Security Basics mailing list archives

Re: Inline IDS


From: Noah.Lance () APCC com
Date: Wed, 25 Feb 2009 14:36:35 -0600

You would actually be best off using a punchblock of some type. To 
maintain speed you have a few shielded ones, and well you have a lot of 
options. But this will work out a little better by guaranteeing easy connectivity. 
Using a punchdown system you can have all your wires terminate on top of 
each other so no soldering or risky connections.

http://www.blackbox.com/Store/Detail.aspx/Prewired-Modular-Jack-Blocks/31066

This guy above is great because it has built in termination as well. Super 
helpful. You can essentially terminate about three cables into one 
jack.... 

It's been a long time since I did a Snort-type appliance box setup, but I'm 
pretty sure you'll just want to make sure you have at least two NICs. It's 
convenient to have a few more at times, but you'll just need to tell Snort 
which one is the passive one and which one can access the network; that's 
about it I think, not sure though. Typically I've always gone with using 
a higher-end box (last one was a dual Xeon P4, with U320 in RAID 10 with 
8G RAM) and utilized the box as the gateway to the external net, and added 
the static route to the box in any of the routers. This way anything that 
went to the routers was either going to the IPsec tunnels to the other 
"secured" locations, or going through the Snort box.

Daniel Hood <dsmhood () gmail com> 
Sent by: listbounce () securityfocus com
02/23/2009 05:31 AM

To: security-basics () securityfocus com
cc:
Subject: Inline IDS

It seems I have decided on building an inline IDS, one of the ones
with an Ethernet tap. I just had two questions.

When people normally build Ethernet taps (with all the soldering and
such), what do they normally use? Is there a certain brand/model of
hub, or do they buy a 4-port patch panel? By Ethernet tap I mean one
of those things that looks like a 4-port patch panel, that's wired so
that the IDS can pick up traffic passively and without impeding
performance or creating a single point of failure.

Also, I'm going to be most likely using either FreeBSD + Snort + BASE
or Debian + Snort + BASE. Do I just need hogwash and/or snort_inline
as well, or some other setups/config changes? Are there any changes to
the Ethernet adapters' setup (or just leave them with no IP addresses
but up)?


Thanks guys,
Daniel
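As an added example (not from either poster), here is how the "two NICs, no IP address, just up" setup Daniel asks about and Noah describes looks on a Linux Snort box. It assumes interface names eth1/eth2, a config at /etc/snort/snort.conf, and Snort 2.9+'s inline mode via the afpacket DAQ (`-Q --daq afpacket -i ethA:ethB`), which replaced the separate snort_inline project the thread mentions.

```shell
#!/bin/sh
# Added example, not the thread's own commands. Assumptions: Linux with
# iproute2/ethtool, Snort 2.9+ with the afpacket DAQ, interfaces eth1/eth2.

# Accept only plausible Linux interface names (no shell metacharacters,
# at most 15 characters) before they reach ip/ethtool/snort.
valid_iface() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) [ "${#1}" -le 15 ] ;;
    esac
}

# Bring one NIC up for capture: no IP address, promiscuous so it sees every
# frame, ARP off so the box stays silent on that segment, and receive
# offloads off so Snort is handed wire-sized frames rather than reassembled
# jumbo buffers (ethtool may not support every flag, so failures are ignored).
prep_sniff_iface() {
    iface="$1"
    valid_iface "$iface" || { echo "bad interface name: $iface" >&2; return 1; }
    ip addr flush dev "$iface"
    ip link set dev "$iface" up promisc on arp off
    ethtool -K "$iface" gro off lro off tso off gso off 2>/dev/null || true
}

# Start Snort inline between the two NICs: -Q selects inline mode and the
# afpacket DAQ bridges ethA<->ethB, dropping whatever the rules say to drop.
run_snort_inline() {
    in_if="$1"; out_if="$2"; conf="${3:-/etc/snort/snort.conf}"
    valid_iface "$in_if" && valid_iface "$out_if" || return 1
    snort -Q --daq afpacket -i "$in_if:$out_if" -c "$conf"
}

# Usage: sh inline-snort.sh eth1 eth2 [/path/to/snort.conf]
if [ "$#" -ge 2 ]; then
    prep_sniff_iface "$1" && prep_sniff_iface "$2" && run_snort_inline "$1" "$2" "${3:-}"
fi
```

For a purely passive tap (Daniel's first question) the same NIC preparation applies, but Snort is then started on a single interface without `-Q`, so it only observes and never sits in the forwarding path.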
