RE: IDS: Security assessment tools

Mahankali, Sridhar (sridhar.mahankali@intel.com)
Fri, 9 Apr 1999 10:28:12 -0700

FAQ: See http://www.ticm.com/kb/faq/idsfaq.html
IDS: See http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems.. Then email questions to ids-owner@uow.edu.au
NOTE: You MUST remove this line from reply messages as it will be filtered.
SPAM: DO NOT send unsolicited mail to this list.
USUB: email "unsubscribe ids" to majordomo@uow.edu.au
---------------------------------------------------------------------------

Another alternative solution would be to use a network tap to tap the
physical connection between the router and the switch. The intrusion
detection engine can then plug into the "analyzer/monitor" ports to capture
wire traffic. Has anyone else used this setup?

Sridhar



> -----Original Message-----
> From: bkho@umac.mo [mailto:bkho@umac.mo]
> Sent: Friday, April 09, 1999 1:21 AM
> To: ids@uow.edu.au
> Subject: Re: IDS: Security assessment tools
> 
> From: bkho@UMAC on 04/09/99 04:21 PM
> 
> 
> I saw someone wrote that:
> 
> "... To keep an eye on data running over our network, we primarily use
> ISS's Real Secure. It watches the network for certain attack
> signature,..... Now there is one problem that could arise by using
> RealSecure. Obviously, what it's doing is throwing the interface card
> into promiscuous mode, and sniffing the network. Now this works just
> fine if you're using a standard hub, but if you're using a switched hub
> (which prevents sniffing, which is a good thing), RealSecure is
> useless. So, what we did was get an HPSwitch, which will allow
> switching for every port, except a "Master Port" which can be
> configured to receive all data. So, the only machine on our network
> which can sniff, is the network monitoring station. Another
> alternative to this would be to set up a sort of switch DMZ
> (de-militarized zone), where the data coming in from your router would
> go to a primary un-switched hub, ......."
> 
> Any comment or solutions?
> 
> Fiona
> 
>
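The thread above turns on one observable fact: a promiscuous-mode sensor on a plain switched port sees only frames addressed to its own MAC plus broadcast and multicast, whereas on a hub, a mirror ("Master") port, or a tap's monitor port it also sees unicast frames exchanged between other hosts. The following script is an added example written for this archive page; it is not code from either poster, from ISS, or from any switch vendor. It classifies captured Ethernet frames by destination MAC and reports whether third-party unicast traffic is visible, which is the quick sanity check a sensor operator wants after wiring up a mirror port or tap. The sensor MAC, the frames, and the interface name are constructed placeholders; the live-capture helper assumes a Linux host with CAP_NET_RAW and is not exercised offline.

```python
"""Check whether an IDS sensor interface actually sees third-party traffic.

Added example (not from the mailing-list posts). Frames and MACs below are
constructed for the demonstration.
"""
import socket
import struct
from collections import Counter

# Ethernet II header: destination MAC, source MAC, EtherType
ETH_HDR = struct.Struct("!6s6sH")
BROADCAST = b"\xff" * 6


def mac_str(raw: bytes) -> str:
    """Render six raw bytes as aa:bb:cc:dd:ee:ff."""
    return ":".join(f"{b:02x}" for b in raw)


def classify_frame(frame: bytes, own_mac: str) -> str:
    """Return 'own', 'broadcast', 'multicast', 'third_party' or 'runt'."""
    if len(frame) < ETH_HDR.size:
        return "runt"
    dst, _src, _etype = ETH_HDR.unpack_from(frame)
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 0x01:  # I/G bit set: group (multicast) address
        return "multicast"
    if mac_str(dst) == own_mac.lower():
        return "own"
    return "third_party"  # unicast meant for some other host


def visibility_report(frames, own_mac: str) -> dict:
    """Count frame classes; third-party unicast proves mirroring/tapping works."""
    counts = dict(Counter(classify_frame(f, own_mac) for f in frames))
    if counts.get("third_party", 0) > 0:
        verdict = "mirrored_or_tapped"   # hub, SPAN/Master Port, or tap
    else:
        verdict = "switched_port_only"   # sensor is blind to other hosts
    return {"counts": counts, "verdict": verdict}


def build_frame(dst: str, src: str, etype: int = 0x0800,
                payload: bytes = b"\x00" * 46) -> bytes:
    """Construct a minimal Ethernet frame (sample data for the example)."""
    to_raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return ETH_HDR.pack(to_raw(dst), to_raw(src), etype) + payload


SENSOR_MAC = "00:11:22:33:44:55"  # constructed sensor NIC address

# What a sensor on an ordinary switched port would see: its own unicast,
# an ARP broadcast, and an mDNS multicast, but nothing between other hosts.
SWITCHED_PORT_CAPTURE = [
    build_frame(SENSOR_MAC, "aa:bb:cc:00:00:01"),
    build_frame("ff:ff:ff:ff:ff:ff", "aa:bb:cc:00:00:02", etype=0x0806),
    build_frame("01:00:5e:00:00:fb", "aa:bb:cc:00:00:03"),
]

# Same frames plus a unicast exchange between two other hosts, as a
# mirror port or tap would deliver.
MIRROR_PORT_CAPTURE = SWITCHED_PORT_CAPTURE + [
    build_frame("aa:bb:cc:00:00:09", "aa:bb:cc:00:00:02"),
    build_frame("aa:bb:cc:00:00:02", "aa:bb:cc:00:00:09"),
]


def sniff_frames(iface: str, count: int = 200) -> list:
    """Live capture on Linux (raw AF_PACKET socket, needs CAP_NET_RAW)."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0003))
    s.bind((iface, 0))
    try:
        return [s.recv(65535) for _ in range(count)]
    finally:
        s.close()


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 2:  # usage: script.py <iface> <sensor-mac>
        print(visibility_report(sniff_frames(sys.argv[1]), sys.argv[2]))
    else:
        print(visibility_report(SWITCHED_PORT_CAPTURE, SENSOR_MAC))
        print(visibility_report(MIRROR_PORT_CAPTURE, SENSOR_MAC))
```

Run it without arguments to see the two constructed captures classified; with an interface name and the sensor's MAC it reads a few hundred live frames instead. A verdict of `switched_port_only` after a reasonable sample means the switch is not mirroring to that port, which is exactly the failure mode the quoted post describes for RealSecure behind a switch.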