Security Basics mailing list archives
Re: Inline IDS
From: Noah.Lance () APCC com
Date: Wed, 25 Feb 2009 14:36:35 -0600
You would actually be best off using a punchblock of some type. To maintain speed you have a few shielded ones, and well, you have a lot of options, but this will work out a little better by guaranteeing easy connectivity. Using a punchdown system you can have all your wires terminate on top of each other, so no soldering or risky connections.

http://www.blackbox.com/Store/Detail.aspx/Prewired-Modular-Jack-Blocks/31066

This guy above is great because it has built-in termination as well. Super helpful. You can essentially terminate about three cables into one jack....

It's been a long time since I did a Snort-type appliance box setup, but I'm pretty sure you'll just want to make sure you have at least two NICs. It's convenient to have a few more at times, but you'll just need to tell Snort which one is the passive one and which one can access the network; that's about it I think, not sure though.

Typically I've always gone with using a higher-end box (last one was a dual Xeon P4, with U320 in RAID 10 with 8G RAM) and utilized the box as the gateway to the external net, and added the static route to the box in any of the routers. This way anything that went to the routers was either going to the IPSEC tunnels to the other "secured" locations, or going through the Snort box.

Daniel Hood <dsmhood () gmail com>
Sent by: listbounce () securityfocus com
02/23/2009 05:31 AM
To: security-basics () securityfocus com
cc:
Subject: Inline IDS

It seems I have decided on building an inline IDS. One of the ones with an Ethernet tap. I just had two questions.

When people normally build Ethernet taps (with all the soldering and such), what do they normally use? Is there a certain brand/model of hub, or do they buy a 4-port patch panel? By Ethernet tap I mean one of those things that looks like a 4-port patch panel, that's wired so that the IDS can pick up traffic passively and without impeding performance or creating a single point of failure.

Also, I'm going to be most likely using either FreeBSD + Snort + Base or Debian + Snort + Base. Do I just need hogwash and/or snort_inline as well, or some other setups/config changes? Are there any changes to the Ethernet adapters' setup (or just leave them with no IP addresses but up?)

Thanks guys,
Daniel
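The two-NIC split discussed in this thread (one passive sniffing port fed by the tap, one management port that actually has an address), as an added example that is not from either poster: a small POSIX shell script for a Debian-style Snort box that makes the tap-facing interface listen-only. It assumes the Linux `ip`, `ethtool` and `sysctl` tools and uses placeholder interface names; DRY_RUN=1 (the default) only prints the commands so you can review them before running.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Prepares one NIC as a
# passive Snort sniffing interface and one as the management interface.
# Interface names and the management address are placeholders.
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = execute them

run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Listen-only interface: no address, ARP and IPv6 autoconf off so the tap
# port never transmits anything, receive offloads off so Snort sees frames
# as they were on the wire, then promiscuous and up.
sniff_iface_cmds() {
  iface="$1"
  run ip addr flush dev "$iface"
  run ip link set dev "$iface" arp off
  run sysctl -w "net.ipv6.conf.$iface.disable_ipv6=1"
  run ethtool -K "$iface" gro off lro off
  run ip link set dev "$iface" promisc on up
}

# Management interface: the only one that keeps an address and talks
# to the network (e.g. for Base/SSH access).
mgmt_iface_cmds() {
  iface="$1"; addr="$2"
  run ip addr replace "$addr" dev "$iface"
  run ip link set dev "$iface" up
}

# Snort is then started against the sniffing NIC only, e.g.:
#   snort -i "$SNIFF_IF" -c /etc/snort/snort.conf
SNIFF_IF="${SNIFF_IF:-eth1}"            # placeholder: tap-facing NIC
MGMT_IF="${MGMT_IF:-eth0}"              # placeholder: management NIC
MGMT_ADDR="${MGMT_ADDR:-192.0.2.10/24}" # placeholder documentation address

sniff_iface_cmds "$SNIFF_IF"
mgmt_iface_cmds "$MGMT_IF" "$MGMT_ADDR"
```

Run with DRY_RUN=0 as root once the printed commands match your interface names; the sniffing NIC should then show PROMISC and no address in `ip addr`.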
Current thread:
- Inline IDS Daniel Hood (Feb 24)
- Re: Inline IDS Matthew Topper (Feb 25)
- Re: Inline IDS DHEERAJ RAI (Feb 25)
- <Possible follow-ups>
- Re: Inline IDS Noah . Lance (Feb 25)
- Re: Inline IDS Daniel Hood (Feb 26)