IDS Benefits/Risks

[Soda_Popinsky]

How do some of you setup IDS on your networks? Here's why I ask...

If I decided that my IDS should monitor all network traffic, then all of a sudden my IDS is a high risk resource. Similar to a firewall or router being compromised, an attacker would have access to heavy traffic.

If you separate multiple IDS's across your network, you would then lower the risk if one were compromised. Or, get rid of them completely and forget about the scenario of them being compromised. But that wouldn't be worth the IDS's benefits, right? What do you think?

Do any of you take that extreme of an approach? If you separate the devices, wouldn't you lose the benefits of a centralized IDS database? I guess you could shoot it all elsewhere, but that's another device with an IP and the same problem exists, even with the opportunity to secure it more.

Example: Operations IDS, R&D IDS, Marketing IDS, Purchasing IDS... Cut off from eachother.

So basically, suggestions on types of IDS placement would be good to hear. I'd also like to hear if there's a place for what I suggested earlier, or software that assists that process.

Thanks!

[Opus00]

Two NIC's in each IDS. You can set up an out of bound network for the managment side of the IDS(one of the NICs with an IP). This network is toally isolated from your actual network. Then with the other NIC and no IP, you use it to monitor for intrusion on your production network. Each IDS then reports back to a cental database/console via the out of bound network.

As for placement, that needs more thought on your side, what resources do you have and if limited, then they need to be used for your most valuable assets.

A small book can be written on answering the questions you are asking, not to say the answers wouldn't be subjective and opinionated.

[Striek]

When I cannot afford the IDS going down, I use passive network taps instead of placing the servers directly on the network. This way, the IDS will still see all the traffic, but cannot send anything out over the wire. They are essentially invisible. I have done setups before with several IDS's running, all logging to the same sql server. I build an IDS network completely isolated from the rest of the network, and as with a standalone server, it cannot send anything over the wire to the rest of the network. The snort website has a good page on how to build a passive ethernet tap here. I never run out of uses for them; I've got 4 or 5 spares lying around.

Active taps can also be used, at a signifigantly higher cost. These taps capture the traffic, and repeat it out more than one port and in only one direction, also hiding the IDS from view. They can also combine the traffic streams into a single stream (taps usually seperate out the send and recieve traffic on different wires), requiring two cards in the IDS box. All types of taps are available with features few people use and even less have heard about. Have a look at www.datacomsystems.com for some ideas on which taps you might use.

My preferred method, though, is to use a SPAN port available from a switch, or a monitoring port. The switch simply repeats everything it sees out a specified port. (SPAN is actually an acronym, but I can't remember what for) With multiple switches doing this, that traffic can be aggregated by sending all the SPAN traffic to a single switch and then spanning that traffic to a single monitoring port, although this method is cost prohibitive. If you have a managed switch that can do port spanning, I would suggest you use that, as it eliminates the need for additional hardware, provided your network is small enough to not have dozens of switches. You can easily Put several cards in an IDS box and use one for each switch you want to monitor. Also, the wire between the SPAN port and the IDS box can have the transmit wires physically severed, to avoid the risk of compromise. That box would then be (almost) invisible on the network. I have a few "stealth cables" around for that purpose here as well. They tend to impress people.

The best way to avoid compromising the IDS is simply to take it off the network. We can come very close to that by physically prohibiting it from transmitting anything (by physically disconnecting the send wires like these taps do). They can still recieve all the traffic they need to do all their fancy intrusion detection magic. So if you have no need to transmit anything from the IDS to somewhere else on the network, a tap or a spanning switch would be your best bet.

It is quite possible to have multiple IDS's and not lose the benefits of a centralized database, as I said earlier. All the sensor IDS boxes can log to a database on another box, which does not necessarily need to also be an IDS. I have done this with snort, creating whole isolated IDS networks for that purpose; I imagine it can be done with other IDS's as well.

[thehorse13]

Here's the high level look at my config.

VLAN management network: All core devices (IPS, FWs, Switches, etc) that have a management interface all rest on this network. This management network is tighter than a frog's ass and is audited more than Martha Stewart.

Super beefy IPS sits at the choke point. Hot failover with hardware failure set to fail connections open with alert. Smaller divisional IPS devices sit infront of various division routers so that we can kill certain areas should isolation be needed.

All data from these devices is fed into a SIM (Security Information Manager) where it's aggregated and then the relavent threat data is categorized by severity and then we act upon it when necessary.

Now, if someone pwn3s our management network, we're of course done. However, simply grabbing traffic from a spanning port or passing it through an IPS wont pose you a threat unless your IDS/IPS is crap and can't handle the load. White noise attacks are very easy to pull off against certain security products out there. Free advice, test out the equipment before you sign a purchase order.

Good enough Soda?

SPAN is actually an acronym, but I can't remember what for

SPAN is a Cisco term (Switch Port ANalyzer). Most others call it a mirror port.

[anban]

The IDS setup with ISS, McAfee is simlar as the senior members mentioned above.

1. Is there any IDS which can detect encrypted traffic like SSL? McAfee claims it can do for SSL, can anyone throw some light?
2. Will ant IDS be able to catch packets of very small size?

What are the other risks associated with IDS?

[Lv4]

I won't bother answering the first question because it has already been sufficiently answered by others.

I'll tackle part of the question than anban poses though. For an IDS to "see" encrypted traffic you are going to need something like BreachView SSL. I'm not sure how McAfee is doing it, but BreachView SSL is a great product that I highly recommend. They will also work with your IDS vendor to either have BreachView added to the IDS package or they will create a plugin for your IDS if they have access to source code.

As far as catching very small packets... if your switch can see it then your IDS should be able to see it.