[Snort-users] Re: IDS Design Help

Richard Bejtlich richard_bejtlich at ...131...
Mon Feb 9 07:06:01 EST 2004


Here are my ideas on your questions:

1.  Forget the Intrusion.com product.  While the
bandwidth you describe (T-1, then 10 Mbps later)
isn't a problem for the single-output Intrusion
Ethernet tap, it won't scale at higher loads.
Single-output taps combining two transmit (TX) lines
(from the "Internet" and "LAN" in your diagram) can
theoretically exceed 100 Mbps, potentially pushing 200
Mbps.  If you want a single-output tap which combines
the two TX lines, look at NetOptic's port aggregator
tap.  Each TX line has RAM to buffer packets in the
event the total bandwidth to the single-output exceeds
100 Mbps.  The Intrusion.com product just drops
packets.  (NetOptics will too, if the traffic "burst"
exceeds the buffer over a prolonged period.)

An alternative to single-output taps are dual-output
taps.  You can recombine the two TX lines using
FreeBSD's netgraph implementation
or using channel bonding in Linux.

2.  I recommend putting the IDS management NICs in a
separate DMZ off the firewall, and implementing access
control to the management NIC on the sensors
themselves and on the firewall.  This really depends
on your assessment of the threat, however.  Keep in
mind if you put the management interfaces on your
internal LAN, a compromise of your sensors could yield
internal LAN access.  I've never heard of this
although exploits for old versions of Snort, Ethereal,
and Tcpdump which attack promiscuous listeners do

3 and 4.  Try Sguil (sguil.sf.net).  Alerts from both
sensors can be made available in a single interface,
making for easy comparison.  I will be writing a new
Sguil install doc incorporating the latest Sguil
version, Snort 2.1.1, and hopefully MySQL 4.x once I
finish my book draft.


Richard Bejtlich
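The buffering argument in item 1, as an added example that is not part of the original post: a small simulation of a single-output tap that merges the "Internet" and "LAN" TX lines onto one 100 Mbps output. It assumes loads given in Mbps per 1-second interval and a tap RAM buffer measured in megabits; a buffer of 0 models a tap that simply drops.

```python
"""Simulate a single-output Ethernet tap combining two TX lines.

Added example (not from the original post). Assumptions: the tap's
output link is 100 Mbps, loads are Mbps averaged over 1-second
intervals, and the tap's RAM buffer is sized in megabits.
"""
from dataclasses import dataclass


@dataclass
class TapResult:
    forwarded_mb: float    # megabits delivered to the sensor
    dropped_mb: float      # megabits lost because the buffer was full
    peak_backlog_mb: float # largest amount ever held in the buffer


def simulate_tap(internet_tx, lan_tx, output_mbps=100.0, buffer_mb=0.0):
    """Walk both TX lines one interval (1 s) at a time.

    Each interval the tap receives internet_tx[i] + lan_tx[i] megabits
    but can emit at most output_mbps megabits.  Excess is queued in the
    buffer; once the buffer is full the remainder is dropped.  With
    buffer_mb=0 every megabit above output_mbps is lost immediately.
    """
    if len(internet_tx) != len(lan_tx):
        raise ValueError("both TX lines need the same number of intervals")
    backlog = 0.0
    forwarded = dropped = peak = 0.0
    for a, b in zip(internet_tx, lan_tx):
        offered = backlog + a + b            # queued plus newly received
        sent = min(offered, output_mbps)     # the output link's ceiling
        forwarded += sent
        remaining = offered - sent
        backlog = min(remaining, buffer_mb)  # keep what fits in RAM
        dropped += remaining - backlog       # the rest is gone
        peak = max(peak, backlog)
    return TapResult(forwarded, dropped, peak)


if __name__ == "__main__":
    # Constructed loads: a two-second burst where both lines run near 75 Mbps.
    internet = [30, 80, 80, 30]
    lan = [30, 70, 70, 30]
    print("no buffer:  ", simulate_tap(internet, lan))
    print("60 Mb buffer:", simulate_tap(internet, lan, buffer_mb=60))
```

A one-second burst is absorbed by the buffer, while the two-second burst above still drops 40 Mb, which is the "prolonged period" case from the post.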

