techfreelance

asked on

Intrusion Detection System (IDS)

Hi experts,

I have been doing some research on security.
According to what I found the following can be setup.

Inet-------------Firewall------LAN
             |            |
           IDS         DMZ

They suggest the IDS to be a system listening in promiscuous mode, having no IP so it cannot be reached or detected.

How is this achieved? The way I understand it, to be able to see traffic it should be connected to a hub/switch, hence having a cable and NIC which will have an IP.
But the diagram doesn't show any switch or device where the IDS is connected to.

Can anyone bring some light over this matter please?

Thanks in advance,
Tech.
pjedmond

If you are trying to set up an intrusion detection system, it can be configured to run on your firewall if your firewall is a Linux/BSD based system using IDS software such as SNORT:

http://www.snort.org/

There are also commercial applications out there.

At the very basic level, you can put an ethernet card into 'promiscuous' mode so that it listens to every packet on the 'segment' of the net that it is on. On a linux system, the command you need is tcpdump:

http://www.rt.com/man/tcpdump.1.html

This provides a raw dump of the data that can be filtered/manipulated as required depending on the aspect of interest.

A windows version of this also exists called windump:

http://windump.polito.it/

IDS running on the system that might be attacked can normally be easier to configure, and is better integrated into the OS concerned. Software such as Zone Alarm and the various integrated security suites spring to mind for Windows, and snort for Linux.

IDS relating to detecting penetration can only be accurately run on the system deemed to be the target. Software such as tripwire:

http://www.tripwire.org/

Creates a hash of directories and files to be protected. If the files are compromised, then the hash will not match and an alarm is produced. Obviously the above diagram does not help for this situation.

Remember that tcpdump and its equivalents can be dangerous in the wrong hands. They can sniff out root passwords from the ethernet traffic on the network segment concerned, or even hijack communications between other PCs/Servers. However, the 'promiscuous' ethernet card will always have an identity....this will be a MAC address, and an IP address if the card is enabled (OK, I'm sure that someone could create one without these, but all commercial cards do). Note that the MAC address (unique identifier for the device from the manufacturer) can be faked on many cards. However, the card can appear to be invisible because it is firewalled/configured not to respond to anything.

HTH:)
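As an added illustration of the tripwire-style check pjedmond describes above (example code written for this page, not tripwire's own code and not part of the thread): a POSIX shell script that records a SHA-256 baseline of a directory tree and later reports every changed, missing or newly added file, which is exactly the mismatch that raises the alarm. It assumes GNU coreutils (sha256sum, find, sort, cut) and paths without newlines; the sample paths in the usage note are constructed for illustration.

```shell
#!/bin/sh
# Added example (not tripwire's code): minimal file-integrity baseline/check.
# Usage:  fim.sh baseline DIR DBFILE      (record hashes, store DBFILE read-only elsewhere)
#         fim.sh check    DIR DBFILE      (exit 0 if clean, 1 and a report otherwise)

# Record one "sha256  path" line per regular file under $1 into $2.
# Sorted so the baseline is deterministic and diffable.
fim_baseline() {
    dir=$1; db=$2
    find "$dir" -type f | LC_ALL=C sort | while IFS= read -r f; do
        sha256sum "$f"
    done > "$db"
}

# Print one line per deviation from the baseline: CHANGED, MISSING or ADDED.
_fim_report() {
    dir=$1; db=$2
    # Every baselined file must still exist with the same hash.
    while IFS= read -r line; do
        expected=${line%%  *}      # 64 hex chars before the two-space separator
        path=${line#*  }
        if [ ! -f "$path" ]; then
            echo "MISSING $path"
        elif [ "$(sha256sum "$path" | cut -d' ' -f1)" != "$expected" ]; then
            echo "CHANGED $path"
        fi
    done < "$db"
    # Anything present now that was not in the baseline (a dropped binary, say).
    # The path starts at column 67 of a sha256sum line; match it exactly.
    find "$dir" -type f | LC_ALL=C sort | while IFS= read -r f; do
        cut -c67- "$db" | grep -qxF -- "$f" || echo "ADDED $f"
    done
}

# Returns 0 when the tree matches the baseline, 1 (with the report) otherwise.
fim_check() {
    report=$(_fim_report "$1" "$2")
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

case "${1:-}" in
    baseline) fim_baseline "$2" "$3" ;;
    check)    fim_check "$2" "$3" ;;
esac
```

Run `fim.sh baseline /etc /media/ro/etc.db` once on a known-good host, keep the database somewhere the target cannot rewrite, and run `fim.sh check /etc /media/ro/etc.db` from cron; a non-zero exit with CHANGED or ADDED lines is the alarm the post refers to.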
techfreelance,
the docs are right: your IDS is plugged into a hub right before your firewall, and it doesn't need an IP 'cause it only listens to what's going on
Keep in mind that it's a hub; if you use a switch you need to plug your IDS into the monitor port (which needs to monitor *all* other ports at once).

I slightly disagree with pjedmond, I'd not install the IDS on the firewall (except you plan to use an IDS/IPS).
If you really want to spend money and time for looking at what happens, then there should be an IDS before, and one after the firewall, and probably a 3rd one in your LAN. All these IDS connected via an admin LAN to monitor them and compare results.
Tim Holman
IDS are layer 2 devices, so don't need IP addresses.  However, they do need to see all the packets that need looking at, so need to be connected to a SPAN port or hub or network tap in order to see what's going on.
Think of it as just plugging a hub or switch into your network.  They don't need IP addresses for the same reason as IDS devices don't.  :)
Sorry - ahoffmann - I'm a cheapskate, and don't like spending money....you're absolutely right - ideally a firewall should be just that - the more stuff you add to it the more chance of it being breached!

Having said that many commercial products stick the IDS on the firewall - in order to add perceived value?

techfreelance

ASKER

tim holman>> IDS are layer 2 devices, so don't need IP addresses.

So, should I understand IDS are hardware devices (that plug into a hub) or a PC with software installed listening through a NIC (with no IP???)?

:-/

The dedicated ones are specialist hardware devices that you just plug into a network. The ones I've seen actually then connect to a PC via a serial port for further analysis. However the PC was configured with a Rocket Port (32 serial ports card)...and could connect to 32 of these things.  Alternatively, you can use a PC with the software running on it. If it's the PC version, then ethernet cards just happen to come with MAC addresses and get allocated an ip address in order to work.
IDSs need 2 interfaces. One that is promiscuous and does not have an IP address, and another interface for the management/monitoring software to be able to address the device. Else, how can you see the alerts/alarms? Think Snort/ACID, Cisco IDS, and several others..

My opinion, for what it's worth:
It is a given fact that every nut job on the planet is knocking on your front door. What good is an IDS sitting in front of your firewall? All you're doing is confirming that fact and you get so many positives that you can't possibly get meaningful information. Unless your IDS and router work hand-in-hand to automatically adjust the inbound access-list restrictions to put temporary blocks on those networks that are the source of the alarms, it does not do much good.
My preference is to place the IDS on the INSIDE of my firewall. Your firewall's job is to automatically block all those bad guys anyway, but I want to know what's going on INSIDE my network. The IDS can pick up worm/virus behavior, as well as possible intruders that get through the firewall. THIS is much more meaningful information.
Of course, the ideal situation would be to have both inside and outside with the screening router, IDS's and firewall all working as a single team...
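To make concrete what ahoffmann's reply and the post above describe (a promiscuous sensor interface with no IP address, plus a separate addressed interface on a management LAN), here is an added example written for this page, not taken from the thread or from any IDS product: a POSIX shell script for a Linux sensor using iproute2 and sysctl. The interface names eth1 (sniffing, cabled to the hub, switch SPAN port or tap) and eth0 (management LAN) and the address 10.0.99.5/24 are assumptions; the promiscuous card keeps its MAC address, it simply has nothing to answer with.

```shell
#!/bin/sh
# Added example (not from the thread): Linux IDS sensor with a listen-only
# capture interface and a separate management interface.
# Usage:  DRY_RUN=1 sh sensor.sh sensor eth1 eth0 10.0.99.5/24   (print the plan)
#         sh sensor.sh sensor eth1 eth0 10.0.99.5/24             (apply, as root)
#         sh sensor.sh verify eth1                               (check the result)

# Execute a command, or just print it when DRY_RUN=1 so the plan can be reviewed.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Capture interface: no IPv4/IPv6 address, no ARP, no multicast, promiscuous.
# With nothing to respond with, the sensor cannot be addressed on that segment.
sniff_iface_setup() {
    nic=$1
    run sysctl -q -w "net.ipv6.conf.$nic.disable_ipv6=1"   # stop link-local autoconf
    run ip addr flush dev "$nic"                           # drop any address it had
    run ip link set dev "$nic" arp off
    run ip link set dev "$nic" multicast off
    run ip link set dev "$nic" promisc on                  # see every frame on the segment
    run ip link set dev "$nic" up
}

# Management interface on the admin LAN: this is the only address the box has,
# and it is where the monitoring console (ACID, syslog, ...) reaches it.
mgmt_iface_setup() {
    nic=$1; cidr=$2
    run ip addr replace "$cidr" dev "$nic"
    run ip link set dev "$nic" up
}

# Succeeds only if the capture interface carries no address and is promiscuous.
sniff_iface_verify() {
    nic=$1
    ! ip -o addr show dev "$nic" | grep -q ' inet' &&
    ip -o link show dev "$nic" | grep -q PROMISC
}

case "${1:-}" in
    sensor) sniff_iface_setup "$2"; mgmt_iface_setup "$3" "$4" ;;
    verify) sniff_iface_verify "$2" && echo "$2: no address, promiscuous: OK" ;;
esac
```

After this, a sniffer such as `tcpdump -i eth1 -nn` (or Snort bound to eth1) sees the segment's traffic while all alerting and administration goes out over eth0; the DRY_RUN=1 form prints the six commands for the capture side without touching the host.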
ASKER CERTIFIED SOLUTION
Tim Holman
hmm, all comments repeating mine http:#11799068
Think we got it all now ;-))
...of which many were repeating mine ;)
>  .. ethernet card will always have an identity....this will be a MAC address, and an IP address
pjedmond, this is wrong :-|
..oh - OK then - Commercial cards always have a MAC address even if they don't exhibit it to the outside world, and IP addresses if they are actively being used to communicate on an IP based communications system....and yes I know it's possible to erase or alter that identity. I know that I might be simplifying things a little, and I also accept that my experience may not be as broad as yours.

I also appreciate that cards as part of the DHCP and other protocols broadcast requests for being given an identity, but they still identify themselves using the MAC address as far as I'm aware. If I'm still missing something in the above, I obviously need to learn (me AT cb DOT ws)

Many thanks:)