RE: about mirroring port

From: David Vertie (verticalrave@hotmail.com)
Date: 03/21/03

    From: "David Vertie" <verticalrave@hotmail.com>
    To: focus-ids@securityfocus.com
    Date: Fri, 21 Mar 2003 05:47:20 +0000


    There are certain methods available to handle the problem.

    First however, I would recommend that you not try any 'mirroring' or 'port
    spanning' as they call it. This creates numerous problems within a network,
    and results in a bottleneck at the IDS. It also slows down the majority
    speed for users since traffic must be routed to its destination and to the
    IDS.

    On some Cisco routers, I believe that you can use a 'tap port', which allows
    you to connect a high-bandwidth (I believe it is optical) cable to the
    system that will allow you to route all the traffic from the switch down
    onto multiple IDSes (or one IDS if you have hardly any traffic). Usually
    with the multiple IDS distributed network theory, a hardware box breaks up
    traffic and sends it down to multiple boxes running IDS software (i.e.
    Snort); it is then filtered for any intrusion attempts and logged in one
    or more databases.

    Something else special about the tap port that I want to note is that the
    tap port is a one-way connection, so it is just as secure as the special
    cable that people make to establish one-way connections to IDSes.

    I'm not so certain about the commands on the Cisco routers (I'm not too
    familiar with them right now), but I believe that you can find good
    references on Cisco itself. Or rather, books provide lots of information.

    >From: "Rob Shein" <shoten@starpower.net>
    >To: "'SB CH'" <chulmin2@hotmail.com>, <focus-ids@securityfocus.com>
    >Subject: RE: about mirroring port
    >Date: Tue, 18 Mar 2003 22:36:22 -0500
    >
    >Um...
    >
    >If I understand correctly, you're concerned about your aggregate traffic
    >being greater than 100 Mbps, and therefore you will have problems with
    >setting up a snort-based IDS on your switch. It also seems that you're
    >planning on forcing the sum of your network traffic to pass through your
    >snort IDS, to slow down the network traffic. This is because you're
    >concerned that the IDS will not be able to keep up, as it's not very robust
    >hardware.
    >
    >I don't recommend that you do any of this...even if I could come up with an
    >elegant way to transparently force all traffic on your switch to route
    >through one box in its travels, the impact on your network would be
    >horrendous, and the load on the linux box from actually handling the
    >packets (as well as analyzing them) would be worse than if it were merely
    >set up as a standard IDS. Remember, the usability of the network comes
    >first, the IDS comes second; not the other way around. Networks are not
    >installed so that the IDS will have something to do :)
    >
    >Given the hardware you have and the options laid out for you, I would
    >recommend limiting the scope of your IDS monitoring to inbound/outbound
    >internet traffic, or perhaps to a select broadcast domain. Either way, you
    >end up dealing with a lesser amount of traffic, which solves your
    >aggregation problem as well as the challenge of not overloading your IDS
    >hardware.
    >
    > > -----Original Message-----
    > > From: SB CH [mailto:chulmin2@hotmail.com]
    > > Sent: Monday, March 17, 2003 7:37 PM
    > > To: focus-ids@securityfocus.com
    > > Subject: about mirroring port
    > >
    > >
    > >
    > > hello, all.
    > >
    > > I would like to set up an IDS (like Snort) on a mirroring port in a
    > > Cisco Catalyst switch. But all of the network traffic is over 100M, and
    > > my Linux server on which Snort is installed is not such good hardware.
    > >
    > > So I think that when I set up Snort on the mirroring port, all traffic
    > > should go via the Linux server, so the network speed would be slow.
    > >
    > > Question.
    > >
    > > 1. When I set up the mirroring port, would all traffic (for example,
    > > port 2 traffic) be transferred like this, or just copied to the
    > > mirroring port too?
    > >
    > > (1) client --> mirroring port1 --> port 2
    > > (2) client --> port 2
    > > --> mirroring port (copy too)
    > >
    > > 2. Is there any problem when I set Snort at the mirroring port if the
    > > traffic is so high (over 100~200M)?
    > >
    > > 3. Do you know any commands to set up a mirroring port on a Catalyst
    > > 400x (CatOS-based) switch?
    > >
    > >
    > > Thanks in advance.
    > >
    > >
    > > -----------------------------------------------------------
    > > ALERT: Exploiting Web Applications- A Step-by-Step Attack
    > > Analysis Learn why 70% of today's successful hacks involve
    > > Web Application attacks such as: SQL Injection, XSS, Cookie
    > > Manipulation and Parameter
    > > Manipulation.
    > > http://www.spidynamics.com/mktg/webappsecurity71
    > >
    >

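The capacity point that runs through the thread (Rob's "aggregate traffic greater than 100 Mbps" and SB CH's questions 1 and 2) can be checked with a small calculator. The script below is an added example, not code from the list or from any of the posters. The port names and traffic figures in it are constructed, and it rests on one stated simplification: a SPAN destination port can transmit at exactly its line rate and the switch drops everything beyond that uniformly.

```python
"""Estimate whether a SPAN (mirror) session will oversubscribe its destination port.

A mirror port copies frames: each frame is still forwarded to its real
destination, and a second copy is sent out of the SPAN destination port, so the
sensor is never in the forwarding path (SB CH's case (2), not case (1)). The cost
lands on the destination port instead: a full-duplex source link carries traffic
in two directions, and both copies have to leave through the single transmit side
of the destination port. Anything above that port's line rate is dropped by the
switch, and the sensor simply never sees it.

Assumption (a simplification): the destination transmits at exactly its line
rate and everything beyond it is dropped uniformly. Traffic figures below are
constructed for illustration; they are not measurements.
"""
from dataclasses import dataclass
from typing import Iterable, Literal

Direction = Literal["rx", "tx", "both"]


@dataclass(frozen=True)
class SourcePort:
    """One mirrored switch port with its current load in each direction."""
    name: str
    rx_mbps: float  # frames entering the switch on this port
    tx_mbps: float  # frames leaving the switch on this port


def mirrored_load_mbps(sources: Iterable[SourcePort], direction: Direction = "both") -> float:
    """Total bandwidth the SPAN destination must transmit for these sources."""
    if direction not in ("rx", "tx", "both"):
        raise ValueError(f"direction must be rx, tx or both, got {direction!r}")
    total = 0.0
    for port in sources:
        if direction in ("rx", "both"):
            total += port.rx_mbps
        if direction in ("tx", "both"):
            total += port.tx_mbps
    return total


def span_budget(sources: Iterable[SourcePort], dest_mbps: float,
                direction: Direction = "both") -> dict:
    """Compare the mirrored load with the destination port's line rate."""
    if dest_mbps <= 0:
        raise ValueError("destination line rate must be positive")
    load = mirrored_load_mbps(sources, direction)
    # Fraction of mirrored frames the destination port cannot carry.
    dropped = 0.0 if load <= dest_mbps else 1.0 - dest_mbps / load
    return {
        "mirrored_mbps": load,
        "utilisation": load / dest_mbps,
        "dropped_fraction": dropped,
        "fits": load <= dest_mbps,
    }


# Constructed example: a small Catalyst with a busy Internet uplink and two servers.
UPLINK = SourcePort("2/1", rx_mbps=70.0, tx_mbps=40.0)
SERVERS = (
    SourcePort("2/5", rx_mbps=30.0, tx_mbps=55.0),
    SourcePort("2/6", rx_mbps=20.0, tx_mbps=25.0),
)


def example_plans(dest_mbps: float = 100.0) -> dict:
    """Three ways of scoping the same session, from widest to narrowest."""
    return {
        "everything, both directions": span_budget((UPLINK, *SERVERS), dest_mbps),
        "uplink only, both directions": span_budget((UPLINK,), dest_mbps),
        "uplink only, inbound (rx)": span_budget((UPLINK,), dest_mbps, "rx"),
    }


if __name__ == "__main__":
    for speed in (100.0, 1000.0):
        print(f"SPAN destination at {speed:g} Mbit/s")
        for label, result in example_plans(speed).items():
            print(f"  {label:30s} load={result['mirrored_mbps']:6.1f} Mbit/s "
                  f"util={result['utilisation']:4.2f} "
                  f"dropped={result['dropped_fraction']:.0%} "
                  f"{'ok' if result['fits'] else 'OVERSUBSCRIBED'}")
```

Running it shows that mirroring both directions of every port into a 100 Mbit/s destination needs 240 Mbit/s, so more than half the frames never reach the sensor even though users notice nothing; scoping the session to the uplink, as Rob suggests, or moving the destination to a gigabit port brings the load back under the line rate. On CatOS the session itself is created with `set span <source ports> <destination port> [rx|tx|both]` and inspected with `show span`; that syntax is general CatOS usage and is not something the thread itself supplies.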
