Paul,

why on earth are you using a whole lot of Network Sensors to try and do
this? It is very much a 1990s way of IDS, and by the time you finish with
buying hardware and possibly needing taps and load balancing switches etc.
it ends up more expensive and far less effective than installing Server
Sensor on the Servers!

I see the weirdest configurations using Network Sensor, mainly because
Resellers cannot be bothered really learning about all the other things
that can be done and implementing Server Sensors and System Scanner. It is
so much easier just to sell a customer a whole bin full of Network
Sensors!!

JT

John Taylor | Director Security Products | Tolerant Systems Ltd | 01782 865026 | 07730 989255
This electronic message contains information from Tolerant Systems, which
may be privileged or confidential. The information is intended for use only
by the individual(s) or entity named above. If you are not the intended
recipient, be aware that any disclosure, copying, distribution or use of the
contents of this information is strictly prohibited. If you have received
this electronic message in error, please notify me by telephone or email (to
the number or email address above) immediately.



-----Original Message-----
From: Donnie Green [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 20, 2003 7:20 PM
To: Paul Van Gurp; [EMAIL PROTECTED]
Subject: Re: [ISSForum] SPAN port for IDS monitoring - Cisco switches


Your network guys are right.  You can span multiple ports - if they are in
the same VLAN - on a single switch, but you cannot span multiple individual
ports.  And you have to be careful that the total traffic you are
monitoring - if spanning a VLAN - does not saturate the bandwidth of the port.
For example if you are monitoring a VLAN with 3 servers on it, which is
communicating at 50mbps each, your 100mb span port will start to drop a lot
of packets.

In a segmented environment there are few things you can do besides what you 
mentioned.  It is easier to monitor network activity when security (i.e., 
intrusion detection, fw, etc.) is part of the initial design and 
implementation...  Sorry I couldn't be more helpful.

At 09:22 AM 3/20/2003 -0500, you wrote:
>Hi all.
>
>I am not a network specialist by any means so please be gentle.  I am 
>currently attempting to deploy network sensors throughout our 
>infrastructure.  Since we have a switched environment, I have 2 options 
>(that I am aware of):
>
>*       use the SPAN port of a switch for a network IDS
>*       use network taps.
>
>Many of our switches have several internal interfaces that I would like to 
>monitor...i.e. one switch will be used for traffic destined for 8 
>different networks.  I would like to be able to plug an IDS into the SPAN 
>port of the switch and get the networking people to configure the SPAN 
>port to accept traffic from port 1, 3, and 8 for example because those are 
>critical network segments.  This would allow my IDS to monitor all 3 of 
>those ports at the same time.  The network guys say this is not possible 
>and I can only span one port on the switch to the SPAN port.  This means 
>using the SPAN port is out of the question for our environment.  I went to 
>the Cisco site and it seems that the switches are capable of doing what I 
>want, so I am confused.
>
>Question 1:  Who is right...i.e. can a SPAN port monitor traffic over 
>multiple incoming/outgoing ports on a single switch?  If not then why not?
>Question 2:  If the network guys are right then why is the SPAN port a 
>widely used method of deploying network IDS?
>Question 3:  If the network guys are right, what other options are open to 
>me...I mentioned taps but don't I run into the same issues...1 tap for 1 
>network segment and so in my example above, I would require 8 taps for the 
>switch with 8 ports.
>
>Thanks in advance.
>
>Paul
>
>
>
>_______________________________________________
>ISSForum mailing list
>[EMAIL PROTECTED]
>
>TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to 
>https://atla-mm1.iss.net/mailman/listinfo

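The SPAN oversubscription point in Donnie's reply, worked through as a small Python capacity check: it sums the mirrored directions of every source port onto the one destination link and reports how much of the copied traffic a sensor on that port can never see. This is an added example, not code from any poster or from ISS; the port names and figures (three servers at 25 Mbps in and 25 Mbps out each, a 100 Mbps destination) are constructed to match the reply.

```python
from dataclasses import dataclass
from typing import Dict, Iterable

@dataclass(frozen=True)
class SourcePort:
    name: str
    link_mbps: float  # physical speed of the source port
    rx_mbps: float    # average traffic entering the switch on this port
    tx_mbps: float    # average traffic leaving the switch on this port

def span_load_mbps(sources: Iterable[SourcePort], direction: str = "both") -> float:
    """Offered load: SPAN copies rx, tx or both directions of every source onto one link."""
    if direction not in ("rx", "tx", "both"):
        raise ValueError("direction must be 'rx', 'tx' or 'both'")
    load = 0.0
    for port in sources:
        if direction in ("rx", "both"):
            load += port.rx_mbps
        if direction in ("tx", "both"):
            load += port.tx_mbps
    return load

def worst_case_load_mbps(sources: Iterable[SourcePort], direction: str = "both") -> float:
    # A full-duplex source contributes twice its link speed when both directions are mirrored.
    factor = 2.0 if direction == "both" else 1.0
    return sum(port.link_mbps * factor for port in sources)

def span_capacity_check(sources: Iterable[SourcePort], dest_link_mbps: float,
                        direction: str = "both") -> Dict[str, object]:
    """Report oversubscription and the share of mirrored packets lost once the link is full."""
    if dest_link_mbps <= 0:
        raise ValueError("destination link speed must be positive")
    ports = list(sources)
    load = span_load_mbps(ports, direction)
    excess = max(0.0, load - dest_link_mbps)
    return {
        "load_mbps": load,
        "utilization": load / dest_link_mbps,
        "excess_mbps": excess,
        "drop_fraction": excess / load if load else 0.0,
        "worst_case_mbps": worst_case_load_mbps(ports, direction),
        "oversubscribed": load > dest_link_mbps,
    }

if __name__ == "__main__":
    # Constructed figures matching the reply: three servers on one VLAN moving
    # about 50 Mbps each (25 in, 25 out), mirrored to a 100 Mbps SPAN port.
    servers = [SourcePort(f"srv{i}", 100, 25.0, 25.0) for i in (1, 2, 3)]
    print(span_capacity_check(servers, dest_link_mbps=100))
```

The same check applied to Paul's three full-duplex 100 Mbps ports gives a worst case of 600 Mbps offered to a 100 Mbps destination, which is why a single SPAN port is usually sized from the sum of both directions, not the number of ports.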

-- 
------------------------------------------------------------------------------------------
This message has been inspected by DynaComm i:mail 3.0
http://www.tolerant.com/products/product1.asp?product_ID=27&ProductType_ID=2
------------------------------------------------------------------------------------------
