 From:  "Brandon W. Holland" <Brandon at cookssaw dot com>
 To:  "Jim Gifford" <jim at giffords dot net>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] IDS integration w/m0n0wall?
 Date:  Fri, 27 Feb 2004 12:07:50 -0600
Think about it like this:

A bridge is a two port network switch.

You just need to use a basic passive hub (in the old days called a
multiport repeater) to do it.  I've seen Ys for Cat 5; that might work.

> -----Original Message-----
> From: Jim Gifford [mailto:jim at giffords dot net] 
> Sent: Friday, February 27, 2004 11:55 AM
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: [m0n0wall] IDS integration w/m0n0wall?
> Before people start responding with the phrase that IDS 
> doesn't belong in m0n0wall, let me say that I agree and that 
> isn't what this email is about. m0n0wall is damned near 
> perfect the way it is.  :)
> However, I would indeed like to have an IDS box (running 
> snort) watching all the interfaces of my m0n0wall for 
> intrusion attempts and successes.
> When people have asked about having a box running snort watch 
> traffic for a m0n0wall, I've seen suggestions to use a bridge 
> interface with WAN or LAN to watch that port's traffic.  
> However, from my testing with bridging, very few packets 
> actually show up on the bridged interface (namely, only 
> broadcasts).  From my remembrance of how a bridge should
> work, I expect this is Correct Behavior.  However, if there's 
> a way to "mirror" a port on m0n0wall to another port, I would 
> love to hear about it.  Basically, I would love to see every 
> packet sent and received on interface A retransmitted on interface B.
> Using the little dinky "hubs" and "switches" that are 
> available these days has the same problem, they're all really 
> tiny switches inside (i.e., really fast bridges), and you only
> see broadcast packets.
> Are other people using an IDS in conjunction with m0n0wall 
> with success? If so, I'm interested in hearing how you are doing it.
> I've begun thinking that the IDS box should have 3 
> interfaces, 1 with a LAN IP so I can get to it, and the other 
> two with no IP in bridging mode, and let that bridge be the 
> monitored segment.  One of the bridged interfaces would go to 
> the cable modem/dsl/whatever, and the other to the m0n0wall 
> WAN interface (or one to the LAN interface and the other to 
> the LAN switch, or one to the DMZ interface and one to the 
> DMZ switch, etc). In this scenario, the IDS is transparent, 
> and gets to see all the traffic. However, for a 3 interface 
> m0n0wall, this seems overly complicated (LAN, WAN, DMZ), and 
> my security sense tells me that having all those nets 
> traversing a single box (via multiple bridges) is a bad idea, 
> so that would require multiple machines.  It quickly could 
> grow out of hand.
> I should point out that at this point I'm just trying to do 
> testing of various network topologies using m0n0wall, in an 
> effort to learn as much as possible about what can be done 
> and what should be done to meet different networking needs.  
> This is by no means an urgent question.
> Any thoughts, suggestions, experience to share?
> Thanks,
> jim
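The visibility problem Jim describes (an IDS on a spare bridge or switch port sees only broadcasts, while a hub or a mirror port shows everything) can be made concrete with a small simulation. This is an added example, not code from the thread or from m0n0wall; the MAC addresses, port numbers and traffic are constructed, and the mirror (SPAN) port is an assumed feature of the modelled switch.

```python
"""Learning bridge vs. hub vs. mirror port: which frames reach the IDS port?"""

BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningBridge:
    """Minimal 802.1D-style learning bridge: learns src MAC -> port, forwards
    known unicast to exactly one port, floods broadcast and unknown unicast.
    mirror_port/mirror_of model an optional SPAN port (assumption, see lead-in)."""

    def __init__(self, ports, mirror_port=None, mirror_of=()):
        self.ports, self.table = list(ports), {}
        self.mirror_port, self.mirror_of = mirror_port, set(mirror_of)
        self.seen = {p: [] for p in ports}  # frames delivered per port

    def receive(self, ingress, src, dst):
        self.table[src] = ingress  # learn where the sender lives
        if dst == BROADCAST or dst not in self.table:
            egress = [p for p in self.ports if p not in (ingress, self.mirror_port)]
        else:  # known unicast: one port only, never the IDS port
            egress = [self.table[dst]] if self.table[dst] != ingress else []
        if self.mirror_port is not None and self.mirror_of & ({ingress} | set(egress)):
            egress.append(self.mirror_port)  # copy mirrored traffic to the SPAN port
        for p in egress:
            self.seen[p].append((src, dst))
        return egress


class Hub:
    """Multiport repeater: every frame is repeated out every other port."""

    def __init__(self, ports):
        self.ports, self.seen = list(ports), {p: [] for p in ports}

    def receive(self, ingress, src, dst):
        egress = [p for p in self.ports if p != ingress]
        for p in egress:
            self.seen[p].append((src, dst))
        return egress


# Constructed traffic: LAN host A (port 1) talks to the firewall (port 2);
# the IDS is plugged into port 3 and sends nothing itself.
HOST_A, FIREWALL = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02"
TRAFFIC = [
    (1, HOST_A, BROADCAST),  # ARP who-has from A
    (2, FIREWALL, HOST_A),   # ARP reply from the firewall
    (1, HOST_A, FIREWALL),   # TCP SYN
    (2, FIREWALL, HOST_A),   # SYN/ACK
]


def frames_seen_by(device, port):
    """Replay TRAFFIC through device and return how many frames port receives."""
    for ingress, src, dst in TRAFFIC:
        device.receive(ingress, src, dst)
    return len(device.seen[port])
```

Only the broadcast reaches the IDS on a plain bridge; a hub or a port mirrored from the firewall's port delivers all four frames.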