Inline vs Passive IPS/IDS questions

JohnnyBiggles Member Posts: 273
We're testing IPS/IDS systems and there is a virtual appliance available that we've set up. We have multiple subnets on our network but all terminate at our firewall to exit out to the internet (although a few of them have their own gateway router before they converge at this firewall). We currently have it set up on an ESXi host that is connected physically on one of those subnets (one that connects directly to the main firewall/router). The vSwitch in ESXi is set to promiscuous mode and we set it to run for a few days, but the tech guys doing the demo said there wasn't a lot of traffic displayed and many of the reporting/analysis areas showed no data. However, it did show hosts from all of the networks except one, and it did gather some information, so I assumed that maybe we just don't generate a whole heap of traffic and there were no intrusions to report on. It's a small office (~50 or so people and several servers/devices). I have a few questions for those who are more familiar with IPS/IDS devices and networking:

1. I was under the impression that for a 'passive' mode sensor, port mirroring would be necessary to collect info about traffic going into and around our network. Is this true, or will promiscuous mode suffice? The ESXi host the VM sensor is running on is connected to a small switch before another switch that connects to the firewall. Will this make any difference to how much or what information it receives?

2. For inline IPS/IDS, in our scenario, where would be the best place to put an inline sensor (virtual or physical)?

Any assistance would be great.

Comments

  • YFZblu Member Posts: 1,462
    1. Right - For a device not inline, you'll have to get the traffic to the sensor somehow. Put the sensor's NIC in promiscuous mode and you have a few options to feed it traffic:

    1. Use a hub
    2. Use a switch with a mirror port
    3. Use a tap

    I won't get into the limitations of some of the devices above, because that's not what you're asking about.

    2. Placement depends on what your goals are. Monitoring and storing 'everything' is not possible much of the time. In that case someone like Richard Bejtlich would say to place the taps in areas that suffer the greatest risk.

    Tapping outside of the firewall would be great for TI or if you have a policy to block even those who 'poke' at your network externally. Otherwise, placing taps behind the firewall will be much less noisy for analysts. Once again, you'll want to determine what the goals are and go from there.
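As an added example (not part of either post above), the following Python script implements the check a practitioner would run before concluding that a quiet sensor simply has nothing to see: does the sensor NIC receive any unicast frames addressed to a MAC other than its own? On a switched network, promiscuous mode (on the NIC or on an ESXi vSwitch port group) only exposes what already arrives at that port: the sensor's own traffic plus broadcast and multicast. Foreign unicast appears only once a hub, mirror/SPAN port, or tap is feeding the port, which is exactly the point the comment above makes. The sensor MAC, the sample frames, the VLAN tag and the /24 subnet grouping are all constructed for this example.

```python
"""Is the passive sensor actually being fed mirrored traffic?

Added example (not from the original thread). Parses raw Ethernet frames and
counts how many are unicast to a MAC other than the sensor's own. With a
switch but no hub/mirror/tap, that count stays at zero no matter what mode
the NIC is in, because the switch never forwards other hosts' unicast
frames to the sensor port. The sensor MAC, the sample frames and the /24
subnet assumption below are constructed for this example.
"""
import struct
from collections import Counter

SENSOR_MAC = "00:50:56:aa:bb:cc"  # hypothetical MAC of the sensor VM's NIC
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> dict:
    """Return dst/src MAC, EtherType and (for IPv4) source/destination IPs."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    payload = frame[14:]
    if etype == 0x8100 and len(payload) >= 4:  # 802.1Q tag: skip TCI, read inner type
        etype = struct.unpack("!H", payload[2:4])[0]
        payload = payload[4:]
    info = {"dst": mac_str(dst), "src": mac_str(src), "ethertype": etype}
    if etype == 0x0800 and len(payload) >= 20:  # IPv4: addresses at offsets 12 and 16
        info["ip_src"] = ".".join(str(b) for b in payload[12:16])
        info["ip_dst"] = ".".join(str(b) for b in payload[16:20])
    return info


def classify(info: dict, sensor_mac: str = SENSOR_MAC) -> str:
    """own / broadcast / multicast / foreign_unicast, judged by destination MAC."""
    dst = info["dst"]
    if dst == sensor_mac.lower():
        return "own"
    if dst == BROADCAST:
        return "broadcast"
    if int(dst[:2], 16) & 1:  # I/G bit set in the first octet => group address
        return "multicast"
    return "foreign_unicast"


def feed_report(frames, sensor_mac: str = SENSOR_MAC) -> dict:
    """Summarise what reached the sensor and whether a mirror/tap is evidently working."""
    counts = Counter()
    subnets = set()
    for frame in frames:
        info = parse_frame(frame)
        counts[classify(info, sensor_mac)] += 1
        if "ip_src" in info:  # assume /24 subnets purely to group hosts for the report
            subnets.add(".".join(info["ip_src"].split(".")[:3]) + ".0/24")
    return {
        "counts": dict(counts),
        "subnets_seen": sorted(subnets),
        "mirror_working": counts["foreign_unicast"] > 0,
    }


def build_frame(dst, src, ip_src=None, ip_dst=None, vlan=None) -> bytes:
    """Construct a minimal test frame: ARP-typed if no IPs, else a bare IPv4 header."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if ip_src is None:
        etype, body = 0x0806, b""
    else:
        etype = 0x0800
        body = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                           bytes(int(o) for o in ip_src.split(".")),
                           bytes(int(o) for o in ip_dst.split(".")))
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    return hdr + tag + struct.pack("!H", etype) + body


# Constructed captures. ACCESS_PORT_ONLY is what a promiscuous NIC on an ordinary
# switch port sees; MIRRORED adds the foreign unicast a SPAN session or tap delivers.
ACCESS_PORT_ONLY = [
    build_frame(BROADCAST, "00:11:22:33:44:01"),                                      # ARP who-has
    build_frame("01:00:5e:00:00:fb", "00:11:22:33:44:02", "10.0.1.7", "224.0.0.251"),  # mDNS
    build_frame(SENSOR_MAC, "00:11:22:33:44:03", "10.0.1.10", "10.0.1.50"),            # to sensor
]
MIRRORED = ACCESS_PORT_ONLY + [
    build_frame("00:11:22:33:44:05", "00:11:22:33:44:04", "10.0.2.15", "10.0.1.50"),
    build_frame("00:aa:bb:cc:dd:01", "00:11:22:33:44:06", "10.0.3.8", "93.184.216.34", vlan=30),
]

if __name__ == "__main__":
    for name, capture in (("access port only", ACCESS_PORT_ONLY), ("mirrored", MIRRORED)):
        print(name, feed_report(capture))
```

On a live sensor the same check needs no script: `tcpdump -nn -i <iface> -c 20 'not ether dst <sensor-mac> and not ether broadcast and not ether multicast'` should show a steady stream of other hosts' packets; if it stays silent, no mirror or tap is feeding that port, whatever mode the NIC is in. Note that promiscuous mode on an ESXi port group only lets the VM see frames the vSwitch itself receives on its uplink; it does not cause the upstream physical switch to send anything extra, so the SPAN/mirror session has to be configured on the physical switch with the ESXi uplink port as its destination.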