TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED]  Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------


Gentlemen,

Has anyone tried using a tap in-line and running the analyzer ports out to
a switch?  Than have the switch mirror the ports to get 100mb FD?
Just an idea.

Al Wever





"Luff, Darryl" <[EMAIL PROTECTED]>@iss.net on 12/13/99 10:38:59 PM

Sent by:  [EMAIL PROTECTED]


To:   "Bridge, Jim" <[EMAIL PROTECTED]>
cc:   [EMAIL PROTECTED]

Subject:  RE: Switched network






Ethernet hubs operate as repeaters: they copy traffic as it is received with
only a tiny delay (less than 1uS). Switches need to read past the 64-bit
preamble, then buffer at least the 48-bit destination MAC address before
they can start forwarding the packet (112bits = around 11uS at 10M). The
throughput is the same, but the transit delay is less with repeaters.
Anyway, it's not enough to make much difference. I was just saying that you
don't need to automatically discount using a hub, they can be used as long
as you look at how the traffic is flowing. The main disadvantage of
inserting a hub if the link is busy is the loss of full-duplex operation.

Darryl.

> -----Original Message-----
> From:   Bridge, Jim [SMTP:[EMAIL PROTECTED]]
> Sent:   Saturday, December 11, 1999 6:59 AM
> To:     'Luff, Darryl'; [EMAIL PROTECTED]
> Cc:     [EMAIL PROTECTED]
> Subject:     RE: Switched network
>
>
>
> You are mixing terminology here. Ethernet? Token Ring? or any other? A Hub
> (what speed) is not "faster" than a Switch (what speed), unless the hub is
> 100 and has only one device connected to the backbone, and the switch is a
> 10bT device.
>
> Jim
>
> -----Original Message-----
> From: Luff, Darryl [mailto:[EMAIL PROTECTED]]
> Sent: Monday, December 06, 1999 10:58 PM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: RE: Switched network
>
>
>
>
> A hub isn't necessarily bad, it depends where the traffic's going. The hub
> actually forwards packets faster than a switch (less latency). The switch
> gets its performance by allowing multiple conversations to carry on in
> parallel.
>
> If you're monitoring a point-to-point link between a firewall and a switch,
> inserting a hub won't make much difference to performance. The traffic is
> the same (barring traffic generated by the monitor itself, which is
> hopefully fairly light).
>
> Even on something like a DMZ with multiple servers, where practically all
> traffic is between the firewall port and one or the other of the servers, a
> switch doesn't help performance much because all traffic is still queued up
> for the single port the firewall is connected to. In this case replacing the
> switch with a hub shouldn't make much difference - only one machine can talk
> to the firewall at a time anyway.
>
> Where switches do work well is on segments with multiple hosts, where
> traffic flows in a mesh between many pairs of hosts. Here the switch is
> providing a big performance improvement by isolating conversations between
> different pairs of hosts. Replacing this switch with a hub would increase
> the utilisation on the segment, and so probably cause increased collisions
> and poor performance.
>
> Darryl
>
> > -----Original Message-----
> > From: Ray Honeycutt (HCS) [SMTP:[EMAIL PROTECTED]]
> > Sent: Saturday, December 04, 1999 8:47 AM
> > To:   [EMAIL PROTECTED]
> > Cc:   [EMAIL PROTECTED]
> > Subject:   Re: Switched network
> >
> >
> >
> > I assume you would not recommend using a hub for performance reasons?? If
> > we use the network tap approach, do you know of particular hardware
> > vendors that are recommended?
> >
> > Brian Laing wrote:
> >
> > >
> > > Istvan,
> > >
> > >         To implement IDS into a switched environment careful attention
> > > needs to be spent examining the flow of traffic, and once that is known
> > > more time spent on how much of that traffic you wish to see.  Once you
> > > know that, where to place the IDS is much simpler.
> > >         The main target points for monitoring in a switched environment
> > > are between switches, routers and individual machines. You can use any
> > > of the following methods to monitor these connections.  If your switch
> > > supports mirroring or spanning of ports you can copy the traffic from
> > > the target port to your IDS on another port.  Another solution is the
> > > use of network taps.  A tap is a hardware device that can be inserted
> > > between two connections, and copy the traffic off to your IDS.  You
> > > could also use a Hub instead of a tap in some solutions but I would not
> > > recommend it.
> > >
> > > Brian
> >
> > --------------------------------------------------------
> > Ray Honeycutt                      919.779.3055 Voice
> > President                          919.779.3464 Fax
> > HCS Systems Inc.                 www.hcssystems.com
> > 4470 Zacks Mill Rd.              [EMAIL PROTECTED]
> > Angier NC 27501, USA
> >
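The thread above argues about hub latency versus switch latency and about which monitoring method (hub, tap, or mirror/SPAN port) can see a full-duplex link. The following is an added worked model written for this page, not code from any of the posters; it uses Darryl's 64-bit preamble plus 48-bit destination MAC figure for cut-through forwarding, and it assumes a 1518-byte maximum frame for the store-and-forward case.

```python
# Constructed model of the monitoring options discussed in the thread:
# switch forwarding delay, and whether a hub, a tap or a mirror (SPAN) port
# can carry the traffic of a full-duplex link without dropping frames.
from dataclasses import dataclass

PREAMBLE_BITS = 64   # preamble + start-of-frame delimiter (Darryl's figure)
DST_MAC_BITS = 48    # destination address a switch must buffer before forwarding


def cut_through_delay_us(link_mbps: float) -> float:
    """Minimum delay of a cut-through switch: it must receive the preamble and
    the destination MAC (112 bits) before it can begin forwarding.
    bits / (Mbit/s) gives microseconds, so 112 bits at 10 Mb/s = 11.2 us."""
    return (PREAMBLE_BITS + DST_MAC_BITS) / link_mbps


def store_and_forward_delay_us(link_mbps: float, frame_bytes: int = 1518) -> float:
    """A store-and-forward switch buffers the whole frame first (assumed
    1518-byte maximum Ethernet frame), so the delay scales with frame size."""
    return (PREAMBLE_BITS + frame_bytes * 8) / link_mbps


@dataclass
class MonitorPlan:
    method: str             # "hub", "tap" or "span"
    link_mbps: float        # speed of the monitored link
    tx_mbps: float          # offered load in one direction
    rx_mbps: float          # offered load in the other direction
    analyzer_ports: int = 1 # receive interfaces on the IDS


def can_capture_without_loss(plan: MonitorPlan) -> bool:
    """True when the monitoring method has enough capacity for tx + rx."""
    total = plan.tx_mbps + plan.rx_mbps
    if plan.method == "hub":
        # A hub forces half duplex: both directions plus the monitor share
        # one collision domain, so the sum must fit in a single link's rate.
        return total <= plan.link_mbps
    if plan.method == "tap":
        # A tap delivers each direction on its own output. With two analyzer
        # ports each direction gets a full link's capacity; with one port the
        # two outputs are merged (e.g. via a switch mirror) and share it.
        if plan.analyzer_ports >= 2:
            return max(plan.tx_mbps, plan.rx_mbps) <= plan.link_mbps
        return total <= plan.link_mbps
    if plan.method == "span":
        # A mirror port sends both directions of a full-duplex link down the
        # single transmit side of one port: it oversubscribes past the rate.
        return total <= plan.link_mbps
    raise ValueError(f"unknown method {plan.method!r}")
```

The "tap" case with one analyzer port also covers Al's suggestion of feeding a tap's two outputs into a switch and mirroring them to one port: the mirror port still has only one transmit direction, so a busy full-duplex 100 Mb link can exceed it.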


