Hi Trav,

Put this together a while back to detail how to do this with a number of vendor switches:
http://www.securitywizardry.com/switch.htm

The advent of switched networks resulted in Network IDS having great difficulty in promiscuously monitoring their networks. This was overcome by configuring a switch to replicate the data from all ports or VLANs onto a single port. This function has a multitude of names, including: Port Mirroring, Monitoring Port, Spanning Port, SPAN port and Link Mode port.

Generally, Port Mirroring usually indicates the ability to copy the traffic from a single port to a mirror port but disallows any type of bidirectional traffic on the port. Spanning Port usually indicates the ability to copy traffic from all the ports to a single port but also typically disallows bidirectional traffic on the port. In the case of Cisco, SPAN stands for Switch Port ANalyzer.

Some switches do not allow SPAN ports to transmit packets; this is an issue if you wish to use IDS TCP countermeasures such as resets.

It may also be worth looking at Network Taps, which allow you to tap into a network, taking a parallel feed for the Network IDS.

Regards
Andy Cuff
Managing Director / CEO
Computer Network Defence Ltd
www.SecurityWizardry.com
Tel 0870 321 9014
Mob 0701 070 9014
International +44 1225 811777

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: 08 February 2007 18:04
> To: [email protected]
> Subject: IPS and Trunking
>
> Cisco has a great feature where I can configure all traffic
> on a switch to go to a trunk port, plug in the IPS/IDS to the
> trunk port and see all traffic. Can other vendors, such as
> Sourcefire, TippingPoint, ISS do this?
>
> Thanks,
>
> --------------------------------------------------------------
> ----------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world
> attacks from CORE IMPACT.
> Go to
> http://www.coresecurity.com/index.php5?module=Form&action=impa
> ct&campaign=intro_sfw
> to learn more.
> --------------------------------------------------------------
> ----------
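
The visibility problem described in the reply above can be checked from the sensor side. This is an added example, not part of the original message: it classifies frames seen on the IDS interface to tell a working mirror/SPAN feed from an ordinary switch port. The function names, MAC addresses and sample frames are all constructed for illustration.

```python
from collections import namedtuple

Frame = namedtuple("Frame", "src_mac dst_mac")

def is_group_address(mac):
    # Broadcast and multicast MACs have the low bit of the first octet set.
    return int(mac.split(":")[0], 16) & 1 == 1

def mirror_report(frames, sensor_mac):
    """Report whether unicast traffic between *other* hosts reaches the sensor.

    An ordinary switch port only delivers flooded frames and frames addressed
    to the attached NIC; a mirror port also delivers transit unicast.
    """
    sensor_mac = sensor_mac.lower()
    counts = {"flooded": 0, "own": 0, "transit": 0}
    seen, both_ways = set(), set()
    for f in frames:
        src, dst = f.src_mac.lower(), f.dst_mac.lower()
        if is_group_address(dst):
            counts["flooded"] += 1
        elif sensor_mac in (src, dst):
            counts["own"] += 1
        else:
            counts["transit"] += 1
            seen.add((src, dst))
            if (dst, src) in seen:
                both_ways.add(frozenset((src, dst)))
    # A few transit frames can be unknown-unicast floods, so pairs seen in
    # both directions are the stronger sign that mirroring is in effect.
    return {"counts": counts,
            "mirroring_seen": counts["transit"] > 0,
            "bidirectional_pairs": len(both_ways)}

# Constructed sample data (not captured from a real network).
SENSOR = "00:11:22:33:44:55"
A, B, C = "00:aa:00:00:00:01", "00:aa:00:00:00:02", "00:aa:00:00:00:03"
UNMIRRORED = [Frame(A, "ff:ff:ff:ff:ff:ff"),   # ARP-style broadcast
              Frame(B, "01:00:5e:00:00:fb"),   # multicast
              Frame(A, SENSOR)]                # traffic to the sensor itself
MIRRORED = UNMIRRORED + [Frame(A, B), Frame(B, A), Frame(A, C)]

if __name__ == "__main__":
    print("unmirrored:", mirror_report(UNMIRRORED, SENSOR))
    print("mirrored:  ", mirror_report(MIRRORED, SENSOR))
```

A result with transit frames but zero bidirectional pairs suggests the mirror is copying only one direction of traffic.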
