Network Tappers, IDS, etc.

From: Tim Hanekamp (thanekamp_at_gmail.com)
Date: 10/02/04

  • Next message: Alex Butcher, ISC/ISYS: "Re: Snort"
    Date: Fri, 1 Oct 2004 20:21:39 -0500
    To: focus-ids@securityfocus.com
    
    

    Hi-
    I have been put in charge of selecting and deploying two IDS systems
    here at our corporate office. I need to have two options for trial
    purposes. I decided to have both of these IDSs be based upon the
    Snort technology since I am most familiar with it, and have already
    found two products to fulfil this requirement. I plan on running each
    one for two weeks up to a month to make my final report, which I will
    deliver to management so they can pick which one they would like to
    put their money towards.

    My next task is to select the hardware for this project. I was
    wondering if I could get some advice for this. There are five things
    I will need to purchase. The two servers that will be the snort
    "sensors" and will sniff the packets and send to the central database
    (I plan on installing one outside of the firewall and one inside), the
    server which will host the central database, and two network taps
    which will duplicate the traffic coming off of our wires to the
    sensors. I plan on getting a pretty hefty server to use as the
    database server at the recommendation of both of the representatives
    for these two products. However, when I questioned them about the
    requirements for the sensors they seemed to think it didn't really
    matter, and that it would be able to handle it either way. I couldn't
    get a direct answer.

    I was wondering if someone with experience deploying Snort in a medium
    traffic environment could offer some input as to what the optimal
    specifications of a server should be that will just be sniffing out
    traffic to send to a database, as far as processor speed and amount of
    memory. We currently have a DS3 coming into the office.

    Also, I would like any information available on network taps. We do
    not have any more SPAN ports available on our switch so this is not an
    option and this needs to be done professionally (i.e. I cannot just
    throw a hub on our network rack). Where should I start looking for
    network taps and what price range should I be looking at? I would
    like the tap to be capable of 100Mb lan connections; GigE is
    unnecessary. Are there single taps that I could use for the purpose
    of mirroring traffic from two separate lines to two separate servers?
    Or must I buy two?

    All responses are appreciated. Thanks.

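The sensor-sizing question in the post (whether a Snort sensor "can handle it either way" on a DS3) is answerable by two checks rather than vendor assurances: the worst-case packet rate the link can deliver, and whether the sensor actually drops packets once it is running. The following script is an added example and is not part of the original post or of Snort. It assumes the DS3 line rate (44.736 Mbit/s), the minimum Ethernet frame size including preamble and inter-frame gap (84 bytes on the wire), and the layout of the "Packet Wire Totals" block that Snort 2.x prints at shutdown; the statistics block it parses is constructed sample text, not real sensor output.

```python
"""Capacity and drop checks for a tap-fed Snort sensor (added example).

1. Worst-case packets/second a saturated link can present to the sensor.
   A DS3 is 44.736 Mbit/s; the smallest Ethernet frame occupies 84 bytes
   on the wire (64-byte frame + 8-byte preamble + 12-byte inter-frame gap).
2. Parse Snort's end-of-run "Packet Wire Totals" block and flag drops.
   The block layout is assumed from Snort 2.x; the sample below is constructed.
"""
import re

DS3_BPS = 44_736_000                 # DS3 line rate in bits per second (assumption)
MIN_WIRE_FRAME_BYTES = 64 + 8 + 12   # minimum Ethernet frame incl. preamble and IFG


def max_pps(link_bps=DS3_BPS, frame_bytes=MIN_WIRE_FRAME_BYTES):
    """Worst-case packets per second: the link full of minimum-size frames.

    This, not the average bit rate, is what the capture path and the
    detection engine must keep up with during a small-packet flood.
    """
    return link_bps // (frame_bytes * 8)


def ring_buffer_bytes(seconds, link_bps=DS3_BPS):
    """Capture buffer needed to absorb `seconds` of a saturated link without loss."""
    return seconds * link_bps // 8


# Constructed sample of the statistics Snort 2.x prints at shutdown.
SAMPLE_STATS = """\
===============================================================================
Packet Wire Totals:
   Received:      1203455
   Analyzed:      1201010 (99.797%)
    Dropped:         2445 ( 0.203%)
Outstanding:            0 (  0.000%)
===============================================================================
"""

STAT_RE = re.compile(r"^\s*(Received|Analyzed|Dropped):\s+(\d+)", re.M)


def parse_wire_totals(text):
    """Return {'Received': n, 'Analyzed': n, 'Dropped': n} from a stats block."""
    return {name: int(count) for name, count in STAT_RE.findall(text)}


def drop_ratio(stats):
    """Fraction of received packets the sensor dropped (0.0 if nothing received)."""
    received = stats.get("Received", 0)
    return stats.get("Dropped", 0) / received if received else 0.0


def sensor_ok(text, max_drop_ratio=0.001):
    """True when the sensor dropped no more than max_drop_ratio of its traffic.

    Any sustained drop rate means the sensor is undersized for the link;
    a dropped packet is an attack the IDS never saw.
    """
    return drop_ratio(parse_wire_totals(text)) <= max_drop_ratio


if __name__ == "__main__":
    print(f"worst-case DS3 packet rate: {max_pps():,} pps")
    print(f"buffer for 2 s of a saturated DS3: {ring_buffer_bytes(2):,} bytes")
    stats = parse_wire_totals(SAMPLE_STATS)
    print(f"sample sensor drop ratio: {drop_ratio(stats):.4%}, "
          f"acceptable at 0.1%: {sensor_ok(SAMPLE_STATS)}")
```

Run the trial sensors under real load and read the "Packet Wire Totals" block (or the periodic performance statistics) before choosing hardware; a sensor that shows any drops on the DS3 needs more CPU, a larger capture buffer, or a lighter rule set. Note also that a tap on a full-duplex link emits each direction on a separate output, so a non-aggregating tap needs two capture interfaces on the sensor.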

