Page 2 of 2
Results 26 to 29 of 29
  1. rossonieri#1 (Coffee anyone?)
    Join Date: Jun 2003
    Posts: 800
    Certifications: a few...
    #26
    There are a few kinds of firewall/IDS/IDP modes:
    - transparent bridging : where you have 2 NICs with no IPs and the appliance works in sniffing/IDS mode (just to catch what kind of traffic is running in your net and trigger the alarm)
    - bridging : basic 2 or more NICs on the same subnet, doing just the same as transparent bridging.
    - routing : where 2 NICs with 2 IPs, probably just a basic firewall with NAT/gateway mode.
    - proxy arp : PAT mode.
    It very much depends on where you get the information on setting up your IDP/IDS/FW.

    And about deep inspection/stateful firewall: it is a term to define the capability of the device to work on/examine traffic at a given layer:
    - transparent bridging/bridging work in layer 1-2
    - routing in layer 3-4
    - proxy arp can work in layer 4 to 7 to determine the pattern of the traffic passing through the device.

  2. lspahn (Junior Member)
    Join Date: May 2005
    Posts: 2
    #27
    Quote Originally Posted by jdmurray:
    > The only part I'm not sure how to do under Linux is insert Snort between the two interfaces. There must be a HOW-TO on snort.org that explains this configuration.

    I'm not too sure what kind of switch you are using, but if you put the port in monitor mode it should show you all the traffic associated with the network. I have had some success using a Cisco 3500 and a single Windows box running Snort with a Gigabit card to avoid bottlenecking.

    Good Luck

  3. JDMurray (Certification Invigilator, Forum Admin)
    Join Date: Jul 2003
    Location: Surf City USA
    Posts: 10,615
    Blog Entries: 50
    Certifications: GSEC, EnCE, CISSP, SSCP, CEH (ANSI), CASP, CCNA, CCENT, CWSP, CWNA, CWTS, Security+, Server+, Network+, A+, DHTI+, PDI+, MSIT InfoSec
    #28
    Not a proper switch appliance. I was referring to using a Linux box as a network gateway and having Snort sniff the packets routed between two (or more) NICs in the box.
    Moderator of the InfoSec, CWNP, IT Jobs, Virtualization, Java, and Microsoft Developers forums at www.techexams.net
    --
    Blog: www.techexams.net/blogs/jdmurray
    LinkedIn: www.linkedin.com/in/jamesdmurray
    Twitter: www.twitter.com/jdmurray

  4. rossonieri#1 (Coffee anyone?)
    Join Date: Jun 2003
    Posts: 800
    Certifications: a few...
    #29
    Quote Originally Posted by lspahn:
    > I'm not too sure what kind of switch you are using, but if you put the port in monitor mode it should show you all the traffic associated with the network. I have had some success using a Cisco 3500 and a single Windows box running Snort with a Gigabit card to avoid bottlenecking.
    >
    > Good Luck

    What causes you a bottleneck when your box only monitors traffic in sniffing mode?

    I agree with jdmurray - use 2 or more NICs in gateway mode to process the traffic instead of only examining what is passing through the net.
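The bottleneck lspahn mentions and rossonieri#1 asks about shows up, on the sensor side, as packets the capture layer discarded before Snort could analyze them. The following is an added example, not code from the thread or from the Snort project: a small parser for the "Packet I/O Totals" block that Snort 2.x prints in its shutdown summary, used to flag a sensor that is dropping more than an acceptable share of what it receives. The summary text below is constructed for the example and the block layout is assumed to match Snort 2.x output; the threshold of 1% is an assumption as well.

```python
import re

# Constructed sample modelled on the "Packet I/O Totals" block that
# Snort 2.x prints at shutdown. The counters are made up: this sensor
# is dropping roughly 11% of everything it sees on the SPAN port.
SAMPLE_SUMMARY = """\
===============================================================================
Packet I/O Totals:
   Received:        1234567
   Analyzed:        1100000 ( 89.100%)
    Dropped:         134567 ( 10.900%)
   Filtered:              0 (  0.000%)
Outstanding:              0 (  0.000%)
   Injected:              0
===============================================================================
"""

# Second constructed sample: a sensor that is keeping up with the link.
HEALTHY_SUMMARY = """\
Packet I/O Totals:
   Received:         987654
   Analyzed:         987654 (100.000%)
    Dropped:              0 (  0.000%)
   Filtered:              0 (  0.000%)
Outstanding:              0 (  0.000%)
   Injected:              0
"""

# One counter per line: label, colon, integer. The percentage in
# parentheses is recomputed below rather than trusted from the text.
COUNTER_RE = re.compile(
    r"^\s*(Received|Analyzed|Dropped|Filtered|Outstanding|Injected):\s+(\d+)",
    re.MULTILINE,
)


def parse_packet_io_totals(text):
    """Return the Packet I/O counters as a dict keyed by lowercase label."""
    counters = {m.group(1).lower(): int(m.group(2)) for m in COUNTER_RE.finditer(text)}
    if "received" not in counters:
        raise ValueError("no Packet I/O Totals block found in input")
    return counters


def drop_ratio(counters):
    """Fraction of received packets the capture layer dropped (0.0 .. 1.0)."""
    received = counters["received"]
    if received == 0:
        return 0.0
    # Some DAQ modules do not report a Dropped line; treat that as zero.
    return counters.get("dropped", 0) / received


def is_bottlenecked(counters, max_drop_ratio=0.01):
    """True when drops exceed the tolerated share (assumed default: 1%)."""
    return drop_ratio(counters) > max_drop_ratio


def report(text, max_drop_ratio=0.01):
    """Human-readable verdict for one shutdown summary."""
    counters = parse_packet_io_totals(text)
    ratio = drop_ratio(counters)
    verdict = "BOTTLENECKED" if is_bottlenecked(counters, max_drop_ratio) else "ok"
    return (f"received={counters['received']} dropped={counters.get('dropped', 0)} "
            f"drop_ratio={ratio:.3%} -> {verdict}")


if __name__ == "__main__":
    print(report(SAMPLE_SUMMARY))
    print(report(HEALTHY_SUMMARY))
```

The Dropped counter comes from the capture layer on the sensor itself (the packets the kernel or DAQ could not hand to Snort in time), so it tells you whether the box, not the network, is the bottleneck. A SPAN port that mirrors both directions of a full-duplex link into a single monitor port can also discard frames at the switch, and those never reach this counter; that case has to be read from the switch's own interface statistics, which is one reason the gateway-mode deployment jdmurray describes sees every packet that actually crosses the box.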
