Hello Listers.
I was wondering how to implement a somewhat transparent IDS; our planned
setup looks somewhat like this:
                |uplink|
                 ||  ||
    |firewall|----|replicate of firewall|
            \            /
             \          /
              |  IDS   |
              |--------|
    Internal stuff here (PS: those are routed IPs,
    production servers etc.)
I was wondering if it is possible to implement an IDS behind the
firewalls that is completely transparent to the traffic that passes
through it. Now, as for the TTL value of packets, I can increment those
values in the output with iptables, therefore that is not a problem. Are
there other things I will have to have a look at?
What about bridging, would that be somewhat of a choice? Or, what about
fast forwarding between interfaces, as mentioned in the Linux kernel
compile options, or do the packets not traverse the stack then?
The IDS will have 3 interfaces: 1 Gigabit interface and 2 100 Mbit
interfaces, 1 for the uplink, 1 for the admin net and 1 gigabit link to
a Cisco 3500 XL.
I am grateful for _any_ ideas. Thank you!
--
Don't walk in front of me, I may not follow.
Don't walk behind me, I may not lead.
Just walk beside me and be my friend.
~ Albert Camus ~
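The bridging option raised in the post, shown as an added example that is not part of the original message: a Linux IDS host can forward frames between the firewall-facing and internal-facing interfaces as a layer 2 bridge. The bridge carries no IP address, so it is not a routed hop (TTL is untouched) and nothing on the path can address it; the third, admin interface keeps its own address for management and alerting. Interface names (eth1, eth2), the bridge name br0 and the dry-run wrapper are assumptions for this example, and the script only executes the commands when called with the argument apply.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a transparent layer 2 bridge
# on the IDS host so traffic between the firewall and the internal switch passes
# through unchanged. Interface and bridge names below are assumptions.
set -eu

# Emit the commands that turn $2 (firewall side) and $3 (internal side) into a
# transparent bridge named $1. Printing them first lets an admin review or
# record the change before applying it on a production path.
bridge_cmds() {
    br="$1"; outside="$2"; inside="$3"
    cat <<EOF
ip link add name $br type bridge
ip link set dev $outside master $br
ip link set dev $inside master $br
ip link set dev $outside up
ip link set dev $inside up
ip link set dev $br up
sysctl -w net.bridge.bridge-nf-call-iptables=0
sysctl -w net.ipv6.conf.$br.disable_ipv6=1
EOF
}
# Notes on the last two lines: bridge-nf-call-iptables=0 keeps the host's
# iptables rules from being applied to bridged frames (the IDS should observe,
# not filter, on this path); disabling IPv6 on the bridge stops the kernel from
# auto-configuring a link-local address and announcing the bridge on the wire.

# Count the commands a given plan contains; handy for a quick sanity check.
cmd_count() {
    bridge_cmds "$@" | wc -l | tr -d ' '
}

# Only touch the system when explicitly asked; otherwise print the plan.
# Sniffing (tcpdump/snort) would then be started on br0 or on a port interface.
if [ "${1:-}" = "apply" ]; then
    bridge_cmds br0 eth1 eth2 | sh -e
else
    bridge_cmds br0 eth1 eth2
fi
```

Run without arguments to see the plan, or with `apply` as root to configure the bridge; management traffic should stay on the separate admin interface, which is left out of the bridge on purpose.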