Re: IDS: Security assessment tools

N. Ganesh (ganeshn@bom5.vsnl.net.in)
Sun, 11 Apr 1999 20:52:53 +0530

FAQ: See http://www.ticm.com/kb/faq/idsfaq.html
IDS: See http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems.. Then email questions to ids-owner@uow.edu.au
NOTE: You MUST remove this line from reply messages as it will be filtered.
SPAM: DO NOT send unsolicited mail to this list.
USUB: email "unsubscribe ids" to majordomo@uow.edu.au
---------------------------------------------------------------------------

One problem in configuring one of the ports of the switch as a master port is that
this adds substantial traffic to the switch backplane, as traffic from every switch
port has to be mirrored onto the master port.

Connecting the RealSecure engine between the router and the switch (through a
primary hub tap) helps monitor the traffic between the router and the switch,
but cannot monitor the traffic from one switch port to another.

What may be useful is a new addition to the ISS SAFESuite family, the RealSecure
host agent, i.e. this IDS engine would be on each of the hosts connected to the
switch. Any feedback from anyone having tried this new product? Please let me know.

thanks and regards,

ganesh


bkho@umac.mo wrote:

> From: bkho@UMAC on 04/09/99 04:21 PM
>
> I saw someone wrote that:
>
> "... To keep an eye on data running over our network, we primarily use ISS's
> Real Secure. It watches the network for certain attack signatures,..... Now there
> is one problem that could arise by using RealSecure. Obviously, what it's doing
> is throwing the interface card into promiscuous mode, and sniffing the network.
> Now this works just fine if you're using a standard hub, but if you're using a
> switched hub (which prevents sniffing, which is a good thing), RealSecure is
> useless. So, what we did was get an HPSwitch, which will allow switching for
> every port, except a "Master Port" which can be configured to receive all data.
> So, the only machine on our network which can sniff, is the network monitoring
> station. Another alternative to this would be to set up a sort of switch DMZ
> (de-militarized zone), where the data coming in from your router would go to a
> primary un-switched hub, ......."
>
> Any comment or solutions?
>
> Fiona
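The three sensor placements discussed in this thread (promiscuous NIC on a hub, sensor on a switch "master"/mirror port, sensor on a hub tap between router and switch) can be compared with a small model. The following is an added example written for this page, not code from the original posts nor from ISS or HP; the topology (a router on the uplink, two hosts, a sensor port) and the four frames replayed through it are constructed, and the switch is a minimal learning bridge that flood-forwards unknown destinations and optionally copies every frame to one mirror port.

```python
from collections import defaultdict

# Constructed topology (assumption, not from the post): a router on the
# switch uplink, two hosts, and a sensor NIC on a fourth port.
UPLINK, PORT_A, PORT_B, SENSOR_PORT = 0, 1, 2, 9
ROUTER, HOST_A, HOST_B = "router", "hostA", "hostB"

# Constructed traffic: two frames that cross the router and two that stay
# inside the switch. Tuples are (ingress port, source MAC, destination MAC).
FRAMES = [
    (PORT_A, HOST_A, ROUTER),   # A -> outside world
    (UPLINK, ROUTER, HOST_A),   # reply from outside
    (PORT_B, HOST_B, HOST_A),   # B -> A, never touches the uplink
    (PORT_A, HOST_A, HOST_B),   # A -> B, never touches the uplink
]


class Hub:
    """Shared-medium repeater: every frame goes out every other port."""

    def __init__(self, ports):
        self.ports = set(ports)
        self.delivered = defaultdict(list)  # port -> frames it received

    def forward(self, in_port, src, dst):
        out = self.ports - {in_port}
        for p in out:
            self.delivered[p].append((src, dst))
        return out


class Switch:
    """Learning switch. If mirror_port is set, that port gets a copy of
    every frame (the HP 'master port' / monitor port idea); otherwise it is
    an ordinary port that only sees frames addressed or flooded to it."""

    def __init__(self, ports, mirror_port=None):
        self.ports = set(ports)
        self.mirror_port = mirror_port
        self.mac_table = {}                  # MAC -> port, learned from sources
        self.delivered = defaultdict(list)
        self.backplane_copies = 0            # frame copies the fabric had to make

    def forward(self, in_port, src, dst):
        self.mac_table[src] = in_port
        data_ports = self.ports - {in_port, self.mirror_port}
        if dst in self.mac_table:
            out = {self.mac_table[dst]}      # known destination: unicast
        else:
            out = data_ports                 # unknown destination: flood
        if self.mirror_port is not None:
            out = out | {self.mirror_port}   # extra copy for the monitor
        for p in out:
            self.delivered[p].append((src, dst))
        self.backplane_copies += len(out)
        return out


def run_switch(mirror=True):
    """Replay FRAMES through a switch and report what each vantage point saw."""
    sw = Switch([UPLINK, PORT_A, PORT_B, SENSOR_PORT],
                mirror_port=SENSOR_PORT if mirror else None)
    tap_seen = []  # a hub/tap on the router link sees only uplink traffic
    for in_port, src, dst in FRAMES:
        out = sw.forward(in_port, src, dst)
        if in_port == UPLINK or UPLINK in out:
            tap_seen.append((src, dst))
    return {
        "sensor_port_sees": len(sw.delivered[SENSOR_PORT]),
        "uplink_tap_sees": len(tap_seen),
        "backplane_copies": sw.backplane_copies,
    }


def run_hub():
    """Same traffic on a hub: a promiscuous sensor sees every frame."""
    hub = Hub([UPLINK, PORT_A, PORT_B, SENSOR_PORT])
    for in_port, src, dst in FRAMES:
        hub.forward(in_port, src, dst)
    return len(hub.delivered[SENSOR_PORT])


if __name__ == "__main__":
    print("hub, sensor sees:", run_hub(), "of", len(FRAMES))
    print("switch, plain port:", run_switch(mirror=False))
    print("switch, master port:", run_switch(mirror=True))
```

On the hub the sensor sees all four frames; on a plain switch port it sees only the one flooded frame (the first, sent before the router's MAC was learned); on the mirror port it sees all four, and the uplink tap sees only the two that cross the router. The backplane counter rises from 6 to 9 copies for those four frames, which is the cost the reply refers to, and the mirror port alone carries as many frames as all other ports combined, so on real hardware the monitor link saturates and drops mirrored frames well before the backplane does.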