Firewall Wizards mailing list archives

RE: The devil's in the details


From: "Brian W. Laing" <BLAING () iss net>
Date: Wed, 14 Jul 1999 12:04:25 +0100

Matt,

        I have written a 1-page doc on this; if you would like it, just drop me an
email.  However, switch manufacturers have thought of this: it is generally
called a span or mirror port.  You can also use devices called taps.
        All of these solutions suffer from the fact that you will need to
consolidate several connections into the IDS.  This is where the "good luck"
laugh comes from.  Taking several 100 Mbps ports and funneling them down to a
single 100 Mbps port can lead to all kinds of interesting things happening.  It
can be done depending on the network utilization and other variables, but
you could end up with dropped packets due to an overload in the total number of
packets per second.

Cheers,
Brian


-----Original Message-----
From: owner-firewall-wizards () nfr net
[mailto:owner-firewall-wizards () nfr net]On Behalf Of Matt Dunn
Sent: Tuesday, July 13, 1999 6:14 AM
To: firewall-wizards () nfr net
Subject: The devil's in the details


Hi all,

I'm doing some preliminary planning for a security configuration, and I
have what may be a silly question about setting up an IDS. I looked around
a bit, and even asked a couple of people (who laughed, but it didn't sound
like it was because the question was silly, more of a 'good luck' kind of
laugh.)

My problem is that a couple of my networks involve switches, which, as part
of the new and improved security policy, will involve VLANs.

I could throw the IDS on a hub with the firewall and connect that to the
switch, but that doesn't do anything for internal threats (which are what
is necessitating the VLANs.)

Has anyone figured out a good way to set something like this up? Ideally,
some switch manufacturer would have thought of this ahead of time, and made
a port on the switch that dumped all the packets, but then you're dealing
with packet loss unless that one port is significantly faster than the rest
of the switch. I could try to figure out some policy-based configuration,
but I don't want to go buy a gigabit plane for each of my switches, and it
doesn't sit right with me to depend on the switch management elements for
the completeness of my security data.

Any responses would be appreciated.

-Matt
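Both messages above turn on the same point: a span/mirror port that copies several links into one IDS sensor link is oversubscribed, and whether packets are actually lost depends on utilization, burstiness and the buffer in front of the mirror port. The following model is an added illustration and is not code from the thread or from any vendor. It is a small discrete-time simulation of a mirror port with a finite buffer; the port speeds, per-slot utilizations, buffer sizes and average packet size are all constructed values, and the assumption that the mirror port drains at exactly line rate with one shared buffer is a simplification of how real switch ASICs queue mirrored traffic.

```python
"""
Added illustration: several 100 Mbps source ports mirrored into one 100 Mbps
IDS link.  Each time slot, the bytes offered by all mirrored ports enter a
finite buffer in front of the mirror port; the port then drains at most its
line rate.  Bytes that do not fit in the buffer are dropped.  All numbers
are constructed for illustration, not measured from any device.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class SourcePort:
    name: str
    link_mbps: float
    utilisation: List[float]  # fraction of the link in use, one entry per time slot


def oversubscription_ratio(ports: List[SourcePort], mirror_mbps: float) -> float:
    """Sum of mirrored link speeds divided by the mirror port speed.

    A ratio above 1.0 means that, at full load, the mirror port cannot keep up;
    whether it actually drops depends on real utilisation and buffering.
    """
    return sum(p.link_mbps for p in ports) / mirror_mbps


def bytes_per_slot(mbps: float, slot_ms: float) -> float:
    """Bytes a link carries at full line rate in one time slot."""
    return mbps * 1e6 / 8 * slot_ms / 1000


def simulate_mirror_port(ports: List[SourcePort], mirror_mbps: float,
                         buffer_bytes: float, slot_ms: float = 1.0,
                         avg_packet_bytes: float = 500) -> Dict[str, float]:
    """Run the mirrored traffic through a finite buffer and a line-rate drain.

    Returns offered/forwarded/dropped byte counts, the average offered rate in
    Mbps, and the peak packets-per-second the sensor would have to absorb.
    """
    slots = len(ports[0].utilisation)
    drain = bytes_per_slot(mirror_mbps, slot_ms)  # max bytes the mirror port sends per slot
    queue = offered = forwarded = dropped = 0.0
    peak_pps = 0.0
    for t in range(slots):
        arriving = sum(bytes_per_slot(p.link_mbps, slot_ms) * p.utilisation[t]
                       for p in ports)
        offered += arriving
        peak_pps = max(peak_pps, arriving / avg_packet_bytes * 1000 / slot_ms)
        # Arrivals enter the shared buffer; anything beyond its size is tail-dropped.
        queue += arriving
        overflow = max(0.0, queue - buffer_bytes)
        dropped += overflow
        queue -= overflow
        # The mirror port then forwards up to one slot's worth of line rate.
        sent = min(queue, drain)
        forwarded += sent
        queue -= sent
    return {
        "offered_bytes": offered,
        "forwarded_bytes": forwarded,
        "dropped_bytes": dropped,
        "avg_offered_mbps": offered * 8 * 1000 / (slots * slot_ms) / 1e6,
        "peak_pps": peak_pps,
    }


def constructed_scenario() -> List[SourcePort]:
    """Constructed sample: two ports burst for 2 ms, a third idles along at 25%."""
    return [
        SourcePort("fa0/1", 100, [0.75, 0.75, 0.0, 0.0, 0.0]),
        SourcePort("fa0/2", 100, [0.75, 0.75, 0.0, 0.0, 0.0]),
        SourcePort("fa0/3", 100, [0.25, 0.25, 0.25, 0.25, 0.25]),
    ]


if __name__ == "__main__":
    ports = constructed_scenario()
    print("oversubscription ratio:", oversubscription_ratio(ports, 100))
    for buf in (30000, 60000):
        r = simulate_mirror_port(ports, 100, buffer_bytes=buf)
        print(f"buffer={buf} bytes: avg offered {r['avg_offered_mbps']:.1f} Mbps, "
              f"peak {r['peak_pps']:.0f} pps, dropped {r['dropped_bytes']:.0f} bytes")
```

The point the simulation makes is the one Brian's reply gestures at: in the constructed scenario the average offered load is only 85 Mbps, well under the 100 Mbps mirror port, yet with a 30 KB buffer the 2 ms burst still causes drops, while a 60 KB buffer absorbs it. When sizing a span-port IDS, measure peak per-port utilization and packet rate rather than averages, and treat the mirror port's counters (or a tap feeding a sensor with a faster uplink) as the check that the sensor is actually seeing complete traffic.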


