Simon, I have been around in this business since 1968 and cannot for the life of me imagine why anyone still uses Network Sensor except on things like the Internet line in the DMZ! I used to have all the same problems when I was with Network General trying to analyse switched networks!
Do you use Site Protector from ISS??

JT

John Taylor | Director Security Products | Tolerant Systems Ltd | 01782 865026 | 07730 989255

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 21, 2003 3:35 PM
To: Verne Baxter
Cc: Donnie Green; Paul Van Gurp; [EMAIL PROTECTED]
Subject: RE: [ISSForum] SPAN port for IDS monitoring - Cisco switches

How exactly are you collecting data from 1 port when you have spanned 13 x 100Mbps connections? How can a 100Mbps port view all the data from 13? You must be dropping packets like crazy.

"Verne Baxter" <[EMAIL PROTECTED]> on 20/03/2003 21:41:07
To: "Donnie Green" <[EMAIL PROTECTED]>, "Paul Van Gurp" <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
cc: (bcc: Simon Griffin/IS/Spectrum/AXA SUN LIFE)
Subject: RE: [ISSForum] SPAN port for IDS monitoring - Cisco switches

Must have missed an equipment description. I currently have, for instance, one monitor port in a CAT4003. Via that monitor port I have set up a span that 'spans' two blades, three VLANs and a total of 13 ports. No problem. i.e.

set span 2/2-10,2/13,2/18,3/21-22 2/48

Verne

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Donnie Green
Sent: Thursday, March 20, 2003 11:20 AM
To: Paul Van Gurp; [EMAIL PROTECTED]
Subject: Re: [ISSForum] SPAN port for IDS monitoring - Cisco switches

Your network guys are right.
You can span multiple ports (if they are in the same VLAN) on a single switch, but you cannot span multiple individual ports. And you have to be careful that the total traffic you are monitoring (if spanning a VLAN) does not saturate the bandwidth of the port. For example, if you are monitoring a VLAN with 3 servers on it, each communicating at 50mbps, your 100mb span port will start to drop a lot of packets.

In a segmented environment there are few things you can do besides what you mentioned. It is easier to monitor network activity when security (i.e., intrusion detection, fw, etc.) is part of the initial design and implementation...

Sorry I couldn't be more helpful.

At 09:22 AM 3/20/2003 -0500, you wrote:
>Hi all.
>
>I am not a network specialist by any means so please be gentle. I am
>currently attempting to deploy network sensors throughout our
>infrastructure. Since we have a switched environment, I have 2 options
>(that I am aware of):
>
>* use the SPAN port of a switch for a network IDS
>* use network taps.
>
>Many of our switches have several internal interfaces that I would like to
>monitor...i.e. one switch will be used for traffic destined for 8
>different networks. I would like to be able to plug an IDS into the SPAN
>port of the switch and get the networking people to configure the SPAN
>port to accept traffic from port 1, 3, and 8 for example because those are
>critical network segments. This would allow my IDS to monitor all 3 of
>those ports at the same time. The network guys say this is not possible
>and I can only span one port on the switch to the SPAN port. This means
>using the SPAN port is out of the question for our environment. I went to
>the Cisco site and it seems that the switches are capable of doing what I
>want, so I am confused.
>
>Question 1: Who is right...i.e. can a SPAN port monitor traffic over
>multiple incoming/outgoing ports on a single switch? If not then why not?
>Question 2: If the network guys are right then why is the SPAN port a
>widely used method of deploying network IDS?
>Question 3: If the network guys are right, what other options are open to
>me...I mentioned taps but don't I run into the same issues...1 tap for 1
>network segment and so in my example above, I would require 8 taps for the
>switch with 8 ports.
>
>Thanks in advance.
>
>Paul
>
>_______________________________________________
>ISSForum mailing list
>[EMAIL PROTECTED]
>
>TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
>https://atla-mm1.iss.net/mailman/listinfo
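The bandwidth arithmetic behind Simon's and Donnie's objections, as an added example that is not part of the thread: it expands a CatOS span source list like Verne's, sums the mirrored load, and reports how much a 100 Mbps destination port would have to drop. Port names and utilisation figures are constructed; the assumption that both directions of each source port are copied into the destination's single transmit direction is general SPAN behaviour, not something the thread states.

```python
"""SPAN oversubscription check (constructed example, not from the thread).

Assumption: a SPAN destination port only transmits toward the sensor, so
both the receive and transmit side of every source port are copied into
that one transmit direction, and anything above the destination's line
rate is simply dropped by the switch rather than queued.
"""
from dataclasses import dataclass

@dataclass
class SourcePort:
    name: str        # CatOS module/port notation, e.g. "2/13"
    rx_mbps: float   # measured inbound utilisation (constructed figures)
    tx_mbps: float   # measured outbound utilisation

def expand_catos_ports(spec: str) -> list[str]:
    """Expand a CatOS source list such as '2/2-10,2/13,3/21-22' into ports."""
    ports = []
    for item in spec.split(","):
        mod, rng = item.strip().split("/")
        lo, _, hi = rng.partition("-")        # "2-10" -> 2..10, "13" -> 13
        for p in range(int(lo), int(hi or lo) + 1):
            ports.append(f"{mod}/{p}")
    return ports

def mirrored_load_mbps(sources: list[SourcePort]) -> float:
    """Traffic the switch tries to push out of the SPAN destination."""
    return sum(s.rx_mbps + s.tx_mbps for s in sources)

def span_drop_fraction(sources: list[SourcePort], dest_mbps: float) -> float:
    """Share of mirrored traffic the destination port cannot carry."""
    load = mirrored_load_mbps(sources)
    return 0.0 if load <= dest_mbps else 1.0 - dest_mbps / load

def worst_case_ratio(spec: str, link_mbps: float, dest_mbps: float) -> float:
    """Oversubscription if every spanned port ran flat out in both directions."""
    return len(expand_catos_ports(spec)) * 2 * link_mbps / dest_mbps

# Donnie's case: three servers at 50 Mbps each behind one 100 Mbps SPAN port.
SERVERS = [SourcePort(f"2/{i}", rx_mbps=25.0, tx_mbps=25.0) for i in (2, 3, 4)]
# Verne's source list (13 ports) mirrored to destination 2/48 at 100 Mbps.
VERNE_SOURCES = "2/2-10,2/13,2/18,3/21-22"

if __name__ == "__main__":
    print(f"3 servers: {mirrored_load_mbps(SERVERS):.0f} Mbps mirrored, "
          f"{span_drop_fraction(SERVERS, 100):.0%} dropped")
    print(f"13-port span: up to {worst_case_ratio(VERNE_SOURCES, 100, 100):.0f}x "
          "oversubscribed at full load")
```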
