You make a good point about the utilization. It just occurred to me that it
may be preferable to overload a sensor by feeding it too many packets,
rather than dropping packets in a switch somewhere because aggregate
bandwidth exceeds the sensor port.

That way, at least you can tell from the sensor if it is keeling over and
you are losing packets. If the infrastructure was silently dropping packets
you'd probably only know or infer overload from periodic samples.


-----Original Message-----
From: Birol Ertekin [mailto:birol@etcnetworks.com]
Sent: 14 November 2002 16:28
To: Rowton, Mitchell; as dsf
Cc: [EMAIL PROTECTED]
Subject: RE: [ISSForum] Basic IDS Deployment Questions


It all depends on your network utilization.
Even if you connected the servers to Gigabit ports, that does not mean they work at
Gigabit speed; you have to find out the utilization.
If all ports are running over 100 mbps, even if you have the Gigabit Sensor,
it will drop some of the packets. Then the best way for this scenario is to
mirror only the firewall port, or to use network taps.

If all ports are running a few mbps not exceeding 10 mbps, or the network
overall utilization is at most 67-70 mbps at a time (which is pretty normal,
as most organizations' bottleneck is the internet connection - if the
servers in the DMZ are not utilized by internal users), then you can mirror
all the ports even with a 100 mbps IDS.

Mirroring all ports will enable you to monitor internal traffic on that
network, but for all the attacks in and out of that network you'll see the
attack twice in the IDS logs, as you mirror both the server and the firewall.
The log database will fill up twice as fast as when just monitoring the
firewall, as most of the attacks will be in and out of that network.


Birol Ertekin
Network Security Engineer,
/etc/networks inc.
-----Original Message-----
From: Rowton, Mitchell [mailto:Mitchell.Rowton@mail.drms.dla.mil]
Sent: Wednesday, November 13, 2002 8:51 AM
To: 'as dsf'
Cc: '[EMAIL PROTECTED]'
Subject: RE: [ISSForum] Basic IDS Deployment Questions


a bit of input for one part of your question...

If you mirror every port in the switch then you can monitor traffic to and
from internal machines; if you only mirror the firewall port then you will
only monitor the traffic leaving the network (to its default GW).

-----Original Message-----
From: as dsf [mailto:xpidissii@yahoo.com]
Sent: Wednesday, November 13, 2002 9:11 AM
To: [EMAIL PROTECTED]
Subject: [ISSForum] Basic IDS Deployment Questions


It happens that I am currently discussing an
implementation where I have a basic deployment of
Checkpoint Fw-1:

           
                     (Internet)
                          +
                        Router
                          + 
                     Firewall
                          + 
                + - - - - +- - - - -+
                +                   +
(TrustedZone-Switch)          (DMZ-Switch)
There's a firewall interface in every zone, that is, in
every switch dedicated to each security zone. Each of
the switches is a Gigabit switch, with servers
connected to them with gigabit NICs. IDS implementation
involves configuring an IDS Network Sensor in every
zone (Tz, Dmz, Public Zone).

Questions:

1. Mirroring: Is it enough to mirror the Firewall
Interface on the Network Sensor for each zone, or all of
the ports in a given switch? For instance, for a DMZ
switch with 10 servers connected to it, should I mirror
only the firewall interface to the DMZ network sensor, or
should I mirror all 10 ports to it? Obviously, every
server has one of the firewall interfaces as its default
gateway.

2. What if I set up the network sensor with a 100 Full
Duplex interface? Is there any great chance the network
sensor drops a huge amount of packets? Has anyone
estimated this loss of capture by a network sensor?

JaimeO.

_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo
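The capacity question running through the thread (will mirroring every server port plus the firewall port into one 100 Mbps sensor NIC oversubscribe it, and how much duplicate visibility does that buy) can be checked with a small model. This is an added example, not code from any poster; the port names, utilization figures and the 70% warning threshold are constructed assumptions, and it models a DMZ like the one in the original question.

```python
"""Capacity check for mirror/SPAN-based IDS sensor placement.

Added example, not code from the thread. Models the DMZ in the question:
N server ports plus one firewall port on a Gigabit switch, one sensor NIC.
All traffic figures below are constructed sample values, not measurements.
"""
from dataclasses import dataclass


@dataclass
class ServerPort:
    name: str
    external_mbps: float  # both directions, to/from the firewall interface
    internal_mbps: float  # both directions, to/from other hosts on the switch


def firewall_port_mbps(servers):
    """Everything leaving or entering the zone crosses the firewall port."""
    return sum(s.external_mbps for s in servers)


def mirrored_load_mbps(servers, mirror_firewall, mirror_servers):
    """Traffic the sensor NIC must absorb. A mirror copies both directions
    of every source port, so a flow between a server and the firewall is
    copied twice when both ports are mirrored (the 'see the attack twice'
    effect described in the thread)."""
    load = 0.0
    if mirror_firewall:
        load += firewall_port_mbps(servers)
    if mirror_servers:
        load += sum(s.external_mbps + s.internal_mbps for s in servers)
    return load


def assess(load_mbps, sensor_link_mbps, warn_ratio=0.7):
    """Oversubscription verdict plus the share of mirrored traffic the
    switch cannot deliver to the sensor (these drops are silent: the
    sensor never sees the packets, so it cannot report them)."""
    ratio = load_mbps / sensor_link_mbps
    undelivered = max(0.0, 1.0 - sensor_link_mbps / load_mbps) if load_mbps else 0.0
    return {"load_mbps": load_mbps, "utilization": ratio,
            "oversubscribed": ratio > 1.0, "near_limit": ratio > warn_ratio,
            "undelivered_fraction": undelivered}


# Constructed DMZ: ten servers, each 8 Mbps through the firewall and 3 Mbps
# of server-to-server traffic, monitored by a 100 Mbps full-duplex sensor.
DMZ = [ServerPort(f"srv{i}", 8.0, 3.0) for i in range(1, 11)]
SENSOR_MBPS = 100.0

if __name__ == "__main__":
    for fw, srv in [(True, False), (False, True), (True, True)]:
        print(f"firewall={fw} servers={srv}:", assess(mirrored_load_mbps(DMZ, fw, srv), SENSOR_MBPS))
```

With the constructed figures, mirroring only the firewall port fits the 100 Mbps sensor (near its limit), while mirroring every server port, or servers plus firewall, oversubscribes it; the undelivered fraction is exactly the loss the sensor cannot report because the switch drops it upstream.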
