We're looking into TippingPoint, and they stated that sometime in March they will be releasing an update that will allow separate policies per VLAN. If connected to a trunk port, you'd be able to apply a separate policy for each VLAN passing through the device.

I think the original question relates to the Cisco IPS' ability to route 802.1Q traffic, so logically, the IPS is in-line as opposed to listening on a mirror port.

Here's a link to more info on the subject:
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_example09186a0080671a8d.shtml

I would also be interested in hearing more on this topic.

Andy Michaelson, CISSP, SnortCP
Sr. Security Analyst
Pinellas County Government

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Hines
Sent: Thursday, February 08, 2007 6:00 PM
To: Andrew Plato
Cc: [EMAIL PROTECTED]; [email protected]
Subject: Re: IPS and Trunking

Trav_2:

You're talking about two separate things.

1) Cisco is a switch and you're talking about a mirror/span port. Though, network taps > Span ports :)

2) It's not the IDS/IPS that is performing that capability, it's the switch. So it's inaccurate to ask if the IDS/IPS vendors you mentioned can do the same thing. A span port doesn't care what's hooked up to it, whether it's Snort or a sniffer.

Hope this helps.

Best Regards,

Eric Hines, GCIA, CISSP
CEO, President
Applied Watch Technologies, LLC
1095 Pingree Road
Suite 221
Crystal Lake, IL 60014
Toll Free: (877) 262-7593
Fax: (847) 854-5106
Cell: (847) 456-6785
Web: www.appliedwatch.com

Andrew Plato wrote:
> If you create a mirror port and plug in any IPS/IDS, it will see the
> traffic. TippingPoint, ISS, etc. All can do that.
>
> Also, pretty much any decent managed switch can have mirror ports.
> This is not unique to Cisco.
>
> Keep in mind, you cannot do real-time IPS (intrusion prevention) in
> any reliable manner this way. You have to be IN-LINE to do real-time
> blocking and filtering. Passive monitoring off a mirror port only
> allows you to send RSTs to stop stuff, and that is not a very reliable
> way to block bad stuff.
>
> ___________________________________
> Andrew Plato, CISSP, CISM
> President/Principal Consultant
> Anitian Enterprise Security
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
> On Behalf Of [EMAIL PROTECTED]
> Sent: Monday, February 05, 2007 10:44 AM
> To: [email protected]
> Subject: IPS and Trunking
>
> Cisco has a great feature where I can configure all traffic on a
> switch to go to a trunk port, plug in the IPS/IDS to the trunk port
> and see all traffic. Can other vendors, such as Sourcefire,
> TippingPoint, ISS do this?
>
> Thanks,
