Re: IPS and Trunking
- From: Eric Hines <eric.hines@xxxxxxxxxxxxxxxx>
- Date: Thu, 08 Feb 2007 17:00:07 -0600
Trav_2:
You're talking about two separate things.
1) Cisco is a switch and you're talking about a mirror/span port.
Though, network taps > Span ports :)
2) It's not the IDS/IPS that is performing that capability, it's the
switch. So it's inaccurate to ask if the IDS/IPS vendors you mentioned
can do the same thing. A span port doesn't care what's hooked up to it,
whether it's Snort or a sniffer.
Hope this helps.
Best Regards,
Eric Hines, GCIA, CISSP
CEO, President
Applied Watch Technologies, LLC
1095 Pingree Road
Suite 221
Crystal Lake, IL 60014
Toll Free: (877) 262-7593
Fax: (847) 854-5106
Cell: (847) 456-6785
Web: www.appliedwatch.com
Andrew Plato wrote:
If you create a mirror port and plug in any IPS/IDS, it will see the
traffic. TippingPoint, ISS, etc. All can do that.
Also, pretty much any decent managed switch can have mirror ports. This
is not unique to Cisco.
Keep in mind, you cannot do real-time IPS (intrusion prevention) in any
reliable manner this way. You have to be IN-LINE to do real-time
blocking and filtering. Passive monitoring off a mirror port only allows
you to send RSTs to stop stuff, and that is not a very reliable way to
block bad stuff.
___________________________________
Andrew Plato, CISSP, CISM
President/Principal Consultant
Anitian Enterprise Security
-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of trav_2@xxxxxxxxxxx
Sent: Monday, February 05, 2007 10:44 AM
To: focus-ids@xxxxxxxxxxxxxxxxx
Subject: IPS and Trunking
Cisco has a great feature where I can configure all traffic on a switch
to go to a trunk port, plug in the IPS/IDS to the trunk port and see all
traffic. Can other vendors, such as Sourcefire, TippingPoint, ISS do
this?
Thanks,
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaig
n=intro_sfw
to learn more.
------------------------------------------------------------------------