RE: Tap info request...

From: Mark Armitage (mark.armitage@savernake.com)
Date: 11/29/01


Message-ID: <A19B90E923EDD311A2470008C7D21F5024F120@mail-exchange-1.savernake.com>
From: Mark Armitage <mark.armitage@savernake.com>
To: "'secmail@dirk.demon.co.uk'" <secmail@dirk.demon.co.uk>, dcdave <dcdave@att.net>
Subject: RE: Tap info request...
Date: Thu, 29 Nov 2001 22:55:49 -0000

If we get back to the original question

> > Does anybody know a tap which can be used to connect 2
> > sensors to the same segment? Please note that Shomiti
> > does not support this case since it supports
> > only up to 12 server ports.

The Shomiti 12 port tap only allows you to monitor 1 segment at a time.
If I read the question correctly, the only reasons for connecting 2 sensors
to 1 segment are
1) Redundancy, in which case 2 single taps to two devices will do the job.
or
2) you wish to balance the 'tapped' traffic across multiple devices, in
which case you need TopLayer.

From the second part of the question
> > Also, any advice on how to customize the IDS alarms
> > for a network having a really huge traffic is greatly
> > appreciated. Any experienced guy on this issue...?

I would guess that (2) is what is required.
And in answer to that part of the question, tuning, tuning, and more tuning.

Regards

Mark.

-----Original Message-----
From: secmail@dirk.demon.co.uk [mailto:secmail@dirk.demon.co.uk]
Sent: 29 November 2001 17:42 PM
To: dcdave
Cc: IDS Guy; focus-ids@securityfocus.com
Subject: Re: Tap info request...

I believe that you have to go with some kind of content switch. I believe
Toplayer have been working with ISS to support large high volume links.
The idea is that you look at your network traffic and filter off the web
traffic to one sensor and email traffic to another. Or you can do it based
on IP address. From what I remember this was not a cheap solution, but
one that should work. The drawback is that depending on the filtering
solution you choose you might not pick up on certain events because half
the traffic went to one sensor and half went to the other.

The other thing I have considered doing in the past is having two taps
going into one sensor. This would work because each sensor tapped onto
a firewall in a failover situation. So only one link would be active at
one time. This is the opposite of what you are asking.

Ian

====
Resume online at http://www.dirk.demon.co.uk/cv/cv.html

On Thu, 29 Nov 2001, dcdave wrote:

> I am having some difficulty understanding your first question. The only
> reason I can think of to attach two sensors is to spread processing across
> them - if necessary, I use two taps.
> This would allow two different short rulesets to act on the same traffic in
> a high-volume network, which is one approach to handling high-traffic
> networks. Some combination of more processing power and less processing
> requirement per packet is usually the key.
> Each individual network has its own tuning requirements which should be
> based on threat analysis, traffic analysis, other defenses, etc...
> I am by no means the only expert in this kind of tuning, but I imagine the
> others will say pretty much the same....
> There are vendors out there now with claims of supporting gigabit throughput
> (http://www.secos.com is one), not sure what has happened with Black Ice
> since its purchase by ISS...any others?
> What I am finding these days is more often a switched environment, in which
> it may be more effective to deploy individual server stack sensors (given a
> one server/switch port configuration) or, for those that can afford it,
> segment sensors monitoring each segment ahead of the switch/router where
> possible, and through admin ports on the switches (may limit response
> capabilities of the IDS) if the switch converts from gigabit to 10/100...
> Hope this helps,
> dcdave
> (looking for work...)
> http://securingwireless.intranets.com
>
>
> ----- Original Message -----
> From: "IDS Guy" <ids_guy@yahoo.com>
> To: <focus-ids@securityfocus.com>
> Sent: Wednesday, November 28, 2001 9:38 AM
> Subject: Tap info request...
>
>
> > Hi,
> >
> > Does anybody know a tap which can be used to connect 2
> > sensors to the same segment? Please note that Shomiti
> > does not support this case since it supports
> > only up to 12 server ports.
> >
> > Also, any advice on how to customize the IDS alarms
> > for a network having a really huge traffic is greatly
> > appreciated. Any experienced guy on this issue...?
> >
> > Cheers,
> >
> > --The IDS Guy--
> >
> >
>

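Ian's drawback above (an event missed because a connection's packets were spread over two sensors) can be shown with a small simulation. This is an added example, not code from the thread: the packets, the signature string and the toy sensor are all constructed, and the sensor simply reassembles each client-to-server stream and searches it for the signature. It contrasts a per-packet round-robin split with a split keyed on the (direction-independent) flow, which is the rule a content switch needs to follow if the sensors are to see whole sessions.

```python
import zlib
from collections import defaultdict

# Constructed sample traffic: (src, dst, sport, dport, payload).
# The signature is deliberately split across the first two packets of one flow.
PATTERN = b"SIGNATURE-MATCH-ME"
PACKETS = [
    ("10.0.0.5", "192.0.2.10", 40000, 80, b"GET /SIGNATURE-MA"),
    ("10.0.0.5", "192.0.2.10", 40000, 80, b"TCH-ME HTTP/1.0\r\n"),
    ("192.0.2.10", "10.0.0.5", 80, 40000, b""),            # server ack, same flow
    ("10.0.0.5", "192.0.2.10", 40001, 80, b"GET /index.html HTTP/1.0\r\n"),
]


def flow_key(pkt):
    """Direction-independent flow identifier: both halves of a connection agree."""
    src, dst, sport, dport, _ = pkt
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)


def split_round_robin(packets, n_sensors):
    """Naive per-packet load balancing: packet i goes to sensor i mod n."""
    buckets = [[] for _ in range(n_sensors)]
    for i, pkt in enumerate(packets):
        buckets[i % n_sensors].append(pkt)
    return buckets


def split_by_flow(packets, n_sensors):
    """Flow-aware balancing: every packet of a connection lands on one sensor."""
    buckets = [[] for _ in range(n_sensors)]
    for pkt in packets:
        h = zlib.crc32(repr(flow_key(pkt)).encode())   # deterministic hash
        buckets[h % n_sensors].append(pkt)
    return buckets


def sensor_alerts(packets, pattern):
    """Toy sensor: reassemble each one-way stream, alert if the pattern appears."""
    streams = defaultdict(bytes)
    for src, dst, sport, dport, payload in packets:
        streams[(src, sport, dst, dport)] += payload
    return sorted(k for k, data in streams.items() if pattern in data)


def alerts_for(splitter, packets, n_sensors, pattern):
    """Union of alerts raised by all sensors behind the given splitter."""
    found = set()
    for bucket in splitter(packets, n_sensors):
        found.update(sensor_alerts(bucket, pattern))
    return sorted(found)
```

With two sensors the round-robin split produces no alert at all, while the flow-keyed split (or a single sensor seeing everything) alerts on the 10.0.0.5:40000 connection.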
