In a segmented environment there are few things you can do besides what you mentioned. It is easier to monitor network activity when security (i.e., intrusion detection, fw, etc.) is part of the initial design and implementation... Sorry I couldn't be more helpful.
At 09:22 AM 3/20/2003 -0500, you wrote:
Hi all.
I am not a network specialist by any means so please be gentle. I am currently attempting to deploy network sensors throughout our infrastructure. Since we have a switched environment, I have 2 options (that I am aware of):
* use the SPAN port of a switch for a network IDS
* use network taps.
Many of our switches have several internal interfaces that I would like to monitor...i.e. one switch will be used for traffic destined for 8 different networks. I would like to be able to plug an IDS into the SPAN port of the switch and get the networking people to configure the SPAN port to accept traffic from port 1, 3, and 8 for example because those are critical network segments. This would allow my IDS to monitor all 3 of those ports at the same time. The network guys say this is not possible and I can only span one port on the switch to the SPAN port. This means using the SPAN port is out of the question for our environment. I went to the Cisco site and it seems that the switches are capable of doing what I want, so I am confused.
Question 1: Who is right...i.e. can a SPAN port monitor traffic over multiple incoming/outgoing ports on a single switch? If not then why not?
Question 2: If the network guys are right then why is the SPAN port a widely used method of deploying network IDS?
Question 3: If the network guys are right, what other options are open to me? I mentioned taps, but don't I run into the same issue: 1 tap for 1 network segment, and so in my example above I would require 8 taps for the switch with 8 ports.
Thanks in advance.
Paul
_______________________________________________ ISSForum mailing list [EMAIL PROTECTED]
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo
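For reference on question 1, below is what a SPAN session with several source ports looks like on a Cisco Catalyst switch running IOS. This is an added example, not configuration from either message in the thread; the interface names (FastEthernet0/1, 0/3 and 0/8 as sources, FastEthernet0/24 as the IDS port), the session number and the VLAN IDs are assumptions chosen to match the "ports 1, 3 and 8" in Paul's question.

```cisco
! Added example, not from the thread. Interface names, session number
! and VLAN IDs are assumptions.
! Mirror both directions (ingress and egress) of three critical ports
! into one IDS-facing port in a single SPAN session.
configure terminal
monitor session 1 source interface FastEthernet0/1 , FastEthernet0/3 , FastEthernet0/8 both
monitor session 1 destination interface FastEthernet0/24
end
! Verify: the source list for session 1 should show all three ports.
show monitor session 1
! Variant: mirror whole VLANs rather than individual physical ports,
! which catches every port in those segments (VLAN IDs assumed).
! monitor session 1 source vlan 10 , 20 , 30 both
```

Two caveats a practitioner will want before relying on this. First, SPAN oversubscribes easily: three full-duplex 100 Mb/s sources mirrored in both directions can offer up to 600 Mb/s to a single 100 Mb/s destination port, and the switch silently drops whatever the destination cannot carry, so the IDS sees gaps exactly when the network is busiest. Second, a SPAN destination port carries no normal switched traffic and, by default, does not accept frames sent into it, so an IDS attached this way is purely passive unless the platform is configured to allow ingress on that port.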
