Transparent IDS
Results 1 to 6 of 6

Thread: Transparent IDS

  1. #1
    Senior Member
    Join Date
    Dec 2002
    Posts
    134

    Transparent IDS

    I`m about to completely restructure my home network and i thought if i right my plans down you guys can pick them apart and point out any problems. The main thing i`m worrying about is my plans to run an IDS on a linux box using transparent bridging and then to have a third network card with an IP address to connect to it.

    This my best atempt at a diagram.


    INTERNET
    |
    |
    Cable Modem
    |
    |
    Hardware Router and Firewall
    |
    |
    Transparent Bridge with IDS ----------
    | |
    | |
    Hub -------------------------
    |
    |
    Workstations/Server



    So basically The IDS would be setup as following, eth0 would take the conection from the router and bridge it straight onto eth1 which goes into the hub. eth2 would be plugged into the hub and used as a connection the IDS.
    eth0 and eth1 would operate at Layer 2 so neither would have an IP address or be known to the network. eth2 would opeate normally with an IP address and be used as the connection to the box.

    Sorry its a bit long winded but hopefully it gets the idea across. Any suggestions please just say.

    Cheers

    edit:
    for some reason the diagram is not being displayed properly, sorry about that.

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    If that's truly a hub rather than a switch why don't you simplify the issue and just plug the linix box with a single network card in it directly to the hub. Unbind all protocols from the card and run snort or whatever. It will sniff everything going in and out of the network without being accessible and is very difficult to detect, (you need to be in the same collision zone to have a chance of detecting it). That would be simpler to set up, manage and troubleshoot.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  3. #3
    Senior Member
    Join Date
    Dec 2002
    Posts
    134
    I had been thinking about that aproach but hopefully in a month or two i`ll be upgrading my tired old hub to something new and had been thinking about a switch instead and as far as i know the method i`ve described is the only way on a switched network.
    Feel free to correct me if i`m wrong.

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Put the switch inside of the hub to benefit the network itself and leave the hub there. It will have no effect on the speed of the system as a whole because the bottleneck will still be the speed of the incoming pipe from the ISP. The network itself will benefit from the switch though. Best of both worlds and still simpler to maintain etc. than the transparent bridge.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  5. #5
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    Or, if you get a nice enough switch, you can open a management port and let the IDS feed off of everything that passes through the switch. This effectively does the same thing as Tiger suggested only you don't need the hub in this config.

    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  6. #6
    Senior Member
    Join Date
    Dec 2002
    Posts
    134
    Cheers i think you`ve just saved me a lot of work.
    I would give you some greenies tiger shark but unfortuantly "You must spread your AntiPoints around before giving it to Tiger Shark again. ".

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides