 From:  Jim Gifford <jim at giffords dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  IDS integration w/m0n0wall?
 Date:  Fri, 27 Feb 2004 12:54:30 -0500
Before people start responding with the phrase that IDS doesn't belong in
m0n0wall, let me say that I agree and that isn't what this email is about.
m0n0wall is damned near perfect the way it is.  :)

However, I would indeed like to have an IDS box (running snort) watching
all the interfaces of my m0n0wall for intrusion attempts and successes.

When people have asked about having a box running snort watch traffic
for a m0n0wall, I've seen suggestions to use a bridge interface with
WAN or LAN to watch that port's traffic.  However, from my testing with
bridging, very few packets actually show up on the bridged interface
(namely, only broadcasts).  From my remembrance of how a bridge should
work, I expect this is Correct Behavior.  However, if there's a way
to "mirror" a port on m0n0wall to another port, I would love to hear
about it.  Basically, I would love to see every packet sent and received
on interface A retransmitted on interface B.

Using the little dinky "hubs" and "switches" that are available these
days has the same problem: they're all really tiny switches inside (i.e.,
really fast bridges), and you only see broadcast packets.

Are other people using an IDS in conjunction with m0n0wall with success?
If so, I'm interested in hearing how you are doing it.

I've begun thinking that the IDS box should have 3 interfaces, 1 with
a LAN IP so I can get to it, and the other two with no IP in bridging
mode, and let that bridge be the monitored segment.  One of the bridged
interfaces would go to the cable modem/dsl/whatever, and the other to the
m0n0wall WAN interface (or one to the LAN interface and the other to the
LAN switch, or one to the DMZ interface and one to the DMZ switch, etc).
In this scenario, the IDS is transparent, and gets to see all the traffic.
However, for a 3 interface m0n0wall, this seems overly complicated (LAN,
WAN, DMZ), and my security sense tells me that having all those nets
traversing a single box (via multiple bridges) is a bad idea, so that
would require multiple machines.  It quickly could grow out of hand.

I should point out that at this point I'm just trying to do testing
of various network topologies using m0n0wall, in an effort to learn as
much as possible about what can be done and what should be done to meet
different networking needs.  This is by no means an urgent question.

Any thoughts, suggestions, experience to share?
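A script for the three-NIC sensor layout sketched in the message above, added here as an example; it is not part of the original post and is not m0n0wall's own code. It assumes a Linux sensor host with iproute2 (the `ip` command) and uses made-up interface names: eth0 keeps a LAN address for management, while eth1 and eth2 are cabled between the modem and the m0n0wall WAN port (or between a LAN/DMZ port and its switch) and are joined into an IP-less bridge br0. Capturing on br0 itself shows both directions of every forwarded frame, which is what the per-port bridging test in the message did not deliver.

```shell
#!/bin/sh
# Added example: build a transparent sniffing bridge for a snort sensor.
# Assumptions (not from the original message): Linux with iproute2,
# management NIC eth0 untouched, eth1/eth2 are the two sniffing ports.
# With DRY_RUN=1 (the default) the commands are only printed so they can
# be reviewed before anything touches a live interface.

DRY_RUN="${DRY_RUN:-1}"

# Emit the command list that turns the two IP-less NICs $1 and $2 into bridge $3.
sensor_bridge_cmds() {
    a="$1"; b="$2"; br="$3"
    # Create the bridge and enslave both sniffing ports.
    echo "ip link add name $br type bridge"
    echo "ip link set dev $a master $br"
    echo "ip link set dev $b master $br"
    # Strip any addresses: the monitored segment must not be able to reach the sensor.
    echo "ip addr flush dev $a"
    echo "ip addr flush dev $b"
    # Promiscuous mode so every frame crossing the bridge is handed to the capture.
    echo "ip link set dev $a promisc on up"
    echo "ip link set dev $b promisc on up"
    echo "ip link set dev $br up"
    # Keep the bridge silent: no IPv6 autoconfiguration traffic of its own.
    echo "sysctl -w net.ipv6.conf.$br.disable_ipv6=1"
}

# Number of commands that would be issued (used for a self-check).
sensor_bridge_cmd_count() {
    sensor_bridge_cmds "$@" | wc -l | tr -d ' '
}

# Print (DRY_RUN=1) or execute (DRY_RUN=0) the command list, stopping on the first failure.
apply_sensor_bridge() {
    sensor_bridge_cmds "$@" | while IFS= read -r cmd; do
        if [ "$DRY_RUN" = "1" ]; then
            echo "# $cmd"
        else
            sh -c "$cmd" || { echo "failed: $cmd" >&2; return 1; }
        fi
    done
}

# Typical use: eth0 is the management NIC with a LAN IP; eth1/eth2 form the tap.
apply_sensor_bridge eth1 eth2 br0
echo "# afterwards: snort -i br0 -c /etc/snort/snort.conf   (capture on the bridge device)"
```

Two design points worth keeping in mind: the bridge is inline, so if the sensor host loses power or its NIC driver wedges, the monitored link goes down with it, and the bridge still forwards everything it does not capture, which is why the script flushes addresses and disables IPv6 on it. On a FreeBSD host the equivalent is an if_bridge (`ifconfig bridge0 create`, then `ifconfig bridge0 addm em1 addm em2 up`) with the member interfaces likewise left without addresses.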