Intrusion Detection System (IDS)

Posted on 2004-08-13
Medium Priority
Last Modified: 2010-04-11
Hi experts,

I have been doing some research on security.
According to what I found the following can be setup.

             |            |
           IDS         DMZ

They suggest the IDS to be a system listening in promiscuous mode, having no IP so it cannot be reached or detected.

How is this achieved? The way I understand it, to be able to see traffic it should be connected to a hub/switch, hence having a cable and NIC which will have an IP.
But the diagram doesn't show any switch or device where the IDS is connected to.

Can anyone bring some light over this matter please?

Thanks in advance,
Question by: techfreelance
LVL 22

Expert Comment

ID: 11798984
If you are trying to set up an intrusion detection system, it can be configured to run on your firewall if your firewall is a Linux/BSD based system using IDS software such as SNORT.


There are also commercial applications out there.

At the very basic level, you can put an ethernet card into 'promiscuous' mode so that it listens to every packet on the 'segment' of the net that it is on. On a Linux system, the command you need is tcpdump.


This provides a raw dump of the data that can be filtered/manipulated as required depending on the aspect of interest.

A Windows version of this also exists called windump.


IDS running on the system that might be attacked can normally be easier to configure, and is better integrated into the OS concerned. Software such as ZoneAlarm and the various integrated security suites spring to mind for Windows, and snort for Linux.

IDS relating to detecting penetration can only be accurately run on the system deemed to be the target. Software such as tripwire creates a hash of directories and files to be protected. If the files are compromised, then the hash will not match and an alarm is produced. Obviously the above diagram does not help for this situation.

Remember that tcpdump and its equivalents can be dangerous in the wrong hands. They can sniff out root passwords from the ethernet traffic on the network segment concerned, or even hijack communications between other PCs/servers. However, the 'promiscuous' ethernet card will always have an identity....this will be a MAC address, and an IP address if the card is enabled (OK, I'm sure that someone could create one without these, but all commercial cards do). Note that the MAC address (unique identifier for the device from the manufacturer) can be faked on many cards. However, the card can appear to be invisible because it is firewalled/configured not to respond to anything.
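The tripwire idea from the comment above, as an added example that is not part of the thread and not Tripwire's own code: snapshot digests, permission bits and sizes of every file under a root, then diff a later snapshot against it. Everything it operates on is a constructed tree in a temporary directory. Two practical points the example bakes in: a content hash alone does not catch a setuid bit being flipped on an unchanged binary, so mode bits are recorded too, and the baseline itself must be stored somewhere the intruder cannot rewrite it (off-host or read-only media), which a host-based check like this cannot do for you.

```python
"""Tripwire-style file integrity check: record a baseline, then re-verify.

Added example; not code from the original thread and not Tripwire's own code.
The demo() scenario is constructed in a temporary directory.
"""
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file's contents, read in chunks so large binaries don't load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every file under root (path relative to root) to digest, mode bits and size.

    Content hashing alone would miss a `chmod u+s` on an unchanged binary, so the
    permission bits and size are recorded too. Symlinks are recorded by target,
    not followed, so a link swung at another file shows up as a modification.
    """
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if os.path.islink(full):
                baseline[rel] = {"link": os.readlink(full)}
                continue
            st = os.stat(full)
            baseline[rel] = {"sha256": hash_file(full), "mode": st.st_mode & 0o7777, "size": st.st_size}
    return baseline


def compare(baseline, current):
    """Diff two baselines -> {'added', 'removed', 'modified'} with sorted relative paths."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def _write(path, data, mode=0o644):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, mode)   # fixed mode so the result does not depend on the umask


def demo():
    """Constructed scenario: snapshot a fake system tree, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as root:
        _write(os.path.join(root, "bin", "login"), b"\x7fELF original login")
        _write(os.path.join(root, "bin", "ls"), b"\x7fELF ls", 0o755)
        _write(os.path.join(root, "etc", "passwd"), b"root:x:0:0:root:/root:/bin/sh\n")
        _write(os.path.join(root, "etc", "shadow"), b"root:$6$salt$hash:0:0:99999:7:::\n", 0o600)
        baseline = build_baseline(root)   # in production: store this off-host or on read-only media

        # An intruder trojans a binary, adds a uid-0 account, makes ls setuid
        # without touching its bytes, drops a backdoor script and deletes shadow.
        _write(os.path.join(root, "bin", "login"), b"\x7fELF trojaned login")
        with open(os.path.join(root, "etc", "passwd"), "ab") as f:
            f.write(b"toor:x:0:0::/:/bin/sh\n")
        os.chmod(os.path.join(root, "bin", "ls"), 0o4755)
        _write(os.path.join(root, "etc", "backdoor.sh"), b"#!/bin/sh\n/bin/sh -i\n", 0o755)
        os.remove(os.path.join(root, "etc", "shadow"))

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9}{paths}")
```

Running it prints the added backdoor, the removed shadow file, and three modified entries; `bin/ls` appears among them purely because of the mode change, which is the case a hash-only checker misses.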

LVL 51

Expert Comment

ID: 11799068
the docs are right: your IDS is plugged into a hub right before your firewall, and it doesn't need an IP 'cause it only listens to what's going on
Keep in mind that it's a hub; if you use a switch you need to plug your IDS into the monitor port (which needs to monitor *all* other ports at once)

I slightly disagree with pjedmond, I'd not install the IDS on the firewall (unless you plan to use an IDS/IPS).
If you really want to spend money and time on looking at what happens, then there should be an IDS before, and one after the firewall, and probably a 3rd one in your LAN. All these IDS connected via an admin LAN to monitor them and compare results.
LVL 23

Expert Comment

by:Tim Holman
ID: 11800782
IDS are layer 2 devices, so don't need IP addresses.  However, they do need to see all the packets that need looking at, so need to be connected to a SPAN port or hub or network tap in order to see what's going on.
Think of it as just plugging a hub or switch into your network.  They don't need IP addresses for the same reason as IDS devices don't.  :)


LVL 22

Expert Comment

ID: 11801449
Sorry - ahoffmann - I'm a cheapskate, and don't like spending money....you're absolutely right - ideally a firewall should be just that - the more stuff you add to it the more chance of it being breached!

Having said that many commercial products stick the IDS on the firewall - in order to add perceived value?


Author Comment

ID: 11801580
tim holman>> IDS are layer 2 devices, so don't need IP addresses.

So, should I understand IDS are hardware devices (that plug into a hub) or a PC with software installed listening through a NIC (with no IP???)?


LVL 22

Expert Comment

ID: 11801620
The dedicated ones are specialist hardware devices that you just plug into a network. The ones I've seen actually then connect to a PC via a serial port for further analysis. However the PC was configured with a Rocket Port (32 serial ports card)...and could connect to 32 of these things.  Alternatively, you can use a PC with the software running on it. If it's the PC version, then ethernet cards just happen to come with MAC addresses and get allocated an ip address in order to work.
LVL 79

Expert Comment

ID: 11802919
IDSs need 2 interfaces. One that is promiscuous and does not have an IP address, and another interface for the management/monitoring software to be able to address the device. Else, how can you see the alerts/alarms? Think Snort/ACID, Cisco IDS, and several others..

My opinion, for what it's worth:
It is a given fact that every nut job on the planet is knocking on your front door. What good is an IDS sitting in front of your firewall? All you're doing is confirming that fact and you get so many positives that you can't possibly get meaningful information. Unless your IDS and router work hand-in-hand to automatically adjust the inbound access-list restrictions to put temporary blocks on those networks that are the source of the alarms, it does not do much good.
My preference is to place the IDS on the INSIDE of my firewall. Your firewall's job is to automatically block all those bad guys anyway, but I want to know what's going on INSIDE my network. The IDS can pickup worm/virus behavior, as well as possible intruders that get through the firewall. THIS is much more meaningful information.
Of course, the ideal situation would be to have both inside and outside with the screening router, IDS's and firewall all working as a single team...
LVL 23

Accepted Solution

Tim Holman earned 2000 total points
ID: 11803585

Also, remember IDS is only ever any good for forensics.  To use it as a live detection-blocking solution and answer-to-everything-that-firewalls-cannot-do is the wrong way to go.

>So, should I understand IDS are hardware devices (that plug into a hub) or a PC with software installed listening through a NIC (with no IP???)?

Either.  PCs can run their network adaptors in a special L2 mode called 'promiscuous mode'.  They will just soak up all the traffic silently and analyse.

To get you started, why not download the Windows version of Snort from www.snort.org.  This requires an additional driver to get things working, called WinPCap, which is a generic L2 capturing driver which fits over most network cards, and will give you an idea of what IDS is and how it works, all for free.

You will also see the HUGE amount of data IDS systems will generate.  They need a hell of a lot of tuning to reduce false positives, plus 24x7 event management to be effective.  If it's just you as a network administrator in the company, then you simply will not have time to sift through everything.  In this situation, you would look at an IPS (Intrusion Prevention System), which will actively block attacks without you having to 24x7 manage the thing.  Take a look at www.toplayer.com, for example...  ;)

IDS has its uses - but don't go spending too much on it, or focus on this without looking at your holistic security solution - which should include firewalling, IPS, anti-virus, patch management, network IDS, host IDS, security event management etc etc.

Also look at what Gartner have to say - basically, IDS is Dead, long live IPS...
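What "layer 2 device, no IP address" and "promiscuous mode ... soak up all the traffic silently" mean in practice, as an added example that is not part of the thread and is not Snort's or WinPcap's code. The capture half is Linux-specific: a raw AF_PACKET socket is bound to an interface that has no address configured, and the IFF_PROMISC flag is set with the SIOCGIFFLAGS/SIOCSIFFLAGS ioctls (root required). The NIC still has a MAC, but with no IP it never answers ARP or anything else, which is the "cannot be reached" property from the question. The rest of the block is the analysis side: decode Ethernet/IPv4/TCP headers out of the raw frame and test a Snort-style content rule against the payload. The rules and the sample frames are constructed for this example and run offline without any network.

```python
"""Passive layer-2 sensor: capture on an IP-less NIC, decode, match a rule.

Added example, not code from the original thread and not Snort's own code.
The capture half (open_promiscuous, sniff_loop) is Linux-only and needs root;
decode_frame/match_rules/scan run anywhere on the constructed frames below.
"""
import fcntl
import socket
import struct

# Linux ioctl request numbers and interface flag bit (<linux/sockios.h>, <net/if.h>).
SIOCGIFFLAGS = 0x8913
SIOCSIFFLAGS = 0x8914
IFF_PROMISC = 0x100
ETH_P_ALL = 0x0003

# Rules in the spirit of a Snort signature: (ip proto, dest port, content, message).
# Constructed for this example; not real Snort rules or SIDs.
RULES = [
    (6, 80, b"/etc/passwd", "WEB-MISC /etc/passwd access"),
    (6, 80, b"cmd.exe", "WEB-IIS cmd.exe access"),
]


def open_promiscuous(ifname):
    """Bind a raw AF_PACKET socket to ifname and set IFF_PROMISC on it.

    No IP address is ever assigned: the card only receives. It still has a MAC,
    but with no address configured it never answers ARP, pings or anything else.
    """
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    s.bind((ifname, 0))
    name = ifname.encode()
    flags = struct.unpack("16sH", fcntl.ioctl(s.fileno(), SIOCGIFFLAGS, struct.pack("16sH", name, 0)))[1]
    fcntl.ioctl(s.fileno(), SIOCSIFFLAGS, struct.pack("16sH", name, flags | IFF_PROMISC))
    return s


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def decode_frame(frame):
    """Decode Ethernet II -> IPv4 -> TCP/UDP headers. Returns a dict, or None if not IPv4."""
    if len(frame) < 34:
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        return None
    ip = frame[14:]
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, saddr, daddr = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    l4 = ip[(ver_ihl & 0x0F) * 4:total_len]
    rec = {"src_mac": _mac(src), "dst_mac": _mac(dst), "src_ip": socket.inet_ntoa(saddr),
           "dst_ip": socket.inet_ntoa(daddr), "proto": proto, "sport": None, "dport": None, "payload": b""}
    if proto == 6 and len(l4) >= 20:        # TCP: data offset is the top 4 bits of word 6
        sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", l4[:14])
        rec.update(sport=sport, dport=dport, payload=l4[(off_flags >> 12) * 4:])
    elif proto == 17 and len(l4) >= 8:      # UDP: fixed 8-byte header
        sport, dport = struct.unpack("!HH", l4[:4])
        rec.update(sport=sport, dport=dport, payload=l4[8:])
    return rec


def match_rules(rec, rules=RULES):
    """Return the messages of every rule whose proto, port and content all match."""
    if rec is None:
        return []
    return [msg for proto, dport, content, msg in rules
            if rec["proto"] == proto and rec["dport"] == dport and content in rec["payload"]]


def scan(frames, rules=RULES):
    """Offline run over a list of frames -> [(src_ip, message), ...]."""
    hits = []
    for frame in frames:
        rec = decode_frame(frame)
        hits.extend((rec["src_ip"], msg) for msg in match_rules(rec, rules))
    return hits


def sniff_loop(ifname, rules=RULES):
    """Live run: read frames off the promiscuous NIC forever and print alerts."""
    s = open_promiscuous(ifname)
    while True:
        rec = decode_frame(s.recv(65535))
        for msg in match_rules(rec, rules):
            print(f"[ALERT] {rec['src_ip']}:{rec['sport']} -> {rec['dst_ip']}:{rec['dport']}  {msg}")


def build_tcp_frame(src_ip, dst_ip, sport, dport, payload):
    """Construct a minimal Ethernet/IPv4/TCP frame for offline testing (checksums left zero)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = bytes.fromhex("00005e0053aa") + bytes.fromhex("00005e0053bb") + b"\x08\x00"
    return eth + ip + tcp


# Constructed sample traffic: a traversal attempt, a benign request, 'cmd.exe' on the wrong port.
SAMPLE_FRAMES = [
    build_tcp_frame("192.0.2.10", "198.51.100.5", 40001, 80,
                    b"GET /cgi-bin/view?file=../../etc/passwd HTTP/1.0\r\n\r\n"),
    build_tcp_frame("192.0.2.11", "198.51.100.5", 40002, 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
    build_tcp_frame("192.0.2.12", "198.51.100.5", 40003, 25, b"HELO cmd.exe\r\n"),
]

if __name__ == "__main__":
    print(scan(SAMPLE_FRAMES))   # offline demo; sniff_loop("eth1") for the live sensor
```

The offline run raises exactly one alert, for the traversal attempt; the `cmd.exe` string on port 25 is ignored because the rule is bound to port 80, which is also the simplest illustration of why untuned rules produce the flood of output Tim Holman describes: drop the port condition and every SMTP session mentioning the string would fire too. On a real sensor the `sniff_loop` interface is the promiscuous, address-less one; alerts still have to leave the box somehow, which is what the separate management interface in lrmoore's comment is for.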


LVL 51

Expert Comment

ID: 11804895
hmm, all comments repeating mine http:#11799068
Think we got it all now ;-))
LVL 22

Expert Comment

ID: 11805093
...of which many were repeating mine ;)
LVL 51

Expert Comment

ID: 11805124
>  .. ethernet card will always have an identity....this will be a MAC address, and an IP address
pjedmond, this is wrong :-|
LVL 22

Expert Comment

ID: 11805165
..oh - OK then - Commercial cards always have a MAC address even if they don't exhibit it to the outside world, and IP addresses if they are actively being used to communicate on an IP based communications system....and yes I know it's possible to erase or alter that identity. I know that I might be simplifying things a little, and I also accept that my experience may not be as broad as yours.

I also appreciate that cards as part of the DHCP and other protocols broadcast requests for being given an identity, but they still identify themselves using the MAC address as far as I'm aware. If I'm still missing something in the above, I obviously need to learn (me AT cb DOT ws)

Many thanks:)
