Matt, I was just at a client where we tried, and tried, and _tried_ to do this. We've finally given up, and are using honey pot systems instead. Since most of our internal users are likely to be of the script kiddie types, we decided that catching the 85% of them that would be doing broad-based sweeps for compromised systems rather than attacking one system in particular was the best way to use our money. In your case if you're worried about protecting specific groups, you might be able to do something similar like planting honey pot systems in the protected group.

In a switched environment you _can_ generally make one port a "monitoring port" that receives all traffic in the switch. You've already pointed out one problem with this - potential data loss as that one port on the switch gets overloaded. Plus, the point of the switch is improved traffic speeds, and it seems to me that pushing all traffic to one port would significantly slow things down (caveat: I haven't actually tried whether this is true or not.) Another downside is that usually you can only have one monitoring port per _stack_ - so if you're like us and have five or six stacks of switches in different wiring closets, you're looking at an IDS system on each stack. The costs add up fast, and when you consider that you may be getting data loss from overloaded switch ports on top of that, we decided it wasn't worth it.

On the plus side, I _have_ heard of a handful of vendors that make IDSs (or was it firewalls?) built right into their switches. ODS comes to mind for some reason, but since we had already committed to 3Com I didn't investigate this too thoroughly. Another thought is if you're protecting a specific group you could put them all on one stack and put an IDS on that stack with a monitoring port. OR I believe I have heard of some IDSs that have client portions that sit on the desktops and a server portion that collects data (RealSecure?). That might work for you if you're in a Windows environment.

Hope that helps. Sorry for the verbosity - I've just been banging my head against the same thing, and it struck a chord.

Richard Hakim

On Tue, 13 Jul 1999, Matt Dunn wrote:

> Hi all,
>
> I'm doing some preliminary planning for a security configuration, and I
> have what may be a silly question about setting up an IDS. I looked around
> a bit, and even asked a couple people (who laughed, but it didn't sound
> like it was because the question was silly, more of a 'good luck' kind of
> laugh..)
>
> My problem is that a couple of my networks involve switches, which, as part
> of the new and improved security policy, will involve VLANs.
>
> I could throw the IDS on a hub with the firewall and connect that to the
> switch, but that doesn't do anything for internal threats (which are what
> is necessitating the VLANs.)
>
> Has anyone figured out a good way to set something like this up? Ideally,
> some switch manufacturer would have thought of this ahead of time, and made
> a port on the switch that dumped all the packets, but then you're dealing
> with packet loss unless that one port is significantly faster than the rest
> of the switch. I could try to figure out some policy based configuration,
> but I don't want to go buy a gigabit plane for each of my switches, and it
> doesn't sit right with me to depend on the switch management elements for
> the completeness of my security data.
>
> Any responses would be appreciated.
>
> -Matt
>
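As an added illustration of the honey pot approach in the reply above (example code, not from the original post or from any product it names): a small Python detector that reads connection attempts logged by planted honey pot hosts, which no legitimate user should ever touch, and separates broad sweeps from single-target attacks by counting distinct destinations per source. The log format, the honey pot addresses, the sample log and the sweep threshold are constructed assumptions.

```python
from collections import defaultdict

# Addresses of the planted honey pot hosts (constructed sample values).
# Nothing legitimate should ever connect to them, so any hit is a signal.
HONEYPOTS = {"10.0.5.50", "10.0.5.51"}

# Constructed sample log, one attempt per line: "<time> <src> <dst> <port>".
# .20 sweeps the segment, .21 talks to one real server, .22 hits one honey pot.
SAMPLE_LOG = """\
09:01:02 10.0.5.20 10.0.5.1 80
09:01:02 10.0.5.20 10.0.5.2 80
09:01:03 10.0.5.20 10.0.5.50 80
09:01:03 10.0.5.20 10.0.5.51 80
09:01:04 10.0.5.20 10.0.5.60 80
09:05:10 10.0.5.21 10.0.5.10 443
09:07:00 10.0.5.22 10.0.5.51 22
09:07:01 10.0.5.22 10.0.5.51 23
"""

def parse_log(text):
    """Yield (src, dst, port) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line: ignore rather than crash the detector
        _time, src, dst, port = parts
        yield src, dst, port

def classify_sources(text, honeypots=HONEYPOTS, sweep_threshold=3):
    """Return {src: (verdict, distinct_dsts, honeypot_hits)} for every source
    that touched a honey pot. verdict is "sweep" when the source contacted at
    least sweep_threshold distinct hosts, otherwise "targeted"."""
    dsts = defaultdict(set)
    hp_hits = defaultdict(int)
    for src, dst, _port in parse_log(text):
        dsts[src].add(dst)
        if dst in honeypots:
            hp_hits[src] += 1
    report = {}
    for src, hits in hp_hits.items():
        n = len(dsts[src])
        verdict = "sweep" if n >= sweep_threshold else "targeted"
        report[src] = (verdict, n, hits)
    return report

if __name__ == "__main__":
    for src, (verdict, n, hits) in sorted(classify_sources(SAMPLE_LOG).items()):
        print(f"{src}: {verdict} ({n} hosts, {hits} honey pot hits)")
```

Sources that never touch a honey pot are left out of the report, so normal traffic on the segment produces no alerts.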
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:33:17 PDT