TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
I think the point (Mark's?) was not that setting up the probes in a
stealth configuration (dual-NIC, one set up solely as a listener, one for
talking) is less than ideal; I think his point was that having _3_ NICs,
with two stealthed, is less than ideal. This way, one probe is trying to
(presumably) monitor multiple network segments. If an attack comes in
that floods both network segments, then the probe will probably be swamped
and start to lose packets. I'd consider this less than ideal. Better
would be to have multiple probes. It's worth the expense, especially if
the probe is monitoring network segments that can both be hit by the same
flood. (E.g., monitoring outside the firewall as well as a public DMZ,
when a flood of a public web server on the public DMZ allows the probe to
see traffic from the same attack twice - twice the processing involved.)
-Mike Wilson
-Sr. Network Computing Pure Scientist
-UNIFIED Technologies
-Troy, NY
On Wed, 16 Feb 2000, Lunsford, Scott wrote:
>
> Actually, this is an ideal IDS architecture. We use this configuration to
> monitor our external ethernet segments (external being outside the
> firewall). We have 2 nics in the RealSecure box. One nic is connected to
> the external network strictly listening (stealth mode), the other nic is
> connected to our internal network and is used to communicate with the
> console. We find this to be ideal.
>
> Scott Lunsford
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, February 17, 2000 7:34 AM
> > To: Benjamin Mah
> > Cc: [EMAIL PROTECTED]
> > Subject: Re: Real Secure Engine with 3 NICs -reply
> >
> > It works, but it is not an ideal IDS architecture. Is there a reason
> > why you are setting up your IDS system this way??
> >
> > /m
> >
> >
> >
> >
> > "Benjamin Mah" <[EMAIL PROTECTED]>
> > Sent by: [EMAIL PROTECTED]
> > 02/14/00 04:57 PM
> >
> >
> > To: <[EMAIL PROTECTED]>
> > cc:
> > Subject: Real Secure Engine with 3 NICs
> >
> >
> >
> > I am trying to do an engine with 3 NICs which means there will be 2
> > NICs without any IPs and IP forwarding ... the last NIC would have an
> > internal IP address which reports back to the internal Console... Has
> > anyone tried this? Does this work? Are there any security
> > complications if I really implement this?
> >
> > Thanks
> > BenJiZs
> >
> >
> >
> >
>
>