regarding Back bone network

Mon Apr 7 23:37:30 PDT 2003

Hi,

I assume that these "specialists" are simply pointing out to the fact that if 
the network-based IDS system is using the very network it is monitoring (the 
"backbone network" ?) for its internal communication purposes, then it might 
be silenced or otherwise hindered by a skillful attacker...
Thus, if your budget allows it, it is way better to have a separate (secure) 
"control network". Your NIDS sensors are then connected in "read-only" 
sniffer mode to the operational network, while they communicate with each 
other or with the main IDS server through this control network. Please note 
that "active-response"  NIDS'es will require full read/write access to the 
operational network as well.
The regular network will just be whatever it happens to be, -- TCP/IP or 
other, -- but you're essentially free to decide what kind of control network 
you want to set up. A non-TCP/IP network might be harder to break in as the 
attacker might not be as familiar with it, but it would not be wise to 
simply rely on this ! A TCP/IP network will be much easier to set up and you 
won't have much trouble configuring your sensors for it.

Good luck,

Olivier.

On Tuesday 08 April 2003 06:44 am, Mayank-Bhatnagar wrote:
> hi all,
>
> Well this doubt is certainly not specific to any IDS but I just wanted to
> put it to our Bro community.
>
> In IDS scenario, we say that the sensors and main IDS server when deployed
> communicate with  each other. Now there is a special term known as
> "backbone network" about which specialists say that the IDS does not rely
> on the underlyting network, so that attackers cannot compromise upon the
> messages transferred by IDS syatem.
>
> What could be this back bone network.....it seems to be different from the
> normal TCP/IP...or is it same and a different technique used .....
>
> Can anyone throw some light on this topic?
>
> Thanks and regards,
>
> Mayank Bhatnagar
> National Centre for Software Technology,
> Bangalore, India.