IDS mailing list archives

Re: Avoiding VLAN bridge with N-IDS?


From: ADT <synfinatic () gmail com>
Date: Mon, 9 Aug 2004 16:55:59 -0700

On Mon, 09 Aug 2004 19:31:54 +0000, Chris Conacher
<chris_conacher () hotmail com> wrote:
> My understanding is that the deployment of N-IDS in a VLANd environment
> where the switch is spanned to enable a single N-IDS to sniff all VLAN
> traffic creates the risk that the IDS sensor can form a bridge to where
> someone can compromise the N-IDS machine and then use that to sniff all
> traffic or else move from VLAN to VLAN.
>
> Is there information on deploying N-IDS in switched and VLANd environments
> that do not require one N-IDS per VLAN and avoid the above risk if it does
> exist?

Generally speaking, NIDS are deployed with a dedicated management
interface so that the sniffing interface does not have an IP address. 
While this still allows a NIDS to be attacked, it makes gaining access
to the NIDS much more difficult.  Even better, put a restrictive
inbound and outbound firewall policy for the NIDS.

Of course, if the attacker gets through your defenses, nothing
prevents them from sniffing all the traffic.  However, using a network
tap would prevent them from injecting packets back into the network,
assuming your IDS doesn't use some lame attempt to reset malicious
connections.

-Aaron

-- 
http://synfin.net/
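The deployment advice in the reply (address-less sniffing interface, separate management interface, default-deny firewall in both directions) can be checked mechanically on a Linux sensor. The audit script below is an added example, not code from Aaron or from the list; it assumes the text formats of `ip addr show` and `iptables-save`, and the two sample dumps are constructed for illustration. It also checks that the FORWARD chain defaults to DROP, which is the host-side control against the VLAN-bridge concern raised in the question.

```python
import re

# Constructed sample of `ip addr show` on a sensor: eth0 is the management
# interface, eth1 the promiscuous sniffing port with no address at all.
GOOD_IP_ADDR = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
    inet 10.0.50.12/24 brd 10.0.50.255 scope global eth0
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff
"""

# Constructed sample of `iptables-save` for the same host: default-deny in all
# directions, SSH only from the management network, nothing at all on eth1.
GOOD_IPTABLES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -s 10.0.50.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -d 10.0.50.0/24 -m conntrack --ctstate ESTABLISHED -j ACCEPT
COMMIT
"""

# Header line of each interface block, e.g. "3: eth1: <BROADCAST,PROMISC,UP>"
IFACE_RE = re.compile(r"^\d+: (\S+?)(?:@\S+)?: <([^>]*)>")


def parse_ip_addr(text):
    """Return {iface: {"flags": set, "addrs": [cidr]}} from `ip addr show` output."""
    ifaces, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            ifaces[current] = {"flags": set(m.group(2).split(",")), "addrs": []}
            continue
        parts = line.split()
        # Both IPv4 and IPv6 count: even a link-local v6 address makes the
        # port answer neighbour discovery, which a pure sniffing port should not.
        if current and len(parts) >= 2 and parts[0] in ("inet", "inet6"):
            ifaces[current]["addrs"].append(parts[1])
    return ifaces


def parse_iptables_save(text):
    """Return (chain policies, append rules) for the filter table of a dump."""
    policies, rules, table = {}, [], None
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif table == "filter" and line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif table == "filter" and line.startswith("-A "):
            rules.append(line)
    return policies, rules


def audit_sensor(ip_addr_text, iptables_text, sniff_ifaces):
    """Return a list of findings; an empty list means the host matches the advice."""
    findings = []
    ifaces = parse_ip_addr(ip_addr_text)
    policies, rules = parse_iptables_save(iptables_text)
    for name in sniff_ifaces:
        info = ifaces.get(name)
        if info is None:
            findings.append(f"{name}: sniffing interface not present")
            continue
        if info["addrs"]:
            findings.append(f"{name}: sniffing interface has addresses {info['addrs']}")
        if "PROMISC" not in info["flags"]:
            findings.append(f"{name}: sniffing interface is not in promiscuous mode")
        # Any ACCEPT rule bound to the sniffing port gives it a path into the host.
        for rule in rules:
            if (f"-i {name} " in rule or f"-o {name} " in rule) and rule.endswith("-j ACCEPT"):
                findings.append(f"{name}: firewall accepts traffic on sniffing interface: {rule}")
    # Default-deny inbound and outbound; FORWARD DROP keeps the box from bridging VLANs.
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        if policies.get(chain) != "DROP":
            findings.append(f"{chain}: default policy is {policies.get(chain, 'missing')}, expected DROP")
    return findings


if __name__ == "__main__":
    for finding in audit_sensor(GOOD_IP_ADDR, GOOD_IPTABLES, ["eth1"]) or ["no findings"]:
        print(finding)
```

On a live host, feed it the real output of `ip addr show` and `iptables-save` instead of the constructed samples; a tap on the sniffing side removes the injection path entirely, but the host-side checks above still matter because the management interface remains reachable.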
