TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
I recommend that you consider using the Intel PRO/100
(or Pro/1000) Server Adapters in what they call
"teaming" mode. This will let you aggregate the
traffic from both taps into one stream as seen by
RealSecure. You can team up to 4 adapters (two
bidirectional sources).
Another approach is to use the advanced spanning
capabilities of many layer 2 ethernet switches.
Gary
> -----Original Message-----
> From: Fransen, F. [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, August 02, 2000 2:15 AM
> To: '[EMAIL PROTECTED]'
> Subject: Q: RealSecure and ethernet tap
>
> Hello,
>
> We are going to use Real Secure Network Sensor in combination with an
> ethernet tap-box. Such a device has two output interfaces. See figure. The
> output C gives a copy of the traffic that flows from the switch to the
> router (C = traffic B->C) and output D gives a copy of the traffic flowing
> from the router to the switch (so D = A->B).
>
>                    --------------
>                 A  |  Ethernet  |  B
> Router ------------|    Tap     |---------- switch
>                    |    Box     |
>                ----|            |----
>                |C  --------------   |D = traffic from A to B (inbound traffic)
>                |                    |
>                                     \/
>                                   to IDS
>
> If we hook up Real Secure to one output (D) of the Tap, we can only monitor
> the inbound traffic. Since Real Secure only sees packets going into the
> network certain attacks can't be detected. I know of the following three
> attacks: unanswered ARPs, IPduplicate and Synflood.
> Are there any other attacks that won't be detected?
>
> Thanks,
>
> Frank
>
> P.S. I am familiar with the option to combine output C and D with a VLAN
> switch.
>
>
>
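An added example, not part of either message above: it shows why an unanswered-ARP check needs both tap outputs merged into one time-ordered stream, which is what the teaming or VLAN-switch aggregation provides to the sensor. The record format, addresses, timeout and function names are assumptions made for illustration and are not RealSecure's own logic.

```python
import heapq

# Constructed sample records: (timestamp_s, kind, sender_ip, target_ip).
# TAP_D = output D (router -> switch), TAP_C = output C (switch -> router).
TAP_D = [
    (0.10, "arp-request", "10.0.0.1", "10.0.0.20"),
    (0.50, "arp-request", "10.0.0.1", "10.0.0.99"),
    (5.00, "arp-request", "10.0.0.1", "10.0.0.21"),
]
TAP_C = [
    (0.12, "arp-reply", "10.0.0.20", "10.0.0.1"),
    (5.01, "arp-reply", "10.0.0.21", "10.0.0.1"),
]


def merge_taps(*streams):
    """Interleave per-direction streams (each already time-sorted) into one."""
    return list(heapq.merge(*streams))


def unanswered_arps(frames, timeout=1.0):
    """Return (requester, target) pairs whose request saw no reply in `timeout` s."""
    pending = {}      # (requester, target) -> timestamp of first request
    unanswered = []
    for ts, kind, sender, target in frames:
        # Expire requests that have waited longer than the timeout.
        for key, asked_at in list(pending.items()):
            if ts - asked_at > timeout:
                unanswered.append(key)
                del pending[key]
        if kind == "arp-request":
            pending.setdefault((sender, target), ts)
        elif kind == "arp-reply":
            # A reply travels the opposite way: its sender is the request's target.
            pending.pop((target, sender), None)
    # Anything still pending when the capture ends is reported as unanswered.
    unanswered.extend(pending)
    return unanswered


if __name__ == "__main__":
    print("both outputs:", unanswered_arps(merge_taps(TAP_C, TAP_D)))
    print("output D only:", unanswered_arps(TAP_D))
```

With both outputs merged, only the request for 10.0.0.99 is reported; with output D alone every request looks unanswered, so the check carries no signal.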