Think about it like this:
A bridge is a two port network switch.
You just need to use a basic passive hub (in the old days called a
multiport repeater) to do it. I've seen Ys for cat 5, that might work
> -----Original Message-----
> From: Jim Gifford [mailto:jim at giffords dot net]
> Sent: Friday, February 27, 2004 11:55 AM
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: [m0n0wall] IDS integration w/m0n0wall?
> Before people start responding with the phrase that IDS
> doesn't belong in m0n0wall, let me say that I agree and that
> isn't what this email is about. m0n0wall is damned near
> perfect the way it is. :)
> However, I would indeed like to have an IDS box (running
> snort) watching all the interfaces of my m0n0wall for
> intrusion attempts and successes.
> When people have asked about having a box running snort watch
> traffic for a m0n0wall, I've seen suggestions to use a bridge
> interface with WAN or LAN to watch that port's traffic.
> However, from my testing with bridging, very few packets
> actually show up on the bridged interface (namely, only
> broadcasts). From my rememberence of how a bridge should
> work, I expect this is Correct Behavior. However, if there's
> a way to "mirror" a port on m0n0wall to another port, I would
> love to hear about it. Basically, I would love to see every
> packet sent and received on interface A retransmitted on interface B.
> Using the little dinky "hubs" and "switches" that are
> available these days has the same problem, they're all really
> tiny switches inside (ie, really fast bridges), and you only
> see broadcast packets.
> Are other people using an IDS in conjunction with m0n0wall
> with success? If so, I'm interested in hearing how you are doing it.
> I've begun thinking that the IDS box should have 3
> interfaces, 1 with a LAN IP so I can get to it, and the other
> two with no IP in bridging mode, and let that bridge be the
> monitored segment. One of the bridged interfaces would go to
> the cable modem/dsl/whatever, and the other to the m0n0wall
> WAN interface (or one to the LAN interface and the other to
> the LAN switch, or one to the DMZ interface and one to the
> DMZ switch, etc). In this scenario, the IDS is transparent,
> and gets to see all the traffic. However, for a 3 interface
> m0n0wall, this seems overly complicated (LAN, WAN, DMZ), and
> my security sense tells me that having all those nets
> traversing a single box (via multiple bridges) is a bad idea,
> so that would require multiple machines. It quickly could
> grow out of hand.
> I should point out that at this point I'm just trying to do
> testing of various network topologies using m0n0wall, in an
> effort to learn as much as possible about what can be done
> and what should be done to meet different networking needs.
> This is by no means an urgent question.
> Any thoughts, suggestions, experience to share?
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch