Re: Auto-sensing for IPS devices

From: Sap . (0xsapx0_at_gmail.com)
Date: 09/16/05

    Date: Fri, 16 Sep 2005 09:14:15 -0700
    To: "McKinley, Jackson" <Jackson.McKinley@team.telstra.com>
    
    

    Auto-Negotiation is essential in larger networks. When you are talking
    about 1000s of switch ports and PCs connecting/disconnecting
    constantly (think public campus), how could you ever enforce a rule
    like "OK, set your NIC to 100/Full before you connect"?

    However, for servers I believe it is a best practice to manually set
    the ports at whatever they need to be.

    Sap

    On 9/15/05, McKinley, Jackson <Jackson.McKinley@team.telstra.com> wrote:
    > I agree with Lachlan.
    > Auto neg is the best bet in larger networks I find from personal
    > experience. I can't count the number of times I've seen Foundry and Cisco
    > mismatch when attempting to auto neg. Working from past exp, when a
    > customer plugs into your network with a "no brand" switch / device
    > (think colo datacentres) the first thing I always looked for was stupid
    > MTU settings and duplex mismatch.
    >
    > Although in a nice all-Cisco or all-Foundry or all-
    > whateverotherbrandyoulike environment I'm sure auto neg would work much
    > better. I've just never had the pleasure of working in a centre like
    > that ;) hahaha
    >
    > Cheers,
    >
    > Jack.
    >
    > -----Original Message-----
    > From: Joel M Snyder [mailto:Joel.Snyder@Opus1.COM]
    > Sent: Thursday, 15 September 2005 4:36 PM
    > To: Lachlan Bowes
    > Cc: focus-ids@securityfocus.com
    > Subject: Re: Auto-sensing for IPS devices
    >
    > I disagree that it is *always* a good idea. I think that it's
    > *occasionally* a good idea. Either the standard for auto-sensing works
    > or it doesn't. If you have defective hardware that doesn't work right,
    > then it's better to know about it than to patch around the problem---are
    > you going to set every single port on a flaky switch? Or should you
    > get rid of the switch?
    >
    > However, if you decide that it *is* a good idea, just a reminder that
    > you MUST set BOTH speed and duplex settings and you MUST set BOTH
    > settings on BOTH sides. There is no concept in 802.3 of having only one
    > side autonegotiate and 'learn' what the other side wants.
    >
    > If you take one side out of auto-negotiate mode and hard code a
    > speed/duplex setting, the other side has no way of figuring out what you
    > did.
    >
    > I have seen people who think that they're making things more reliable
    > actually break their networks by only setting one side of the connection
    > and assuming that the other will follow along magically.
    >
    > jms
    >
    > --
    > Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
    > Phone: +1 520 324 0494 (voice) +1 520 324 0495 (FAX)
    > jms@Opus1.COM http://www.opus1.com/jms Opus One
    >
    > ------------------------------------------------------------------------
    > Test Your IDS
    >
    > Is your IDS deployed correctly?
    > Find out quickly and easily by testing it with real-world attacks from
    > CORE IMPACT.
    > Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    > to learn more.
    > ------------------------------------------------------------------------


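The rule Joel spells out above (set both speed and duplex on both ends, or a hard-coded end and an auto-negotiating end will disagree) can be modelled directly. The following is an added example and not code from anyone in this thread; the Port class and resolve() function are this example's own, and it generalises the 100/Full case to any hard-coded 10/100 setting: an auto-negotiating end can parallel-detect its peer's speed from the line signalling but never its duplex, so it falls back to half duplex.

```python
# Added example (not from the thread): a small model of how an 802.3 link
# resolves when each end is either auto-negotiating or hard-coded.
# The parallel-detection fallback (auto end sees no negotiation pulses,
# learns only the speed, assumes half duplex) is the standard's behaviour;
# the Port class and the return format are this example's own choices.
from dataclasses import dataclass

# Preference order used when both ends auto-negotiate (best first).
PRIORITY = [(1000, "full"), (1000, "half"), (100, "full"), (100, "half"),
            (10, "full"), (10, "half")]


@dataclass(frozen=True)
class Port:
    auto: bool                 # True = auto-negotiate, False = hard-coded
    speed: int = 0             # forced speed in Mb/s (10 or 100) when auto=False
    duplex: str = ""           # forced duplex ("full"/"half") when auto=False
    advertised: frozenset = frozenset(PRIORITY)  # modes offered when auto=True


def resolve(a: Port, b: Port):
    """Return (link_up, a_mode, b_mode, duplex_mismatch) for a cable between a and b.

    A mode is a (speed, duplex) tuple; None when the link does not come up.
    """
    if a.auto and b.auto:
        # Both ends exchange their ability lists; highest common mode wins.
        common = [m for m in PRIORITY if m in a.advertised and m in b.advertised]
        if not common:
            return (False, None, None, False)
        return (True, common[0], common[0], False)
    if not a.auto and not b.auto:
        # Both hard-coded: speeds must agree or there is no link at all;
        # duplex is never checked by the hardware, so it can silently differ.
        if a.speed != b.speed:
            return (False, None, None, False)
        return (True, (a.speed, a.duplex), (b.speed, b.duplex), a.duplex != b.duplex)
    # One end forced, one end auto: the auto end receives no negotiation pulses,
    # detects only the speed of the incoming signal (parallel detection, which
    # exists for 10 and 100 Mb/s only) and must assume half duplex.
    forced, auto = (a, b) if not a.auto else (b, a)
    if forced.speed not in (10, 100) or forced.speed not in {s for s, _ in auto.advertised}:
        return (False, None, None, False)
    detected = (forced.speed, "half")
    forced_mode = (forced.speed, forced.duplex)
    a_mode, b_mode = (forced_mode, detected) if forced is a else (detected, forced_mode)
    return (True, a_mode, b_mode, forced.duplex != "half")
```

A True in the last field is the duplex mismatch that shows up in the field as late collisions and CRC errors on the full-duplex side and a link that "works" but crawls under load.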