RE: IDS on Switched Networks
From: Matthew F. Caldwell (mattc@guarded.net) Date: 12/05/01
- Previous message: Matt Willis: "RE: IDS on Switched Networks"
- Maybe in reply to: Paul W. Stoecker, Ph.D.: "IDS on Switched Networks"
- Next in thread: Chris Eidem: "RE: IDS on Switched Networks"
Date: Wed, 5 Dec 2001 08:31:02 -0500
From: "Matthew F. Caldwell" <mattc@guarded.net>
To: <stoeckp@research.panasonic.com>, <focus-ids@securityfocus.com>
Dr. Stoecker,
You have several options:
* Place a "TAP" in the line, run your NIDS off the tap, and have a
separate comms port.
* Create a SPAN (or monitoring) port on the switch that captures all
traffic, run the NIDS on the port, and have a separate comms port.
* Place the hub between the external router and the firewall, and you can
have an array of NIDS or sniffers.
I would not recommend you place the NIDS in the critical path, since
NIDS have been prone to failure problems. By "critical path" I am assuming
you mean your NIDS running as a router itself.
Matthew F. Caldwell, CISSP
Chief Security Officer
GuardedNet, Inc.
Home of "neuSecure" Security Operations Software
http://www.guarded.net
-----Original Message-----
From: Paul W. Stoecker, Ph.D.
Sent: Tue 12/4/2001 8:55 PM
To: focus-ids@securityfocus.com
Cc:
Subject: IDS on Switched Networks
Folks,
If you are on a switched network, do you have to place your NIDS sensor in a location that can capture everything? For instance, my firewall is connected into a router which contains all of my switches and acts as a switch itself.
Do I have to put the sensor in the critical path? Does that mean that I have to put a sensor on the firewall, use another machine that is a router, or do I need a hub for the sensor and firewall to share?
Your help is greatly appreciated.
Paul
--
Paul W. Stoecker, Ph.D
Network and Information Systems Manager
Checkpoint Certified Security Administrator
Panasonic Technologies Company
Two Research Way
Princeton, NJ 08540
Phone: (609) 734-7584
FAX: (609) 987-8827
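The SPAN option above, as an added illustration that is not part of either poster's message: a Cisco Catalyst IOS configuration that mirrors the firewall's switch port onto the port the sensor sniffs from, with a separate port for sensor management. The interface numbers, VLAN and descriptions are assumptions for the example, not taken from the thread.

```cisco
! Switch side (Cisco Catalyst IOS syntax). Interface names are assumed.
! Mirror every frame that crosses the firewall's switch port, in both
! directions ("both" = rx and tx), onto the port the NIDS sniffs from.
monitor session 1 source interface FastEthernet0/1 both
monitor session 1 destination interface FastEthernet0/24
!
! The sensor's sniffing port. It carries no IP address on the sensor side,
! so the sensor cannot be addressed or attacked through it. A SPAN
! destination port does not forward frames the sensor transmits, which is
! why management must go over a separate "comms" port.
interface FastEthernet0/24
 description NIDS sniff port (SPAN destination)
!
! The sensor's management port: an ordinary access port on a management VLAN
! (VLAN 99 is an assumption), reachable only from the security staff's hosts.
interface FastEthernet0/23
 description NIDS management port
 switchport mode access
 switchport access vlan 99
```

Check the session with `show monitor session 1` before trusting the sensor. Two caveats apply to this layout: a SPAN destination can be oversubscribed, because a full-duplex 100 Mb source port can deliver up to 200 Mb of mirrored traffic to a 100 Mb destination port, and the switch silently drops what does not fit; a tap avoids that by presenting each direction on its own output, at the cost of two capture NICs or an aggregating tap on the sensor. The hub option shares a half-duplex collision domain with the firewall, so it caps throughput and is only practical on a low-volume link.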