RE: Network Tappers

From: Andy Cuff (lists_at_securitywizardry.com)
Date: 10/05/04

    To: "'Tim Hanekamp'" <thanekamp@gmail.com>, <focus-ids@securityfocus.com>
    Date: Tue, 5 Oct 2004 19:10:27 +0100
    
    

    Hi Tim,
    There are many on the list better qualified than I to talk server specs with
    you. But I have been down the same road as you regarding taps; I have
    compiled a list of every known tap, including their capabilities, here:
    http://securitywizardry.com/taps.htm

    Another option to consider is to use your switches with a span/mirror port;
    I've collated the syntax for configuring this in most of the popular
    switches here: http://securitywizardry.com/switch.htm

    One very important consideration is what to do with the IDS once it is in:
    how will you monitor it and react to what it throws up? I wrote an article
    for SecurityFocus on deploying IDS; things have moved on since, but much of
    it is still relevant: http://www.securityfocus.com/infocus/1754

       Regards
       -andy cuff
    The Talisker Network Security Portal
    http://securitywizardry.com

    Computer Network Defence Ltd


