On 8/17/05, Sebastian Lemke <s dot lemke at infoworxx dot de> wrote:
> > > Is there a possibility to set up a SPAN port in m0n0wall?
> > >
> > No, that's the job of a switch.
> Any chance to add this directly to m0n0?
> I am using m0n0 on the WAN side with PPPoE,
> internally with 7 network cards, each with its own IP range
> and with NAT access to the WAN.
> So, if I want to install an IDS, do I have to install 7 IDS?
7 sensor interfaces, not 7 IDS systems. Or an aggregator with a
single sensor interface. Net Optics (http://netoptics.com) has a
bunch of nice network taps and tap aggregators.
> One for each network card? Or can I inspect the PPPoE
> packets (I believe not)?
Any IDS worth anything should be able to decode PPPoE.
> It would be useful to install card 8 on which the traffic is inspected.
> Would this technically be possible on the underlying FreeBSD system?
I believe you can use pf on 6.0 to "mirror" traffic to another
interface under certain circumstances. I wouldn't consider that
sufficient for a production environment just yet though.
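The pf mechanism referred to in the reply above is the `dup-to` rule option, which makes pf send a copy of each matching packet out a second interface while the original is forwarded as usual. The following pf.conf fragment is an added illustration of that option on a FreeBSD 6.0 pf ruleset; it is not part of the original thread and not m0n0wall's own (GUI-generated) configuration. The interface names `sis0` to `sis7` and the sensor-segment address `192.0.2.2` are assumptions chosen for the example.

```pf
# Added example, not from the original thread or from m0n0wall.
# Assumed layout: sis0..sis6 are the seven LAN interfaces and sis7 is the
# spare card feeding the IDS sensor. 192.0.2.2 is a placeholder next-hop on
# the sensor segment; pf needs a link-layer target for the copied packet, so
# give it a static ARP entry on the firewall if nothing answers there.
lan_ifs   = "{ sis0 sis1 sis2 sis3 sis4 sis5 sis6 }"
mirror_if = "sis7"
mirror_nh = "192.0.2.2"

# dup-to is tied to a pass rule and to one direction, so both directions
# need it: traffic entering the LAN interfaces ...
pass in  on $lan_ifs dup-to ($mirror_if $mirror_nh) all
# ... and traffic leaving them (replies from the WAN side).
pass out on $lan_ifs dup-to ($mirror_if $mirror_nh) all
```

In a real ruleset the `dup-to` option would be attached to the existing pass rules rather than to catch-all `pass ... all` rules, since those rules also make the filtering decision. Two limits worth knowing before relying on this: only packets that match a `dup-to` rule are copied, and because the copy is produced by pf's routing path the sensor receives IP packets re-framed with the firewall's own MAC address rather than the original Ethernet frames.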