Re: Avoiding VLAN bridge with N-IDS?

[Mike Frantzen <frantzen () nfr com>]

> My understanding is that the deployment of N-IDS in a VLANd environment 
> where the switch is spanned to enable a single N-IDS to sniff all VLAN 
> traffic creates the risk that the IDS sensor can form a bridge to where 
> someone can compromise the N-IDS machine and then use that to sniff all 
> traffic or else move from VLAN to VLAN.
> Is there information on deploying N-IDS in switched and VLANd environments 
> that do not require one N-IDS per VLAN and avoid the above risk if it does 
> exist?

At NFR we have a custom jail that the sniffing engine is placed into.
Before it starts monitoring network traffic it enters the jail, chroots,
and drops all privileges.  Among other things, the jail prevents the
sniffing engine from sending any packets that aren't TCP resets and
totally detaches the engine from the management interfaces.  When I
wrote the jail, I was terrified by people who have a sniffing interface
outside the firewall and a management interface inside the firewall.

Really good question by the way!

.mike
frantzen@(nfr.com | cvs.openbsd.org | w4g.org)
PGP:  CC A4 E2 E8 0C F8 42 F0  BC 26 85 5B 6F 9E ED 28

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------