Re: [fw-wiz] Forwarding traffic to an active IDS/Firewall

From: Dale W. Carder (dwcarder_at_doit.wisc.edu)
Date: 07/21/05

  • Next message: Paul Melson: "RE: [fw-wiz] Intel vs. special purpose FW-1 servers"

    To: Vinicius Pavanelli Vianna <ds@hacked.com.br>
    Date: Thu, 21 Jul 2005 11:18:49 -0500

    Thus spake Vinicius Pavanelli Vianna (ds@hacked.com.br) on Wed, Jul 13, 2005 at 06:39:35PM -0300:
    > Anyone know how I can forward all traffic that came to a Cisco Catalyst
    > switch to a gateway to do some IDS/Firewall/Traffic Shape?

    Use a policy route to force the next-hop. I think that's the
    closest thing to what you want. However, given that traditional
    switches are more or less agnostic to layer 3 information, you can't
    do that unless you have a switch with a routing card, or actually
    have a router.

    If you're only looking for IDS stuff, most high end switches support
    port mirroring.

    So, a layer-2 solution could use vlans and have your IDS/Firewall/Traffic
    Shape thingy route, bridge, or proxy-arp between them.

    Or, use a PC or some other device that can make switching decisions
    based on higher level stack information.

    Dale

    ----------------------------------
    Dale W. Carder - Network Engineer
    University of Wisconsin at Madison
    http://net.doit.wisc.edu/~dwcarder

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
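
An added example (not part of Dale's message or the list archive) showing the two Catalyst-side options he names: a SPAN session that mirrors a port to a passive IDS, and a route-map that forces the next hop of traffic entering a routed VLAN interface to an inline IDS/firewall. The interface names, VLAN numbers and the 10.0.10.0/24 and 10.0.99.x addresses are constructed placeholders; the policy-routing part needs a switch with a routing card or L3 image (or an actual router), exactly as the message cautions.

```text
! --- Option 1: passive IDS via port mirroring (SPAN) -------------------
! Copy everything seen on Gi0/1 (both directions) to Gi0/24, where the IDS
! sensor listens.  Nothing is redirected, so the IDS can alert but not block.
monitor session 1 source interface GigabitEthernet0/1 both
monitor session 1 destination interface GigabitEthernet0/24

! --- Option 2: force the next hop with policy-based routing ------------
! Requires layer-3 capability on the switch.  Select the traffic to
! redirect: everything from the user VLAN (constructed 10.0.10.0/24).
! Traffic already addressed to the firewall itself is left alone to
! avoid a forwarding loop.
ip access-list extended TO-INLINE-FW
 deny   ip 10.0.10.0 0.0.0.255 host 10.0.99.2
 permit ip 10.0.10.0 0.0.0.255 any

! Hand matching packets to the inline IDS/firewall at 10.0.99.2 instead of
! following the normal routing table; non-matching packets route normally.
route-map FORCE-NEXT-HOP permit 10
 match ip address TO-INLINE-FW
 set ip next-hop 10.0.99.2

! Apply the policy on the routed interface where the traffic enters.
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
 ip policy route-map FORCE-NEXT-HOP

! The firewall lives on its own VLAN so redirected traffic cannot skip it.
interface Vlan99
 ip address 10.0.99.1 255.255.255.0
```

Confirm packets are really being policy-routed with `show route-map FORCE-NEXT-HOP` (the policy routing match counter should increase) and check the mirror with `show monitor session 1`.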
