
The problems with port mirroring I was referring to are primarily:
1. The switch will constrain all traffic bound for your monitored port (probably your
DMZ or internal network) by the speed of your "monitoring" device (i.e. the RS engine).
This is the problem Brian Laing has noted, and was discussed on this list about 1 year
ago. It is primarily a problem for networks with very heavy traffic, or with relatively
slower monitoring devices that can't take the traffic at the same speed as the monitored
devices/networks. I have seen some promiscuous mode analyzers drop frames when they
were overloaded.

2. Your switch will likely transform some bad packets when they come in the monitored
port and go out the monitoring port. For example, I have seen bad frames come in on a
given port, but the switch cleaned them so they appeared "good" when they went out
through the mirrored port to the analyzer. This is primarily an issue when you're doing
network troubleshooting, but conceptually could apply to security attacks as well (DoS
attacks?).

I'm not saying that port mirroring is an invalid technique, but because of these issues,
we prefer to use network taps, like Shomiti's.
--------------------------------------------------
Ray Honeycutt                      919.779.3055 Voice
President                          919.779.3464 Fax
HCS Systems Inc.                 www.hcssystems.com
Suite E                          [EMAIL PROTECTED]
1428 Aversboro Rd.
Garner NC 27529, USA
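The two problems described above can each be checked before a sensor is deployed. The following is an added example, not code from the original post or from any vendor mentioned in it. The first part models the oversubscription in point 1: a full-duplex source port mirrored in both directions can offer up to twice its link rate to a SPAN destination of the same speed, and the switch (or the analyzer behind it) must drop whatever does not fit. The rate model is a simple steady-state one that ignores switch buffering. The second part addresses point 2: it validates the trailing Ethernet FCS (CRC-32, transmitted least-significant byte first) so you can tell whether your capture path still delivers damaged frames or has "cleaned" them. It assumes the capture keeps the FCS, which most NICs strip by default; the frame bytes are constructed here for illustration.

```python
import binascii
from dataclasses import dataclass
from typing import Dict, List

MBPS = 1_000_000


@dataclass
class SourcePort:
    """A switch port whose traffic is mirrored to the SPAN destination."""
    name: str
    link_bps: int          # link speed of the monitored port
    rx_util: float         # fraction of link_bps arriving on the port
    tx_util: float         # fraction of link_bps leaving the port
    directions: str = "both"   # which directions are mirrored: "rx", "tx" or "both"


def mirrored_bps(sources: List[SourcePort]) -> float:
    """Aggregate rate the switch must copy to the monitoring port."""
    total = 0.0
    for p in sources:
        if p.directions in ("rx", "both"):
            total += p.link_bps * p.rx_util
        if p.directions in ("tx", "both"):
            total += p.link_bps * p.tx_util
    return total


def span_oversubscription(sources: List[SourcePort], dest_link_bps: int) -> Dict[str, float]:
    """Compare offered mirror traffic with the destination link.

    drop_fraction is the share of mirrored traffic that cannot fit on the
    destination link in steady state (buffering ignored). Anything above 0
    means the analyzer is blind to part of the traffic it is supposed to see.
    """
    offered = mirrored_bps(sources)
    ratio = offered / dest_link_bps
    drop_fraction = max(0.0, 1.0 - dest_link_bps / offered) if offered else 0.0
    return {"offered_bps": offered, "ratio": ratio, "drop_fraction": drop_fraction}


def append_fcs(body: bytes) -> bytes:
    """Append the IEEE 802.3 FCS (CRC-32, little-endian on the wire) to a frame body."""
    return body + (binascii.crc32(body) & 0xFFFFFFFF).to_bytes(4, "little")


def fcs_ok(frame_with_fcs: bytes) -> bool:
    """True if the trailing 4 bytes match the CRC-32 of the rest of the frame."""
    if len(frame_with_fcs) < 4:
        return False
    body, fcs = frame_with_fcs[:-4], frame_with_fcs[-4:]
    return (binascii.crc32(body) & 0xFFFFFFFF) == int.from_bytes(fcs, "little")


def bad_fcs_frames(frames: List[bytes]) -> List[int]:
    """Indices of frames whose FCS fails. A tap feed should show these; a SPAN
    feed that has silently repaired or dropped them returns an empty list."""
    return [i for i, f in enumerate(frames) if not fcs_ok(f)]


# Constructed sample frame: broadcast dst, made-up src, IPv4 ethertype, 60-byte payload.
SAMPLE_BODY = bytes.fromhex("ffffffffffff" "001122334455" "0800") + b"\x45" + b"\x00" * 59
GOOD_FRAME = append_fcs(SAMPLE_BODY)
# Same frame with one payload byte flipped after the FCS was computed.
CORRUPT_FRAME = GOOD_FRAME[:20] + b"\xff" + GOOD_FRAME[21:]


if __name__ == "__main__":
    # One 100 Mbps full-duplex port, 70% busy each way, mirrored both ways
    # into a 100 Mbps SPAN port: 140 Mbps offered, about 29% cannot be delivered.
    result = span_oversubscription(
        [SourcePort("dmz-uplink", 100 * MBPS, 0.7, 0.7)], 100 * MBPS)
    print(f"offered={result['offered_bps'] / MBPS:.0f} Mbps "
          f"ratio={result['ratio']:.2f} drop={result['drop_fraction']:.1%}")
    print("bad FCS at indices:", bad_fcs_frames([GOOD_FRAME, CORRUPT_FRAME]))
```

The oversubscription check is worth running per SPAN session: mirroring several busy ports, or both directions of one, onto a single destination of the same speed is the common way to end up with the silent loss described in point 1. The FCS check only tells you something if the capture interface preserves the FCS; on a commodity NIC the hardware normally strips it, so a tap plus a capture card or driver that keeps the FCS is what makes point 2 observable at all.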