Hub connected to Cable modem?

Dooling37

Senior member
Jun 7, 2000
488
0
0
Hi all,

Forgive me if this is a stupid question, but it's late (and I couldn't think of good search terms to find any previous answers to this question)...

Basically, I want to know if I can connect a hub (yes, a hub, *not* a switch) directly to my cable modem, with two systems attached to it.
I would like to have an old system with Snort IDS installed off one hub port, and my wireless router off another (with all other systems on the home network behind the wireless router). The idea being that the IDS will see & alert on ALL inbound & outbound traffic from/to Internet, before any filtering takes place, while all other systems are (somewhat) protected behind wireless router.

I initially assumed that this would not be possible because both the IDS and wireless router would try to obtain an IP address from the cable modem, and my ISP will not allow me to have two IPs (presumably). However, I remember reading in the past that a system can be set up without an IP address -- so the IDS could passively receive network traffic, but not be able to be directly communicated with. Would this resolve the issue of two systems each attempting to get an IP from the ISP?

Roughly:
ISP/Internet
|
Cable modem
|
Hub -- IDS (no IP)
|
Wireless router
| | | |
Internal systems

Any other issues? Is this possible at all?


Thanks greatly, in advance, for your help...
 

ScottMac

Moderator, Networking, Elite member
Mar 19, 2001
5,471
2
0
I'm pretty sure that would work.

The NIC has to support "promiscuous mode" (i.e., accept frames to MACs other than its own).

Also, the only place you'd see an alert is on this machine: since it doesn't have an address, it can't send or receive.

Keep in mind that hubs will all be 10Meg, half duplex, not a problem, but you may need to hard-code the IDS and router.

If you add an additional NIC to the IDS that connects behind the router/firewall, it could transmit the alerts to the LAN or other networks. Since it's connected behind the router/firewall, it would be as protected as any of the other machines on your network.

 

Dooling37

Senior member
Jun 7, 2000
488
0
0
Thank you for the response -- I'm hopeful it'll work.

I'm going with the hub setup off the cable modem rather than directly connecting an inline IDS system b/c I'm not confident enough (yet) that I can secure a machine against attacks without any filtering protection in front of it. It will be a bit inconvenient to only be able to view alerts on that physical system -- but I don't want to risk another connection from the IDS to my internal network, for security reasons. I'm thinking about trying to set up the IDS in a VM instance on the system (so it could easily be trashed / restarted if compromised), but I'm not sure if a VM ethernet instance could be set in promiscuous mode, without an IP address. Something to look into...

Originally posted by: ScottMac
Keep in mind that hubs will all be 10Meg, half duplex, not a problem, but you may need to hard-code the IDS and router.

Honestly I did kind of forget that the hub would be 10M, half duplex -- will this noticeably decrease my internet connection speed for internal hosts, do you think? I have 10Mbps d/l cable service.
Also, could you explain what you mean by 'hard-code the IDS and router'? Hard-code MACs? IPs? Where?


thanks much,
Bob
 

drebo

Diamond Member
Feb 24, 2006
7,034
1
81
You can get 10/100 hubs.

Honestly, you should look into a firewall that offers IDS rather than this solution.
 

Dooling37

Senior member
Jun 7, 2000
488
0
0
Originally posted by: drebo
You can get 10/100 hubs.

Honestly, you should look into a firewall that offers IDS rather than this solution.

Unfortunately the only hub I've found, anywhere, is a 10Mb hub from BB: 10Mb hub link

Also, my criteria for the IDS are, basically: (1) open source ruleset, (2) free or at least very cheap. I'm not aware of any FW-IDS solutions that match these criteria... please let me know if I'm missing any...

thanks,
Bob
 

Dooling37

Senior member
Jun 7, 2000
488
0
0
Originally posted by: drebo
Probably not what you want to pay, but it is what it is: http://www.newegg.com/Product/...x?Item=N82E16817111134

Also, must not be a very high-priority/important thing to run this IDS if you're crippling yourself like that. Is this a hobbyist endeavor?

Thanks for the link -- but yeah, I should've mentioned before that this is a hobbyist / educational endeavor, so cost is, unfortunately, very much a factor.

I'll probably test internet connection speeds before & after setting up the 10Mb hub off the cable modem, and abandon the plan if there's a noticeable decrease.. ; )
 

mcmilljb

Platinum Member
May 17, 2005
2,144
2
81
Originally posted by: drebo
Probably not what you want to pay, but it is what it is: http://www.newegg.com/Product/...x?Item=N82E16817111134

Also, must not be a very high-priority/important thing to run this IDS if you're crippling yourself like that. Is this a hobbyist endeavor?

How about enabling SPAN on a cheap, used Cisco 2950 - 12 port switch? It can be had easily for under $100 on ebay, and you get 10/100 switched.
 

Dooling37

Senior member
Jun 7, 2000
488
0
0
Originally posted by: mcmilljb

How about enabling SPAN on a cheap, used Cisco 2950 - 12 port switch? It can be had easily for under $100 on ebay, and you get 10/100 switched.

Great idea -- I'd never considered it because I've never enabled a SPAN port on a switch. Actually, I've never utilized any functionality on any managed switch. Are Cisco 2950s the lowest-end models (that still include SPAN capability)? Are they easy to configure? (I have very limited hands-on experience with Cisco products, and even that is with old school Pix, mostly GUI..)

I will definitely look into this. So much more to learn, but it seems like a very good option...
 

mcmilljb

Platinum Member
May 17, 2005
2,144
2
81
I don't know about the cheapest model that supports SPAN. You can read more about it here. I don't see a requirement for having an EI image, so the SI should support it.

*edit*
I take that back. I believe a 2900XL is cheaper.
 

drebo

Diamond Member
Feb 24, 2006
7,034
1
81
Right, but a common switch will not allow him to accomplish what he needs to do. By design, a switch filters traffic based on which switch port the destination host is connected to, and will only send the packet out that port. A hub, by design, always sends all packets out all ports, allowing him to capture them.
 

ScottMac

Moderator, Networking, Elite member
Mar 19, 2001
5,471
2
0
Originally posted by: Dooling37
Thank you for the response -- I'm hopeful it'll work.

I'm going with the hub setup off the cable modem rather than directly connecting an inline IDS system b/c I'm not confident enough (yet) that I can secure a machine against attacks without any filtering protection in front of it. It will be a bit inconvenient to only be able to view alerts on that physical system -- but I don't want to risk another connection from the IDS to my internal network, for security reasons. I'm thinking about trying to set up the IDS in a VM instance on the system (so it could easily be trashed / restarted if compromised), but I'm not sure if a VM ethernet instance could be set in promiscuous mode, without an IP address. Something to look into...

Originally posted by: ScottMac
Keep in mind that hubs will all be 10Meg, half duplex, not a problem, but you may need to hard-code the IDS and router.

Honestly I did kind of forget that the hub would be 10M, half duplex -- will this noticeably decrease my internet connection speed for internal hosts, do you think? I have 10Mbps d/l cable service.
Also, could you explain what you mean by 'hard-code the IDS and router'? Hard-code MACs? IPs? Where?


thanks much,
Bob


Instead of letting the hub / router / NIC automatically determine the speed & duplex, manually change the settings to ensure they are set properly. Hubs happened before things like auto-speed and auto-duplex, and depending on the (jillions of) various combinations, "auto speed|duplex" (probably) may not work. Hard set the speed and duplex for each interface.

You may also want to research a little relating to performance levels of the various software. It's not uncommon for an IDS to restrict packet flow (bottleneck) because of deep packet inspection. For the (Much Much) more expensive IDS systems, a lot of it is handled in hardware and purpose-built systems (Hardware, Firmware, software). Adapted PCs and other software-based IDS are not well-optimized (i.e., how can you optimize with all of the possible configurations?).

Since this is just for your education, it's probably not a big deal, but you should be aware of the performance impact, especially in a pass-through system.


DREBO: 10/100 hubs suck so bad that saying they suck is an insult to hubs & switches that merely suck. The buffering that must occur between the 100->10 interfaces really jacks up things like head-of-the-line, broadcasts & multicasts. They had a place in the biz, for about six months about ten years ago ... otherwise, they might make decent wheel chocks for vehicles with really small tires; they are useless for anything that would require them to be powered on.


Good Luck
Scott
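As an added example (not from this thread or any of its posters), here is a small Linux shell script that does what ScottMac's two replies describe: it turns a NIC into a passive Snort tap on the hub, with no IP address, ARP replies off, promiscuous mode on, and speed/duplex hard-set to the hub's 10 Mbit half duplex. It assumes the tap NIC is eth1 and a Snort 2.x config at /etc/snort/snort.conf (both assumptions); IPv6 is disabled as well, since Linux would otherwise give the interface a link-local address and transmit on it.

```shell
#!/bin/sh
# Added example, not code from the thread. Prepares a Linux NIC as a
# silent IDS tap: listens to everything on the hub, never transmits.
# Assumptions: tap interface "eth1", Snort 2.x config at
# /etc/snort/snort.conf. Set DRY_RUN=1 to print commands instead of
# running them (all of these need root on a real system).

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Make the interface passive and match the hub's link settings.
tap_iface_commands() {
    iface=$1
    run ip link set dev "$iface" down
    run ip addr flush dev "$iface"                            # no IPv4 address
    run sysctl -q -w "net.ipv6.conf.$iface.disable_ipv6=1"    # no link-local IPv6
    run ip link set dev "$iface" arp off                      # never answer ARP
    run ip link set dev "$iface" promisc on                   # accept all frames
    run ethtool -s "$iface" speed 10 duplex half autoneg off  # hard-set to the hub
    run ip link set dev "$iface" up
}

# Start Snort bound to the tap, with fast alerts logged locally only
# (the box has no address, so alerts are only readable on the box itself).
start_snort() {
    iface=$1
    run snort -i "$iface" -c /etc/snort/snort.conf -A fast -l /var/log/snort -D
}

# Number of commands the setup issues, computed from a dry run.
tap_command_count() {
    ( DRY_RUN=1; tap_iface_commands "$1" ) | wc -l | tr -d ' '
}

# Usage on a real system (as root): tap_iface_commands eth1 && start_snort eth1
```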
 

Dooling37

Senior member
Jun 7, 2000
488
0
0
Originally posted by: ScottMac

Instead of letting the hub / router / NIC automatically determine the speed & duplex, manually change the settings to ensure they set properly. Hubs happened before things like auto-speed and auto-duplex, and depending on the (jillions of) various combinations, "auto speed|duplex" (probably) may not work. Hard set the speed and duplex for each interface.

Thanks again for all of the feedback. I'll look into hard-coding speed & duplex info for interfaces, as needed.


cheers,
Bob
 