS. If you were to just use plain old NICs like you are suggesting, then you would risk the possibility of taking down your network if the sensor should fail. Of course, if you can't afford the cost of a $500 tap along with your free Snort box, you probably can't afford the types of products that would include this bridging, sever closed technology either. I know that NFR's proprietary NICs that perform this high availability function cost more than a $500 tap. But.... sometimes you get what you pay for. :) You might be better off watching eBay for a network tap for your IDS if price is the issue. Or, try using a $50 hub from Best Buy as your bridge, then just have your Snort IDS box sniff that.

good luck,

dave

Lee Sheng wrote:

All,


Perhaps this is a silly question, however I want to know: if a bridge firewall can be done, how about building a bridge IDS? I know there is snort-inline (consider it an IPS) that we can use, but what I mean is just Snort without patching. Using three network interfaces, two for building a bridge and one for console. Can it be done? A tap is far too expensive for an individual like me :)

Any suggestion would be appreciated! Thanks.


Regards,
Lee



--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------


--
David W. Goodrum
Senior Systems Engineer
NFR Security
703.731.3765
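The setup Lee asks about and Dave describes (two NICs enslaved to a Linux bridge, no IP on the sniffing ports, management on a third NIC, Snort running purely in detection mode on the bridge) looks roughly like the script below. This is an added example, not code from either poster or from NFR; the interface names eth1/eth2/br0, the Snort config path and the log directory are assumptions. The Snort flags used (-i, -c, -D, -l) are the Snort 2.x command-line options. It needs root on a real host; with DRY_RUN=1 it only prints the commands.

```shell
#!/bin/sh
# Added example: transparent Linux bridge from two plain NICs with Snort
# sniffing the bridge in passive (detection-only) mode.
# Assumed names: br0 = bridge, eth1/eth2 = the two bridged NICs, eth0 = console.

BRIDGE="${BRIDGE:-br0}"
INSIDE="${INSIDE:-eth1}"     # assumed: NIC toward the protected segment
OUTSIDE="${OUTSIDE:-eth2}"   # assumed: NIC toward the upstream router
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"   # assumed path
SNORT_LOG="${SNORT_LOG:-/var/log/snort}"            # assumed path

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create the bridge and enslave both sniffing NICs. Neither port nor the
# bridge itself gets an IP address, so the sensor has no layer-3 presence
# on the monitored segment; the console NIC (eth0) is left untouched.
build_bridge() {
    run ip link add name "$BRIDGE" type bridge
    run ip link set dev "$INSIDE" master "$BRIDGE"
    run ip link set dev "$OUTSIDE" master "$BRIDGE"
    for dev in "$INSIDE" "$OUTSIDE" "$BRIDGE"; do
        run ip addr flush dev "$dev"
        run ip link set dev "$dev" promisc on
        run ip link set dev "$dev" up
    done
}

# Sanity check on the live host: both NICs must show up as bridge ports,
# otherwise the segment is cut and nothing is being forwarded.
check_bridge() {
    [ -d "/sys/class/net/$BRIDGE/brif/$INSIDE" ] &&
    [ -d "/sys/class/net/$BRIDGE/brif/$OUTSIDE" ]
}

# Run unpatched Snort against the bridge interface; it only alerts, never
# drops, because the bridge forwards frames regardless of what Snort says.
start_snort() {
    run snort -i "$BRIDGE" -c "$SNORT_CONF" -l "$SNORT_LOG" -D
}

# Usage: sh bridge-ids.sh up        (or DRY_RUN=1 sh bridge-ids.sh up)
if [ "${1:-}" = "up" ]; then
    build_bridge
    if [ "${DRY_RUN:-0}" != "1" ]; then
        check_bridge || { echo "bridge ports missing, refusing to start" >&2; exit 1; }
    fi
    start_snort
fi
```

The caveat is exactly the one Dave raises: with ordinary NICs the bridge lives and dies with the sensor host, so a kernel panic, a pulled power cord or a NIC driver hang on the Snort box takes the monitored segment down with it, where a tap or a fail-through interface would keep traffic flowing. check_bridge only catches a misconfigured bridge at start-up, not a host that fails later.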




