James -

I would like to give support to Donald Allen's response.
Set the Sensors and the SiteProtector Management/Database servers up on
a private network.  That keeps the communication off the corporate network.
The SP Management and Database servers should have a second NIC that
connects to the main network so that they can connect to ISS for updates -
but even that can be limited - turned off when not needed.  That probably
wouldn't work very well in a production environment though.  As in our case
the console is accessed remotely by 10 different physically remote users.
Physical use of the actual console is extremely limited.

In general this is how it works for us....
(open fullscreen and use "Courier New" font to see map cleanly)
(Assume the switch is there for each network)


                                Corporate NW
                                        |
        |-----------------------|       |       |-----------------------|
        | SP Console            |       |       | SP Database           |
        | 192.168.10.10 Network |---------------| 192.168.10.11 Network |
        |                       |               |                       |
        |                       |               |                       |
        | 90.0.0.10     IDS NW  |-------|-------| IDS NW      90.0.0.11 |
        |-----------------------|       |       |-----------------------|
                                        |
                                        |---------------------------------------|
                                        |                                       |
        |-----------------------|       |       |-----------------------|       |       |-----------------------|
        | Network Sensor 1      |       |       | Network Sensor 2      |       |       | Network Sensor 3      |
        | 90.0.0.20     IDS NW  |---------------| IDS NW    90.0.0.21   |       |-------| 90.0.0.22     IDS NW  |
        |                       |               |                       |               |                       |
        |                       |               |                       |               |                       |
        | 10.0.0.20 Promisc.TAP |---|           | Promisc.TAP 10.0.0.21 |---|           | 10.0.0.22 Promisc.TAP |---|
        |-----------------------|   |           |-----------------------|   |           |-----------------------|   |
                                    |                                       |                                       |
                                OUTSIDE TAP                             INSIDE TAP                              Internal
                                NW Firewall                             NW Firewall                            NW Segment


With that said - the sensor CAN also generate traffic on the network
if you have signatures set to respond with TCP Resets, Email alerts,
SNMP traps, etc. Make sure you are cautious with "response" traffic.
Also note that the above configuration could make it difficult to
perform many response methods.  For us, to further complicate the
management, we have one remote monitor user who connects via a VPN
link to the IDS (90.0.0.x) switch.  Causes us to have to make
changes to the SP Console computer Registry to let the Remote SP
console to communicate properly.  ISS was very supportive in
assisting us in engineering that configuration.


Henry Schupp
[EMAIL PROTECTED]
Internet Security Operations Center
Integrated Data Systems, Inc.
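The point above that a sensor is passive on the tap but can still talk on the IDS management network (to the SP Console/Database, and, if configured, TCP resets, e-mail alerts and SNMP traps) is something you can check rather than assume. The script below is an added example; it is not from the original post and not ISS/SiteProtector code. It takes tcpdump-style lines from a capture on the IDS (90.0.0.x) switch and classifies every packet sourced by a sensor as management, response or unexpected traffic. The addresses follow the diagram in the post; the sample lines, the management port numbers, and the choice of SMTP (25) and SNMP trap (162) as response channels are constructed assumptions.

```python
"""Audit what an IDS sensor actually sends on the management network.

Added example, not ISS/SiteProtector code. Addresses are taken from the
diagram in the post; log lines and port numbers are constructed.
"""
import ipaddress
import re
from collections import Counter

IDS_NW = ipaddress.ip_network("90.0.0.0/24")          # IDS management network
SENSORS = {ipaddress.ip_address(a) for a in ("90.0.0.20", "90.0.0.21", "90.0.0.22")}
MANAGEMENT = {ipaddress.ip_address(a) for a in ("90.0.0.10", "90.0.0.11")}  # SP Console / Database
# Assumed "response" channels besides TCP resets: e-mail alerts (SMTP) and SNMP traps.
RESPONSE_PORTS = {25: "email alert", 162: "snmp trap"}

# Matches "tcpdump -nn" style lines; the Flags part is absent for UDP.
LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
    r"(?: Flags \[(?P<flags>[^\]]*)\])?"
)

# Constructed sample capture from the IDS switch (not real data).
SAMPLE_LINES = [
    "12:00:01.000000 IP 90.0.0.20.1025 > 90.0.0.10.902: Flags [P.], seq 1:100, ack 1, length 99",
    "12:00:02.000000 IP 90.0.0.21.80 > 192.168.10.55.3344: Flags [R.], seq 0, ack 1, length 0",
    "12:00:03.000000 IP 90.0.0.22.1030 > 192.168.10.25.25: Flags [S], seq 5, win 8192, length 0",
    "12:00:04.000000 IP 90.0.0.20.1031 > 192.168.10.30.162: UDP, length 120",
    "12:00:05.000000 IP 90.0.0.22.1032 > 192.168.10.40.445: Flags [S], seq 9, length 0",
    "12:00:06.000000 IP 192.168.10.10.3389 > 90.0.0.10.3389: Flags [S], seq 2, length 0",
    "12:00:07.000000 IP 90.0.0.21.1040 > 90.0.0.11.1433: Flags [.], ack 1, length 0",
]


def classify(line):
    """Classify one sensor-originated packet; None if the source is not a sensor."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src = ipaddress.ip_address(m["src"])
    dst = ipaddress.ip_address(m["dst"])
    if src not in SENSORS:
        return None                      # only traffic the sensor itself emits matters here
    dport = int(m["dport"])
    flags = m["flags"] or ""
    if dst in MANAGEMENT:
        return "management"              # sensor <-> SP Console/Database, expected
    if "R" in flags:
        return "response: tcp reset"     # sensor killing a session it flagged
    if dport in RESPONSE_PORTS:
        return "response: " + RESPONSE_PORTS[dport]
    if dst not in IDS_NW:
        return "unexpected: off IDS network"   # leaked onto the corporate side
    return "unexpected"


def audit(lines):
    """Return (Counter of categories, list of lines judged unexpected)."""
    counts = Counter()
    unexpected = []
    for line in lines:
        category = classify(line)
        if category is None:
            continue
        counts[category] += 1
        if category.startswith("unexpected"):
            unexpected.append(line)
    return counts, unexpected


if __name__ == "__main__":
    counts, bad = audit(SAMPLE_LINES)
    for category, n in sorted(counts.items()):
        print(f"{n:3d}  {category}")
    for line in bad:
        print("CHECK:", line)
```

Run it against a real capture by feeding `tcpdump -nn -i <IDS NIC>` output into `audit()` instead of `SAMPLE_LINES`. Anything that lands in the "unexpected" bucket is the sensor talking somewhere the design did not plan for; the "response" bucket is the traffic a boss worried about load should be shown, since it only exists if signatures are configured to respond.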




Danilov, Jaroslav [EMAIL PROTECTED]
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
Mohr James
Sent: Monday, November 17, 2003 7:52 AM
To: [EMAIL PROTECTED]
Subject: [ISSForum] Confusion about behaviour of Network Sensor


Hi All!

Please forgive the very newbie questions, but as the subject implies I am
confused about the behavior of the  Network Sensor. From what I have read,
it seems that the network sensor is more or less passive. That is, it simply
reads the network packets looking for problems. This is in contrast to the
Internet Scanner which **actively** scans the network (i.e. port scans).
(From the doc: "The network sensor monitors network packets to detect
attacks or other security-related events.", and later "If you scan this
network with Internet Scanner,...")

One reason I am asking (other than to learn more about the system) is that
my boss said that the reason we have not implemented the network sensors is
that they cause too much traffic on the network, which contradicts what I
understand.  So, I guess the big question is whether or not the Network
Sensor causes traffic problems on the network. Any help is greatly
appreciated.

Regards,

Jim Mohr


ELAXY Brokerage & Trading GmbH & Co KG
_________________________________
James Mohr
Systembetrieb
Am Hofbräuhaus 1
96450 Coburg
Germany
Fon +49 (0) 95 61.55 43.0
Fax +49 (0) 95 61.55 43.302
E-Mail: [EMAIL PROTECTED]
---------------------------------------
"Be more concerned with your character than with your
reputation. Your character is what you really are while
your reputation is merely what others think you are." --
John Wooden
---------------------------------------
Be sure to visit the Linux Tutorial:
http://www.linux-tutorial.info

_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo

