If the Internet connection was not carrier grade, i.e. <= 100Mbit, why not use a hub or just a crossover cable plus a tap? No mirroring required, no overrun issues etc.

The same goes for the firewall inside interface(s), those connecting to the DMZ. Unless you plan on mirroring all DMZ ports, you wouldn't see intra-DMZ traffic anyway.

-----Original Message-----
From: Kinnee, Erick [mailto:kinneee@;ci.fort-worth.tx.us]
Sent: 14 November 2002 18:51
To: as dsf
Cc: [EMAIL PROTECTED]
Subject: RE: [ISSForum] Basic IDS Deployment Questions

The setup that I chose when faced with almost this EXACT layout was: put a switch between FW and Router. Mirror the router port, put the IDS in stealth mode on that port. Since you are mirroring the router port you can see everything that comes and goes on the Internet.

Later on I will be placing another sensor in the DMZ, with a mirrored port for the FW. You can then tune to look at things originating from the DMZ or some such.

Erick Kinnee
Network Engineer
City of Fort Worth, Texas
Desk 817.871.6839
Cell 817.929.0995

-----Original Message-----
From: Rowton, Mitchell [mailto:Mitchell.Rowton@;mail.drms.dla.mil]
Sent: Wednesday, November 13, 2002 10:51 AM
To: 'as dsf'
Cc: '[EMAIL PROTECTED]'
Subject: RE: [ISSForum] Basic IDS Deployment Questions

A bit of input for one part of your question...
If you mirror every port in the switch then you can monitor traffic to and from internal machines; if you only mirror the firewall port then you will only monitor the traffic leaving the network (to its default GW).

-----Original Message-----
From: as dsf [mailto:xpidissii@;yahoo.com]
Sent: Wednesday, November 13, 2002 9:11 AM
To: [EMAIL PROTECTED]
Subject: [ISSForum] Basic IDS Deployment Questions

It happens that I am currently discussing an implementation where I have a basic deployment of Checkpoint Fw-1:

         (Internet)
             +
           Router
             +
          Firewall
             +
       +- - - - +- - - - -+
       +                  +
 (TrustedZone-Switch)  (DMZ-Switch)

There's a firewall interface in every zone, that is, in every switch dedicated to each security zone. Each of the switches is a Gigabit switch, with servers connected to them with gigabit NICs. The IDS implementation involves configuring an IDS Network Sensor in every zone (Tz, Dmz, Public Zone).

Questions:

1. Mirroring: Is it enough to mirror the Firewall Interface on the Network Sensor for each zone, or all of the ports in a given switch? For instance, for a DMZ switch with 10 servers connected to it, should I mirror only the firewall interface to the DMZ network sensor, or should I mirror all the 10 ports to it? Obviously, every server has one of the firewall interfaces as its default gateway.

2. What if I set up the network sensor with a 100 Full Duplex interface, is there any great chance the network sensor drops a huge amount of packets? Has anyone estimated this loss of capture by a network sensor?

JaimeO.
_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo
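A worked model of the two mirroring choices raised in this thread (firewall port only versus all ten DMZ ports) and of the 100 Mbit sensor question, added here as an example and not code from the list or from ISS. It assumes a constructed set of DMZ flows and a switch that copies each mirrored frame once; the port names "fw" and "srv1".."srv10" are constructed labels.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str     # switch port name of the sender
    dst: str     # switch port name of the receiver
    mbps: float  # one-direction offered load (constructed sample value)


# Constructed sample load on the DMZ switch: "fw" is the firewall's DMZ
# interface, "srv1".."srv10" the ten gigabit-attached servers.
SAMPLE_FLOWS = [
    Flow("fw", "srv1", 40.0),     # Internet clients -> web server, via firewall
    Flow("srv1", "fw", 60.0),     # web server replies
    Flow("fw", "srv2", 20.0),
    Flow("srv2", "fw", 30.0),
    Flow("srv3", "srv4", 150.0),  # intra-DMZ: app server <-> database
    Flow("srv4", "srv3", 300.0),  # never crosses the firewall interface
]
ALL_DMZ_PORTS = {"fw"} | {f"srv{i}" for i in range(1, 11)}


def span_report(flows, mirrored_ports, sensor_link_mbps):
    """Model a SPAN session mirroring `mirrored_ports` (both directions) onto
    one sensor port. Assumes the switch copies each frame once even when both
    endpoints are mirrored. Every copy leaves the switch in the same direction,
    so a full-duplex sensor link still offers only `sensor_link_mbps` of
    capacity for mirrored traffic; anything above that is dropped."""
    seen = [f for f in flows if f.src in mirrored_ports or f.dst in mirrored_ports]
    missed = [f for f in flows if f not in seen]
    copied = sum(f.mbps for f in seen)
    drop = 0.0 if copied <= sensor_link_mbps else 1.0 - sensor_link_mbps / copied
    return {
        "visible_flows": len(seen),
        "missed_flows": len(missed),   # intra-zone traffic the sensor never sees
        "mirrored_mbps": copied,
        "drop_fraction": drop,         # share of mirrored frames lost to oversubscription
    }


if __name__ == "__main__":
    for label, ports in (("firewall port only", {"fw"}), ("all DMZ ports", ALL_DMZ_PORTS)):
        for link in (100, 1000):
            print(f"{label:18s} sensor@{link:4d}Mb: {span_report(SAMPLE_FLOWS, ports, link)}")
```

With the sample load, mirroring only the firewall port misses both intra-DMZ flows and still oversubscribes a 100 Mbit sensor port by half; mirroring every port sees everything but needs a gigabit sensor link.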
