Re: IDS behind a web gateway

[Joel Esler <joel.esler () me com>]

I run into this all the time.  There really is no solution for it.

What I generally do is place the IPS outside the web content filtering system, as you have it, and if needed, correlate 
the logs with the web gateway's logs.

I'd rather have the external address so I know which one to block.

J

On Apr 2, 2010, at 4:00 PM, Nate Hausrath wrote:

> Hello everyone,
>
> We've run into an issue with the way our IDS views traffic after we installed a new web gateway.  The old system was 
> essentially transparent, so when a web request was sent from the inside to the outside, it looked like this on the 
> IDS:
>
> 10.0.0.1 --> 11.22.33.44:80
> 10.0.0.1 <-- 11.22.33.44:80
>
> Obviously this makes it easy to determine the inside address of any system that may trigger an alert with Snort, but 
> it also allows us to easily research the outside address.  The sensor knows the IP addresses of both.
>
> However, the new system is not transparent, and there are some issues outside my control about making it transparent. 
>  So in this case, the traffic seen by the IDS looks like this:
>
> 10.0.254.254 --> 11.22.33.44:80
> 10.0.254.254 <-- 11.22.33.44:80
>
> 10.0.254.254 is the web gateway.  In this case, we do not see the internal address.  It is certainly possible to go 
> to the web gateway and determine the inside address if any signature fires, but this is an extra step and is 
> undesirable.
>
> We could also move the sensor behind the web gateway so it looks like this:
>
> 10.0.0.1 --> 10.0.254.254
> 10.0.0.1 <-- 10.0.254.254
>
> But we are now missing the external address.
>
> Has anyone run into this problem before?  If so, what are some options for solving it?  One idea I had was to read 
> traffic from both sides of the gateway and attempt to combine them on the sensor, but I'm not sure how well this 
> would work.  There may be a better solution that I have not thought of!
>
> Thanks for any help!
> -Nate
> ------------------------------------------------------------------------------
> Download Intel&#174; Parallel Studio Eval
> Try the new software tools for yourself. Speed compiling, find bugs
> proactively, and fine-tune applications for parallel performance.
> See why Intel Parallel Studio got high marks during beta.
> http://p.sf.net/sfu/intel-sw-dev
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Joel Esler
http://blog.joelesler.net



------------------------------------------------------------------------------
Download Intel&#174; Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users