IDS mailing list archives

IDS on VPN-GW


From: counter.spy () gmx de
Date: Fri, 29 Nov 2002 10:19:50 +0100 (MET)

Hi folks,
I have recently tested snort on a vpn-gateway that runs on linux (just for
testing purposes, no productive server).

This might be of use if the gateway connects to another gateway so that
traffic on both the inside and outside interfaces is encrypted.

The vpn software inserts an ipsec layer beneath the normal ip-stack and thus
provides a new interface that you can sniff off, e.g. with tcpdump, just
like sniffing on eth0 or another interface.

When sniffing on the logical interface of the vpn software, the ids sees all
original, unencrypted ip-datagrams.

Of course this practice will impact server-performance and does not scale
well when load balancing over several machines.

Has anybody deployed such a configuration on a productive server?

I would like to know if such a configuration could be handled in real-life.

Any experiences, suggestions, ideas...?

Thanks,
counterspy

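To make the point of the post concrete, here is an added example (not from the original mail or from Snort) that decodes two constructed IPv4 datagrams: the ESP-wrapped packet an IDS would see on the outer interface, where only the SPI and sequence number are cleartext, and the original TCP datagram it would see on the logical ipsec interface, where a Snort-style content rule can actually match. Interface names, addresses, SPI and payload bytes are all made up for illustration.

```python
import struct

ESP_PROTO, TCP_PROTO = 50, 6

def build_ipv4(proto, src, dst, payload):
    # Minimal 20-byte IPv4 header (checksum left 0: constructed sample, not a real capture).
    ip = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       64, proto, 0, ip(src), ip(dst)) + payload

def tcp_segment(sport, dport, data):
    # Minimal 20-byte TCP header, PSH|ACK, checksum left 0 (constructed sample).
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + data

def inspectable_view(pkt):
    """Return what an IDS sniffing this datagram can actually inspect."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, payload = pkt[9], pkt[ihl:]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    if proto == ESP_PROTO:
        # Outer interface: only the ESP header (SPI, sequence number) is cleartext.
        spi, seq = struct.unpack("!II", payload[:8])
        return {"side": "outer", "src": src, "dst": dst, "spi": spi, "seq": seq, "data": None}
    if proto == TCP_PROTO:
        # Logical ipsec interface: the full original datagram, ports and payload included.
        sport, dport = struct.unpack("!HH", payload[:4])
        doff = (payload[12] >> 4) * 4
        return {"side": "inner", "src": src, "dst": dst, "sport": sport,
                "dport": dport, "data": payload[doff:]}
    return {"side": "unknown", "src": src, "dst": dst, "data": None}

def rule_matches(view, content):
    """Snort-style 'content' check: only possible where the payload is visible."""
    return view["data"] is not None and content in view["data"]

# Constructed samples: the same HTTP request as seen on ipsec0 (cleartext) and on
# eth0 after ESP tunnelling (fixed filler bytes standing in for ciphertext).
INNER = build_ipv4(TCP_PROTO, "10.0.0.5", "10.0.1.7",
                   tcp_segment(40000, 80, b"GET /status HTTP/1.0\r\n\r\n"))
OUTER = build_ipv4(ESP_PROTO, "203.0.113.1", "198.51.100.2",
                   struct.pack("!II", 0x1234ABCD, 7) + b"\xa5" * 40)

if __name__ == "__main__":
    for name, pkt in (("eth0", OUTER), ("ipsec0", INNER)):
        v = inspectable_view(pkt)
        print(name, v["side"], "rule hit:", rule_matches(v, b"GET /status"))
```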

