
Intrusion Detection System (IDS)

Hi experts,

I have been doing some research on security.
According to what I found the following can be setup.

             |            |
           IDS         DMZ

They suggest the IDS to be a system listening in promiscuous mode, having no IP so it cannot be reached or detected.

How is this achieved? The way I understand it, to be able to see traffic it should be connected to a hub/switch, hence having a cable and NIC which will have an IP.
But the diagram doesn't show any switch or device where the IDS is connected to.

Can anyone bring some light over this matter please?

Thanks in advanced,
1 Solution
If you are trying to set up an intrusion detection system, it can be configured to run on your firewall if your firewall is a Linux/BSD based system using IDS software such as SNORT:


There are also commercial applications out there.

At the very basic level, you can put an ethernet card into 'promiscuous' mode so that it listens to every packet on the 'segment' of the net that it is on. On a linux system, the command you need is tcpdump:


This provides a raw dump of the data that can be filtered/manipulated as required depending on the aspect of interest.

A windows version of this also exists called windump:


IDS running on the system that might be attacked can normally be easier to configure, and is better integrated into the OS concerned. Software such as zone alarm, and the various integrated security suites spring to mind for Windows, and snort for linux.

IDS relating to detecting penetration can only be accurately run on the system deemed to be the target. Software such as tripwire:


Creates a hash of directories and files to be protected. If the files are compromised, then the hash will not match and an alarm is produced. Obviously the above diagram does not help for this situation.

Remember that tcpdump and its equivalents can be dangerous in the wrong hands. They can sniff out root passwords from the ethernet traffic on the network segment concerned, or even hijack communications between other PCs/Servers. However, the 'promiscuous' ethernet card will always have an identity....this will be a MAC address, and an IP address if the card is enabled (OK, I'm sure that someone could create one without these, but all commercial cards do). Note that the MAC address (unique identifier for the device from the manufacturer) can be faked on many cards. However, the card can appear to be invisible because it is firewalled/configured not to respond to anything.
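The tripwire idea from the answer above (hash the files to be protected, alarm when a hash no longer matches), as an added example that is not from the original thread or from Tripwire itself. It assumes nothing beyond the Python standard library; the directory tree in `demo()` is constructed in a temporary folder and stands in for real system files.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def hash_file(path, chunk=65536):
    """SHA-256 of one file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root):
    """Map each regular file under root (POSIX relative path) to its digest and permission bits."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): {"sha256": hash_file(p), "mode": p.stat().st_mode & 0o7777}
            for p in sorted(root.rglob("*")) if p.is_file()}

def save_baseline(root, out):
    """Write the baseline as JSON; keep it (and this script) off the monitored host or on read-only media."""
    Path(out).write_text(json.dumps(snapshot(root), indent=1, sort_keys=True))

def load_baseline(path):
    return json.loads(Path(path).read_text())

def compare(baseline, current):
    """Files added, removed, or whose hash/mode no longer match the baseline (each list sorted)."""
    old, new = set(baseline), set(current)
    return {"added": sorted(new - old), "removed": sorted(old - new),
            "changed": sorted(p for p in old & new if baseline[p] != current[p])}

def demo():
    """Constructed scenario (temporary files, not a real system): baseline a tree, alter it, re-check."""
    with tempfile.TemporaryDirectory() as d, tempfile.TemporaryDirectory() as store:
        root, baseline = Path(d), Path(store) / "baseline.json"
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF original")
        save_baseline(root, baseline)
        # Changes a check should catch: binary replaced (same size, different hash), an account line
        # appended, a file deleted, and an unexpected new file.
        (root / "bin" / "ls").write_bytes(b"\x7fELF replaced")
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\nextra:x:0:0::/:/bin/sh\n")
        (root / "etc" / "hosts").unlink()
        (root / "etc" / "shadow.bak").write_text("")
        return compare(load_baseline(baseline), snapshot(root))
```

`demo()` returns the report for the constructed tree; on a real host you would run `save_baseline` once from a known-good state and schedule `compare(load_baseline(...), snapshot(...))` periodically.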

The docs are right: your IDS is plugged into a hub right before your firewall, and it doesn't need an IP 'cause it only listens to what's going on.
Keep in mind that it's a hub, if you use a switch you need to plug your IDS in to the monitor port (which needs to monitor *all* other ports at once)

I slightly disagree with pjedmond, I'd not install the IDS on the firewall (except you plan to use an IDS/IPS).
If you really want to spend money and time for looking what happens, then there should be an IDS before, and one after the firewall, and probably a 3rd one in your LAN. All these IDS connected via an admin-LAN to monitor them and compare results.
Tim Holman commented:
IDS are layer 2 devices, so don't need IP addresses.  However, they do need to see all the packets that need looking at, so need to be connected to a SPAN port or hub or network tap in order to see what's going on.
Think of it as just plugging a hub or switch into your network.  They don't need IP addresses for the same reason as IDS devices don't.  :)
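The layer 2 listening that Tim Holman, ahoffmann and pjedmond describe (a NIC with no IP address, switched to promiscuous mode, feeding Snort-style signatures), as an added example that is not from the thread or from Snort. It is Linux-only for the capture part, assumes an interface name such as `eth1` and a `TRUSTED` network of 192.168.1.0/24, and the frames in `build_sample` are constructed rather than captured.

```python
import ipaddress
import socket
import struct

ETH_P_ALL, ETH_P_IP, PACKET_MR_PROMISC = 0x0003, 0x0800, 1
TRUSTED = ipaddress.ip_network("192.168.1.0/24")  # assumed internal LAN; adjust to your site

def parse_frame(frame):
    """Decode Ethernet II / IPv4 / TCP-UDP headers; None for non-IPv4 or truncated frames."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    pkt = {"src_mac": frame[6:12].hex(":"), "src": socket.inet_ntoa(frame[26:30]),
           "dst": socket.inet_ntoa(frame[30:34]), "proto": proto, "sport": None, "dport": None, "flags": 0}
    l4 = frame[14 + ihl:]
    if proto in (6, 17) and len(l4) >= 4:          # TCP or UDP: ports are the first two fields
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", l4[:4])
    if proto == 6 and len(l4) >= 14:               # TCP: flag byte sits at offset 13
        pkt["flags"] = l4[13]
    return pkt

# Toy signatures in the spirit of Snort rules: (name, predicate over a parsed packet).
RULES = [
    ("SSH SYN from untrusted host", lambda p: p["proto"] == 6 and p["dport"] == 22
        and bool(p["flags"] & 0x02) and ipaddress.ip_address(p["src"]) not in TRUSTED),
    ("TCP NULL scan (no flags set)", lambda p: p["proto"] == 6 and p["flags"] == 0),
]

def check(frame):
    """Names of every rule the frame triggers; empty list for benign or non-IPv4 frames."""
    pkt = parse_frame(frame)
    return [name for name, hit in RULES if pkt and hit(pkt)]

def build_sample(src, dst, dport, flags):
    """Constructed test frame (not captured traffic): Ethernet II + IPv4 + 20-byte TCP header."""
    eth = bytes.fromhex("001122334455aabbccddeeff") + struct.pack("!H", ETH_P_IP)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, flags, 1024, 0, 0)

def sniff(iface):
    """Capture on an interface that has no IP address: AF_PACKET works at layer 2 (Linux, root)."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    s.bind((iface, 0))
    # Put the NIC into promiscuous mode so frames addressed to other MACs are delivered as well.
    mreq = struct.pack("iHH8s", socket.if_nametoindex(iface), PACKET_MR_PROMISC, 0, bytes(8))
    s.setsockopt(socket.SOL_PACKET, socket.PACKET_ADD_MEMBERSHIP, mreq)
    while True:
        frame = s.recv(65535)
        for name in check(frame):
            print("ALERT:", name, parse_frame(frame))
```

Run `sniff("eth1")` as root on the sniffing interface, which can stay entirely unaddressed; alerts still need a separate management path to reach you, as the later comments in the thread point out.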

Sorry - ahoffmann - I'm a cheapskate, and don't like spending money....you're absolutely right - ideally a firewall should be just that - the more stuff you add to it the more chance of it being breached!

Having said that many commercial products stick the IDS on the firewall - in order to add perceived value?

techfreelance (Author) commented:
tim holman>> IDS are layer 2 devices, so don't need IP addresses.

So, should I understand IDS are hardware devices (that plug into a hub) or a PC with software installed listening through a NIC (with no IP???)?


The dedicated ones are specialist hardware devices that you just plug into a network. The ones I've seen actually then connect to a PC via a serial port for further analysis. However the PC was configured with a Rocket Port (32 serial ports card)...and could connect to 32 of these things.  Alternatively, you can use a PC with the software running on it. If it's the PC version, then ethernet cards just happen to come with MAC addresses and get allocated an IP address in order to work.
IDS's need 2 interfaces. One that is promiscuous and does not have an IP address, and another interface for the management/monitoring software to be able to address the device. Else, how can you see the alerts/alarms? Think Snort/ACID, Cisco IDS, and several others..

My opinion, for what it's worth:
It is a given fact that every nut job on the planet is knocking on your front door. What good is an IDS sitting in front of your firewall? All you're doing is confirming that fact and you get so many positives that you can't possibly get meaningful information. Unless your IDS and router work hand-in-hand to automatically adjust the inbound access-list restrictions to put temporary blocks on those networks that are the source of the alarms, it does not do much good.
My preference is to place the IDS on the INSIDE of my firewall. Your firewall's job is to automatically block all those bad guys anyway, but I want to know what's going on INSIDE my network. The IDS can pickup worm/virus behavior, as well as possible intruders that get through the firewall. THIS is much more meaningful information.
Of course, the ideal situation would be to have both inside and outside with the screening router, IDS's and firewall all working as a single team...
Tim Holman commented:

Also, remember IDS is only ever any good for forensics.  To use it as a live detection-blocking solution and answer-to-everything-that-firewalls-cannot-do is the wrong way to go.

>So, should I understand IDS are hardware devices (that plug into a hub) or a PC with software installed listening through a NIC (with no IP???)?

Either.  PCs can run their network adaptors in a special L2 mode called 'promiscuous mode'.  They will just soak up all the traffic silently and analyse.

To get you started, why not download the Windows version of Snort from www.snort.org.  This requires an additional driver to get things working, called WinPCap, which is a generic L2 capturing driver which fits over most network cards, and will give you an idea of what IDS is and how it works, all for free.

You will also see the HUGE amount of data IDS systems will generate.  They need a hell of a lot of tuning to reduce false positives, plus 24x7 event management to be effective.  If it's just you as a network administrator in the company, then you simply will not have time to sift through everything.  In this situation, you would look at an IPS (Intrusion Prevention System), which will actively block attacks without you having to 24x7 manage the thing.  Take a look at www.toplayer.com, for example...  ;)

IDS has its uses - but don't go spending too much on it, or focus on this without looking at your holistic security solution - which should include firewalling, IPS, anti-virus, patch management, network IDS, host IDS, security event management etc etc.

Also look at what Gartner have to say - basically, IDS is Dead, long live IPS...


hmm, all comments repeating mine http:#11799068
Think we got it all now ;-))
...of which many were repeating mine ;)
>  .. ethernet card will always have an identity....this will be a MAC address, and an IP address
pjedmond, this is wrong :-|
..oh - OK then - Commercial cards always have a MAC address even if they don't exhibit it to the outside world, and IP addresses if they are actively being used to communicate on an IP based communications system....and yes I know it's possible to erase or alter that identity. I know that I might be simplifying things a little, and I also accept that my experience may not be as broad as yours.

I also appreciate that cards as part of the DHCP and other protocols broadcast requests for being given an identity, but they still identify themselves using the MAC address as far as I'm aware. If I'm still missing something in the above, I obviously need to learn (me AT cb DOT ws)

Many thanks:)