Re: NIDS Recommendations in limited environment...

From: Clint Byrum (clint@spamaps.org)
Date: 08/01/02

• Previous message: Tom D'Aquino: "Re: NIDS Recommendations in limited environment..."
• In reply to: Tom D'Aquino: "Re: NIDS Recommendations in limited environment..."
• Next in thread: Mike Dresser: "Re: NIDS Recommendations in limited environment..."
• Reply: Mike Dresser: "Re: NIDS Recommendations in limited environment..."
• Reply: Tony Wasson: "Re: NIDS Recommendations in limited environment..."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Thu, 1 Aug 2002 12:18:09 -0700
To: Tom D'Aquino <tom_daquino@yahoo.com>
From: Clint Byrum <clint@spamaps.org>

On Thu, Aug 01, 2002 at 11:46:29AM -0700, Tom D'Aquino wrote:
> Clint,
>
> So are you saying that, you need to monitor VLANs that span across several
> switches? I don't quite understand why many client PC's manned by any
> number of people would interfere with the effectiveness of network taps.

Actually, the network taps are fine for installations where there are
multiple switches, or too much traffic for just one IDS to watch.

> Could you elaborate for me? Also, what brand of switch are you using that
> doesn't support the port mirroring functionality you seek? Most quality

Intel Express510. It can only mirror one port at a time, and it loses this
configuration upon reboot.

> switches these days support port mirroring (I don't think you just got
> lucky with the HP switch).
>

Good to hear. About half of all the installations I am dealing with
already have these Intel switches in place... Unfortunately it appears a
mass replacement may be required.

---

• Previous message: Tom D'Aquino: "Re: NIDS Recommendations in limited environment..."
• In reply to: Tom D'Aquino: "Re: NIDS Recommendations in limited environment..."
• Next in thread: Mike Dresser: "Re: NIDS Recommendations in limited environment..."
• Reply: Mike Dresser: "Re: NIDS Recommendations in limited environment..."
• Reply: Tony Wasson: "Re: NIDS Recommendations in limited environment..."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: Caching a sniffer ... reading the recommendation on port mirroring. ... and thus there was a need on managed switches for administrators to ... Attend a course taught by an expert instructor with years of in-the-field ... (Security-Basics) Re: arpwatch ... port mirroring would be the best bet (managable switches necessary) ... >I have recently installed arpwatch on one of our servers. ... - Precisely Define and Implement Network Security ... (Security-Basics) Re: Port mirroring across multiple switches ... RSPAN will do what you need if your switches support it. ... Port mirroring across multiple switches ... > What's the best approach to port mirror traffic from multiple switches? ... > those ports to a hub and put my sniffer on the same hub? ... (Security-Basics) Re: Managed vs unmanaged switch in cluster ... The latency before forwarding is extremely low, ... find it hard to imagine that the switch latency would cause issues. ... Now, not all switches are created equal, and _that_, I can imagine ... I don't know if it does port mirroring or not. ... (comp.os.vms) RE: Port mirroring across multiple switches ... The switches in question aren't Cisco. ... > RSPAN will do what you need if your switches support it. ... Port mirroring across multiple switches ... >> then connect those ports to a hub and put my sniffer on the ... (Security-Basics)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > securityfocus  > focus-ids  > 2002-08