In scenarios where we need to monitor multiple segments with a single
Network Sensor, you may want to look into an IDS Loadbalancer, such as the
one from Toplayer. It does a very good job even in Asynchronous Routing
situations. The flexibility of it allows you to monitor multiple Segments
and, if you wish, to balance that across multiple sensors (either for
failover or traffic load). Another interesting option is the ability to
choose which "type" of traffic to send to a specific sensor, which is really
good for Sensor tuning, such as having one Network Sensor receive all HTTP
traffic (and enable only the HTTP events on the box) and sending all other
traffic to another sensor (with all other events enabled).
Bill Schawo | Accenture | ATIS Information Security
ISIRT - Infrastructure Security Incident Response Team
[EMAIL PROTECTED] | MSN IM: [EMAIL PROTECTED]
Phone: 312.693.2295 | Fax: 312.652.2295 | Octel: 68/32295
161 N. Clark, Chicago, IL 60601 | PGP Key ID: 0xD77ADC3D
PGP Fingerprint: FD38 A5FC EE8A C732 BF98 CFA8 0BF6 C65A D77A DC3D
From: "Avi Ganon" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Sent: 01/16/2003 06:15 AM
To: "Don Goldstein" <[EMAIL PROTECTED]>
cc: [EMAIL PROTECTED]
Subject: RE: [ISSForum] Real secure in full cluster environment.
Hi Don,
Thanks for replying.
We are using Stonebeat full cluster and it's o.k.
I am looking for a solution to monitor three segments of the LAN network
with one sensor.
The first thing that comes to mind is to connect it to a switch and mirror
all segment traffic to the IDS port.
The problem with this solution is the spanning tree on the switch.
If you disable the spanning tree on the switch, it hangs.
So for now I am working with a hub, but I am losing information.
Thanks
Best Regards
Avi Ganon
Information Security
Tel: 972-9-9614540
Cell: 972-58-741717
-----Original Message-----
From: Don Goldstein [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 14, 2003 21:40
To: Avi Ganon
Subject: RE: [ISSForum] Real secure in full cluster environment.
Shalom Alechem. We did it. We had it running for a few years.
Stonebeat works great once you set it up but it is VERY difficult to
set up. I would recommend avoiding it.
-----Original Message-----
From: Avi Ganon [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 14, 2003 7:45 AM
To: [EMAIL PROTECTED]
Subject: [ISSForum] Real secure in full cluster environment.
Hi all,
Could someone provide me their opinions based on their own
experiences with implementing Real Secure in
Stone Beat Full Cluster environment:
For example: three fw1 in cluster, three interfaces for each
segment, LAN, DMZ, etc...
I'm not using a span port; instead I'm using Shomiti Taps.
How can I monitor all traffic for the LAN network with only one
network sensor for three LAN interfaces?
Thanks
Best Regards
Avi Ganon
Information Security
Tel: 972-9-9614540
Cell: 972-58-741717
---------------------------------------------------------------------------------------------------------------
This e-mail message may contain confidential, commercial and privileged
information or data that constitute proprietary information of Cellcom
Israel Ltd. Any review or distribution by others is strictly prohibited. If
you are not the intended recipient you are hereby notified that any use of
this information or data by any other person is absolutely prohibited. If
you are not the intended recipient, please delete all copies and contact us
by e-mailing to: [EMAIL PROTECTED]
Thank You.
This message is for the designated recipient only and may contain
privileged, proprietary, or otherwise private information. If you have
received it in error, please notify the sender immediately and delete the
original. Any other use of the email by you is prohibited.
_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]