Absolutely true if all the monitored ports were maxed out 24x7, but there's enough low I/O time on each port to make the process pretty clean. I'm sure there are packets dropped, but as long as I can get 80% of the traffic watched I'm okay... until I can get my next Network Sensor set up on the same switch and divide the ports among the two. That will be much better.
Verne

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 21, 2003 7:35 AM
To: Verne Baxter
Cc: Donnie Green; Paul Van Gurp; [EMAIL PROTECTED]
Subject: RE: [ISSForum] SPAN port for IDS monitoring - Cisco switches

How exactly are you collecting data from 1 port when you have spanned 13 x 100Mbps connections? How can a 100Mbps port view all the data from 13? You must be dropping packets like crazy.

"Verne Baxter" <[EMAIL PROTECTED]> on 20/03/2003 21:41:07
To: "Donnie Green" <[EMAIL PROTECTED]>, "Paul Van Gurp" <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
cc: (bcc: Simon Griffin/IS/Spectrum/AXA SUN LIFE)
Subject: RE: [ISSForum] SPAN port for IDS monitoring - Cisco switches

Must have missed an equipment description. I currently have, for instance, one monitor port in a CAT4003. Via that monitor port I have set up a span that 'spans' two blades, three VLANs and a total of 13 ports. No problem. i.e.

    set span 2/2-10,2/13,2/18,3/21-22 2/48

Verne

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Donnie Green
Sent: Thursday, March 20, 2003 11:20 AM
To: Paul Van Gurp; [EMAIL PROTECTED]
Subject: Re: [ISSForum] SPAN port for IDS monitoring - Cisco switches

Your network guys are right. You can span multiple ports (if they are in the same VLAN) on a single switch, but you cannot span multiple individual ports. And you have to be careful that the total traffic you are monitoring (if spanning a VLAN) does not saturate the bandwidth of the port. For example, if you are monitoring a VLAN with 3 servers on it, each communicating at 50 Mbps, your 100 Mb span port will start to drop a lot of packets. In a segmented environment there are few things you can do besides what you mentioned. It is easier to monitor network activity when security (i.e., intrusion detection, fw, etc.) is part of the initial design and implementation... Sorry I couldn't be more helpful.
At 09:22 AM 3/20/2003 -0500, you wrote:
>Hi all.
>
>I am not a network specialist by any means, so please be gentle. I am currently attempting to deploy network sensors throughout our infrastructure. Since we have a switched environment, I have 2 options (that I am aware of):
>
>* use the SPAN port of a switch for a network IDS
>* use network taps.
>
>Many of our switches have several internal interfaces that I would like to monitor, i.e. one switch will be used for traffic destined for 8 different networks. I would like to be able to plug an IDS into the SPAN port of the switch and get the networking people to configure the SPAN port to accept traffic from ports 1, 3, and 8, for example, because those are critical network segments. This would allow my IDS to monitor all 3 of those ports at the same time. The network guys say this is not possible and I can only span one port on the switch to the SPAN port. This means using the SPAN port is out of the question for our environment. I went to the Cisco site and it seems that the switches are capable of doing what I want, so I am confused.
>
>Question 1: Who is right, i.e. can a SPAN port monitor traffic over multiple incoming/outgoing ports on a single switch? If not, then why not?
>Question 2: If the network guys are right, then why is the SPAN port a widely used method of deploying network IDS?
>Question 3: If the network guys are right, what other options are open to me? I mentioned taps, but don't I run into the same issues: 1 tap for 1 network segment, and so in my example above I would require 8 taps for the switch with 8 ports.
>
>Thanks in advance.
>
>Paul
>
>_______________________________________________
>ISSForum mailing list
>[EMAIL PROTECTED]
>
>TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
>https://atla-mm1.iss.net/mailman/listinfo
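The whole thread turns on one capacity question: can the SPAN destination port carry what is mirrored onto it (Donnie's three 50 Mbps servers, Simon's 13 x 100 Mbps sources, Verne's "80% watched" estimate). The following is an added example, not code from anyone in this thread. It is a small Python estimator that takes two readings of per-port byte counters (the shape you get from SNMP ifInOctets/ifOutOctets, which on CatOS-era switches are 32-bit and wrap), derives each source port's offered load, and compares the sum with the destination port's line rate. The port names, counter values and 10 s interval are constructed for illustration. The point it makes explicit, which the thread only circles: a SPAN session copies both the receive and the transmit side of every source port onto the single transmit side of the destination, so one busy full-duplex 100 Mbps source port can already fill a 100 Mbps destination on its own.

```python
"""Estimate whether a SPAN destination port is oversubscribed.

Added example for the ISSForum thread above, not code from the original
posters. Input is two readings of per-port byte counters, the shape SNMP
gives you (ifInOctets / ifOutOctets), taken `interval_s` seconds apart.
Counters on CatOS-era switches are 32-bit and wrap, so deltas are taken
modulo 2**32.

Key point: a SPAN session copies BOTH directions (rx and tx) of every
source port onto the single tx side of the destination port. One busy
full-duplex 100 Mbps source can therefore saturate a 100 Mbps destination.
"""
from dataclasses import dataclass

COUNTER32_MODULUS = 2 ** 32  # SNMP Counter32 rolls over at 2^32 octets


@dataclass(frozen=True)
class PortSample:
    """One reading of a port's byte counters (both directions)."""
    name: str
    in_octets: int
    out_octets: int


def counter_delta(before: int, after: int, modulus: int = COUNTER32_MODULUS) -> int:
    """Octets counted between two readings, correcting for one counter wrap."""
    return (after - before) % modulus


def offered_load_bps(before: dict[str, PortSample], after: dict[str, PortSample],
                     interval_s: float, both_directions: bool = True) -> dict[str, float]:
    """Bits per second each source port pushes onto the SPAN destination.

    With both_directions=True (the default SPAN behaviour) rx and tx are
    added together, because both are copied to the destination's tx side.
    """
    loads = {}
    for name, b in before.items():
        a = after[name]
        octets = counter_delta(b.in_octets, a.in_octets)
        if both_directions:
            octets += counter_delta(b.out_octets, a.out_octets)
        loads[name] = octets * 8 / interval_s
    return loads


def span_capacity_report(loads: dict[str, float], dest_bps: float) -> dict[str, float]:
    """Aggregate offered load against the destination port's line rate.

    dropped_fraction is the share of mirrored traffic that cannot fit on
    the destination link at steady state; bursts make the real figure worse.
    """
    total = sum(loads.values())
    dropped = max(0.0, 1.0 - dest_bps / total) if total > 0 else 0.0
    return {
        "offered_bps": total,
        "oversubscription": total / dest_bps,
        "dropped_fraction": dropped,
    }


def constructed_samples() -> tuple[dict[str, PortSample], dict[str, PortSample], float]:
    """Constructed data (not from the thread): three server ports, each doing
    25 Mbps in and 25 Mbps out, sampled 10 s apart, i.e. Donnie's "3 servers
    at 50 Mbps" case. srv3's rx counter starts 1000 octets below 2^32 so the
    counter-wrap path is exercised."""
    interval_s = 10.0
    octets_25mbps = int(25e6 * interval_s / 8)  # 31_250_000 octets per direction
    before = {
        "srv1": PortSample("srv1", 1_000_000, 2_000_000),
        "srv2": PortSample("srv2", 5_000_000, 6_000_000),
        "srv3": PortSample("srv3", COUNTER32_MODULUS - 1_000, 9_000_000),
    }
    after = {
        n: PortSample(n, (s.in_octets + octets_25mbps) % COUNTER32_MODULUS,
                      s.out_octets + octets_25mbps)
        for n, s in before.items()
    }
    return before, after, interval_s


if __name__ == "__main__":
    before, after, interval_s = constructed_samples()
    loads = offered_load_bps(before, after, interval_s)
    for name, bps in loads.items():
        print(f"{name}: {bps / 1e6:.1f} Mbps offered to the SPAN destination")
    rep = span_capacity_report(loads, dest_bps=100e6)
    print(f"total {rep['offered_bps'] / 1e6:.0f} Mbps onto a 100 Mbps destination: "
          f"{rep['oversubscription']:.2f}x, about {rep['dropped_fraction']:.0%} "
          f"of mirrored traffic cannot fit")
```

Two caveats when reading the output. A 10 s average understates the problem: the destination drops whenever an instantaneous burst exceeds its line rate, so a ratio near 1.0 still loses packets, and the authoritative check is the destination port's outbound drop counter on the switch itself, not this estimate. And the estimate says nothing about which packets are lost; an IDS that sees 80% of bytes may still miss the one session that matters, which is the argument for Verne's remedy (a second sensor with the source ports split across two destination ports) or for a tap on the critical uplinks.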
