List: focus-ids
Subject: RE: interface-mirroring on a server
From: "sstover" <sstover () enterasys ! com>
Date: 2003-01-22 14:16:24
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Perhaps I'm misunderstanding your configuration, but would a tap fit your solution?
There are a number of IDSs that can connect directly to tapped output which means all
you need (other than the sensor) is the tap.
Does that solve your problem?
- --
Samuel f. Stover
sstover@enterasys.com
- -----Original Message-----
From: detmar.liesen@lds.nrw.de [mailto:detmar.liesen@lds.nrw.de]
Sent: Friday, January 10, 2003 3:39 AM
To: focus-ids@securityfocus.com
Subject: interface-mirroring on a server
Hi,
I have a VPN-gateway that acts as an intermediate gw for a site-to-site vpn:
[gw1] --> [public-net] --> [gw2] --> [private-net] --> [gw3]
The gw1 is out of my reach, regarding administration and surveillance, so I want
to run an IDS against the data
that runs through the tunnel on gw2.
This is possible, because I can sniff on the internal interface that connects
the IPSec-layer to the normal IP stack on gw2,
which is a linux-box.
However, I don't want to run an IDS on the VPN-box itself, because the box is
loaded enough with encrypting and decrypting packets.
Can I somehow create a mirror on the internal interface,
i.e. copy all packets from the internal interface to a dedicated NIC which is
connected to an IDS?
I have thought about checking out the linux bridging drivers, but I think with
this software you can only send all packets from all NICs
to all other NICs but not selectively mirror packets.
What I need is something equivalent to a switch-mirror-port but for a
linux-server.
Is that feasible? Has anybody tried something like that before?
Thanks for your help.
Greetings,
Detmar Liesen
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
iQA/AwUBPi6mxypfzk4ryK10EQIakgCg635P0ugHXl3p6ueURvpgnPm80z0AmgIZ
6C14QB6qdj8kZYlzS1wXkBO0
=W7f/
-----END PGP SIGNATURE-----