 
 From:  Jim Gifford <jim at giffords dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] interface mirror
 Date:  Wed, 17 Mar 2004 11:36:42 -0500
On Wed, Mar 17, 2004 at 12:18:54PM +0100, Christiaens Joachim wrote:
> > -----Original Message-----
> > From: Sylvain Lapointe [mailto:sylap69 at sympatico dot ca]
> > Sent: Tuesday, 16 March 2004 21:15
> > To: m0n0wall at lists dot m0n0 dot ch
> > Subject: Re: [m0n0wall] interface mirror
> > 
> > 
> > Christiaens Joachim wrote:
> > 
> > >>-----Original Message-----
> > >>From: Sylvain Lapointe [mailto:sylap69 at sympatico dot ca]
> > >>Sent: Tuesday, 16 March 2004 16:36
> > >>To: m0n0wall at lists dot m0n0 dot ch
> > >>Subject: [m0n0wall] interface mirror
> > >>
> > >>
> > >>
> > >>First, sorry for my very bad English...
> > >>
> > >>I would like to know if it is possible for interface 3 to be a
> > >>mirror of interface 2, to connect interface 3 with an IDS.
> > >>
> > >>I don't know if my question is clear.
> > >>
> > >>Thanks for your help.
> > >>
> > >>Sly
> > >>    
> > >>
> > >
> > >If I get it, you want to bridge an interface, right? That can be done!
> > >Go to the interface (assign it first if not done yet) and just select
> > >'bridge with xxx' where xxx is the interface you want to monitor with
> > >your IDS...
> > >I don't know if bridging will pass everything to your IDS though...
> > >
> > >Joachim
> > >
> > >
> > >  
> > >
> > 
> > OK, I select 'bridge with LAN' for sis2.
> > 
> > Do I need firewall rules for everything to pass on the bridged NICs?
> > 
> > I use a crossover cable to connect sis2 with the NIC on my IDS.
> > 
> > Thanks for your help.
> > 
> > sly
> 
> You're welcome ;-)
> 
> Well, like Brandon said, it might not pass everything with bridging.

I can tell you from experience that it *DOES NOT* pass everything.  Think
about this: the purpose of a bridge is to reduce traffic on either side
of the bridge by only passing packets destined to machines on the other
side.  So a unicast packet from machine A to machine Z, or any broadcast
packets.  Since there is no "host" on the second bridge interface, all
you'll see is broadcast traffic.  This is hardly good enough for an IDS.

This was all covered in the archives when I asked about it some weeks
back.  I was pointed to this doc for a way to monitor one link both
directions securely: http://www.snort.org/docs/tap/

> If you want to give it a try, you will not have to create rules, as long as
> you don't activate 'filtering bridge' in the advanced config.
> 
> The cross-over is fine, but if it doesn't work (not all packets are 'seen'
> by the IDS), then a hub (no switch!) between your WAN connection, the m0n0
> and your IDS would solve that (and would leave sis2 unused).

Using a hub between your WAN device and your WAN port, and hanging the
IDS off of that hub is one way to do it.  That restricts your bandwidth,
but chances are the WAN device is already restricted anyway.  Using the
ethernet tap is probably the purest solution.

hope this helps,
jim
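
The forwarding behaviour Jim describes, as an added example that is not part of the list thread or of m0n0wall's own code: a minimal model of a learning (transparent) bridge beside a hub, run over a constructed sequence of Ethernet frames. The port names "lan" and "ids", the MAC addresses and the traffic are all made up for the illustration; the model ignores MAC ageing, spanning tree and any m0n0wall-specific filtering, and only shows the IEEE 802.1D rule that decides what reaches a bridge port with no station behind it.

```python
"""Why 'bridge with LAN' is not a mirror port.

Constructed example (not from the m0n0wall thread): a learning bridge
forwards a unicast frame only toward the port where it has seen the
destination MAC, and floods only broadcast and not-yet-learned
destinations.  An IDS hung off the second bridge port via a crossover
cable never sources a frame, so nothing is ever learned on its port and
it receives only the flooded frames.  A hub repeats every frame.
"""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str      # source MAC
    dst: str      # destination MAC
    in_port: str  # port the frame arrived on


@dataclass
class LearningBridge:
    ports: tuple
    mac_table: dict = field(default_factory=dict)  # MAC -> port

    def forward(self, frame: Frame) -> set:
        """Return the set of ports the frame is transmitted out of."""
        # Learning: the source MAC is reachable via the ingress port.
        self.mac_table[frame.src] = frame.in_port
        if frame.dst == BROADCAST or frame.dst not in self.mac_table:
            # Broadcast or unknown unicast: flood to every other port.
            return {p for p in self.ports if p != frame.in_port}
        out = self.mac_table[frame.dst]
        # Known unicast: send only toward the learned port.  If that is
        # the ingress port, the frame stays on its own segment (filtered).
        return set() if out == frame.in_port else {out}


class Hub:
    """A repeater: every frame goes out of every other port."""

    def __init__(self, ports: tuple):
        self.ports = ports

    def forward(self, frame: Frame) -> set:
        return {p for p in self.ports if p != frame.in_port}


def frames_seen_by(device, frames, monitor_port: str) -> list:
    """Frames that are actually transmitted out of monitor_port."""
    return [f for f in frames if monitor_port in device.forward(f)]


# Constructed MACs: two LAN hosts, the gateway, and a host that never talks.
A = "00:00:00:00:00:0a"
B = "00:00:00:00:00:0b"
G = "00:00:00:00:00:01"
X = "00:00:00:00:00:ee"

# Constructed traffic on the LAN port; the "ids" port never sources anything.
CONSTRUCTED_TRAFFIC = [
    Frame(A, BROADCAST, "lan"),  # ARP who-has gateway (flooded)
    Frame(G, A, "lan"),          # ARP reply: A already learned on "lan"
    Frame(A, G, "lan"),          # A -> gateway: G learned on "lan"
    Frame(G, A, "lan"),          # gateway -> A
    Frame(B, A, "lan"),          # B -> A (learns B as a side effect)
    Frame(A, B, "lan"),          # A -> B
    Frame(B, BROADCAST, "lan"),  # another broadcast (flooded)
    Frame(G, X, "lan"),          # unknown destination X (flooded)
]


def bridge_monitor_view(frames) -> list:
    """What an IDS on the 'ids' port of a fresh two-port bridge would see."""
    return frames_seen_by(LearningBridge(("lan", "ids")), frames, "ids")


def hub_monitor_view(frames) -> list:
    """What the same IDS would see hanging off a hub instead."""
    return frames_seen_by(Hub(("lan", "ids")), frames, "ids")


if __name__ == "__main__":
    total = len(CONSTRUCTED_TRAFFIC)
    print(f"bridge: IDS sees {len(bridge_monitor_view(CONSTRUCTED_TRAFFIC))}/{total} frames")
    print(f"hub:    IDS sees {len(hub_monitor_view(CONSTRUCTED_TRAFFIC))}/{total} frames")
```

With this traffic the bridged IDS port gets only the two broadcasts and the single frame to the never-seen MAC X; every unicast exchange between stations on the LAN side is filtered because both MACs were learned on the same port. The hub passes all eight. That is the whole of the argument against using a bridge as a span port, and why a hub or a passive tap is the right tool.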