[OT] Re: Does iptables affect director's performance much?

To: dan@xxxxxxxxxxxxxx, <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: [OT] Re: Does iptables affect director's performance much?
From: Roberto Nibali <ratz@xxxxxxxxxxxx>
Date: Fri, 18 Nov 2005 00:13:40 +0100
Dan,

Portsentry only mitigates the problem, doesn't solve it. Also, it's not
something that should be implemented on the LVS. Also having a NIDS on
the director is a bit suboptimal, since an IDS should at best not be
detectable and should also be in read-only mode. Either put a second box
between the networks you need to sniff, preferably in bridge mode, or
modify your network cables by removing the TX part, so only receiving is
possible. Both suggestions don't work well with a director.

On the modifying-network-cables-for-IDS part:

http://www.snort.org/docs/tap/

While we're touching on this subject here, what kind of a NIDS do people
use inside an LVS setup, and how can it be implemented?  This is
interesting.

There's nothing special about LVS that would require a different approach to NIDS, so this is more a general question of how to deploy IDS; and this, I'm afraid, is subject to personal views. I don't know on which level you plan on deploying IDS, but a good starter is the Snort documentation corner, which can be found at:

http://www.snort.org/docs/

Especially interesting is the IDS load balancer. I've talked to Marty about load balancing traffic to multiple IDS nodes to share the load in 2001 I think, however I don't remember what our consensus was.

Other than that you'd have to be a bit more specific. I'd be glad to help, although I left the IDS field 2-3 years ago. One of the reasons is that with the Basel II and the Sarbanes-Oxley acts [1] you can barely allow yourself anymore to "lose" data, which in the sense of IDS translates to either "false positives" or "true negatives". Since the two items mentioned are a general issue of IDS systems, which require highly skilled personnel, other means to acquire the demanded level of security quality management have to be found, for example: reliable logging and monitoring, on top of a well-thought-out and implemented security policy.

[1] http://www.aicpa.org/sarbanes/index.asp

Best regards,
Roberto Nibali, ratz
--
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq'|dc
