Yeah, but how much of the CPU does that utilize? Host-based intrusion detection has always been thought of as processor intensive. Does that still hold true?

At 03:03 PM 3/24/2003 +0000, you wrote:
Well,

all this mail about SPAN ports, monitoring, Top Layer switches, taps etc.
etc. sure shows how server-based is a better route!

JT

John Taylor | Director Security Products | Tolerant Systems Ltd | 01782 865026 | 07730 989255
This electronic message contains information from Tolerant Systems, which
may be privileged or confidential. The information is intended for use only
by the individual(s) or entity named above. If you are not the intended
recipient, be aware that any disclosure, copying, distribution or use of the
contents of this information is strictly prohibited. If you have received
this electronic message in error, please notify me by telephone or email (to
the number or email address above) immediately.



-----Original Message-----
From: Joe Magee [mailto:[EMAIL PROTECTED]
Sent: Friday, March 21, 2003 9:29 PM
To: 'Paul Van Gurp'; [EMAIL PROTECTED]; Fuchs Bernhard
Subject: Re: [ISSForum] "Why not a Switch?" Whitepaper was: SPAN port
for IDS monitoring - Cisco switches



Bernhard, you make some pretty valid points.

For more information on using a SPAN port vs. taps vs. Top Layer's IDS
Balancer see the following whitepaper titled "Why not a Switch?":

http://www.joemagee.com/filez/Why%20not%20use%20a%20switch.pdf

Hope this provides some insight.

Cheers,

Joe Magee

---------- Original Message ----------------------------------
From: Fuchs Bernhard <[EMAIL PROTECTED]>
Date:  Fri, 21 Mar 2003 13:39:18 +0100

>Hi Paul,
>
>ok, at first you have the following problem. Your span port has 100mb, so if you
>are monitoring 3 ports on it with 100mb and 40% utilisation you are losing
>20%, which makes it unusable for IDS... (a lot of false positives or false
>negatives). And you can't send rskills on a span port. The next thing is,
>you might have a redundant net, so you need a sensor for each computer
>center. Another problem is asynchronous routing on loadbalancing. Let's say you
>have 2 servers that are loadbalanced. You have 2 packets coming in
>(multicast) and one packet leaving -> false positive "ICMP unsolicited echo
>reply" for example... so I recommend network taps and an "IDS-Balancer". This
>is kind of a switch but much better, about "36gb backplane" I guess and with
>gigabit... so you can monitor 10x100mb on one gb sensor... pretty cool and
>totally flexible to configure. I saw the Top Layer and had my hands on it. But we
>are considering taking another brand too. Keep on asking if you have
>questions....
>
>http://netoptics.com/
>http://www.toplayer.com "Attack Mitigator" and "IDS-Balancer"
>
>
>Kind regards / sincerely yours
>
>
>Bernhard Fuchs
>Junior System-Engineer
>IT-Infrastruktur/IT-Security
>
>ITELLIUM
>Systems & Services GmbH
>Fürther Straße 205
>90429 Nürnberg
>
>Tel.:   +49-911-14-27321
>Fax:    +49-911-14-22016
>mailto:[EMAIL PROTECTED]
>http://www.itellium.com
>
>This email is confidential. If you are not the intended recipient, you must
>not disclose or use the information contained in it. If you have received
>this mail in error, please tell us immediately by return email and delete
>the document. E-mails to and from the company are monitored for operational
>reasons and in accordance with lawful business practices. The contents of
>this email are those of the individual and do not necessarily represent the
>views of the company. The company accepts no responsibility once an e-mail
>and any attachments is sent.
>
>
>-----Original Message-----
>From: Paul Van Gurp [mailto:[EMAIL PROTECTED]
>Sent: Thursday, 20 March 2003 15:22
>To: [EMAIL PROTECTED]
>Subject: [ISSForum] SPAN port for IDS monitoring - Cisco switches
>
>
>Hi all.
>
>I am not a network specialist by any means so please be gentle.  I am
>currently attempting to deploy network sensors throughout our
>infrastructure.  Since we have a switched environment, I have 2 options
>(that I am aware of):
>
>*      use the SPAN port of a switch for a network IDS
>*      use network taps.
>
>Many of our switches have several internal interfaces that I would like to
>monitor...i.e. one switch will be used for traffic destined for 8 different
>networks.  I would like to be able to plug an IDS into the SPAN port of the
>switch and get the networking people to configure the SPAN port to accept
>traffic from port 1, 3, and 8 for example because those are critical network
>segments.  This would allow my IDS to monitor all 3 of those ports at the
>same time.  The network guys say this is not possible and I can only span
>one port on the switch to the SPAN port.  This means using the SPAN port is
>out of the question for our environment.  I went to the Cisco site and it
>seems that the switches are capable of doing what I want, so I am confused.
>
>Question 1:  Who is right...i.e. can a SPAN port monitor traffic over
>multiple incoming/outgoing ports on a single switch?  If not then why not?
>Question 2:  If the network guys are right then why is the SPAN port a
>widely used method of deploying network IDS?
>Question 3:  If the network guys are right, what other options are open to
>me...I mentioned taps but don't I run into the same issues...1 tap for 1
>network segment and so in my example above, I would require 8 taps for the
>switch with 8 ports.
>
>Thanks in advance.
>
>Paul
>
>
>
>_______________________________________________
>ISSForum mailing list
>[EMAIL PROTECTED]
>
>TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
>https://atla-mm1.iss.net/mailman/listinfo

--
------------------------------------------------------------------------------
This message has been inspected by DynaComm i:mail 3.0
http://www.tolerant.com/products/product1.asp?product_ID=27&ProductType_ID=2
------------------------------------------------------------------------------
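A sizing check for the oversubscription problem Bernhard describes above (three 100 Mb/s ports at 40% load mirrored to a single 100 Mb/s SPAN port), added here as an example and not code from any poster in the thread. The link figures are constructed to match the thread; the rx+tx case and the tap-to-gigabit-sensor comparison are assumptions that go beyond what Bernhard spelled out.

```python
"""Capacity check for an IDS monitoring point: SPAN port vs. aggregated taps.

Constructed figures follow the thread: three 100 Mb/s switch ports at 40 %
utilisation mirrored onto one 100 Mb/s SPAN port (added example, not list code).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class MonitoredLink:
    name: str
    speed_mbps: float      # link speed in Mb/s
    utilisation: float     # fraction of that speed in use, per direction


def offered_load_mbps(links, both_directions):
    """Traffic the monitoring point must deliver to the sensor.

    A SPAN session may copy rx only, tx only or both; copying both directions
    doubles what lands on the destination port. A tap always hands over both.
    """
    factor = 2 if both_directions else 1
    return sum(link.speed_mbps * link.utilisation * factor for link in links)


def capacity_check(links, sensor_port_mbps, both_directions):
    """Return (offered, excess, dropped_fraction) for one sensor-facing port.

    Whatever exceeds the port's line rate is discarded before the sensor sees
    it, so the drops surface as missed events and half-seen sessions.
    """
    offered = offered_load_mbps(links, both_directions)
    excess = max(0.0, offered - sensor_port_mbps)
    dropped = excess / offered if offered else 0.0
    return offered, excess, dropped


if __name__ == "__main__":
    # Constructed: Paul's three critical 100 Mb/s segments at 40 % load.
    critical = [MonitoredLink(f"port{p}", 100, 0.4) for p in (1, 3, 8)]
    for label, port, both in (("SPAN rx only", 100, False),
                              ("SPAN rx+tx", 100, True),
                              ("taps -> 1 Gb/s sensor", 1000, True)):
        offered, excess, dropped = capacity_check(critical, port, both)
        print(f"{label:22s} offered {offered:6.1f} Mb/s, "
              f"excess {excess:6.1f} Mb/s, dropped {dropped:.1%}")
    # Constructed: Bernhard's 10 x 100 Mb/s links feeding one gigabit sensor.
    ten = [MonitoredLink(f"link{i}", 100, 0.4) for i in range(10)]
    print("10 links on 1 Gb/s sensor, excess Mb/s:", capacity_check(ten, 1000, True)[1])
```

The rx-only case reproduces the 20 Mb/s that cannot fit on the SPAN port; mirroring both directions of the same three links more than doubles the shortfall, which is the part of the sizing people most often miss.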