Firewall Wizards mailing list archives

Re: The devil's in the details


From: czarcone () rpm com
Date: Thu, 22 Jul 1999 09:08:33 -0400



Tina,

Hmmm... The destination SPAN port receives a mirror of TX/RX/both traffic from
another port. According to Cisco's literature, however, your SPAN port can
simultaneously participate in another Vlan, including the same Vlan as the
monitored port. With respect to the SPAN port, you can enable its normal inbound
traffic in addition to any spanned mirror traffic, but Cisco doesn't say
anything about outbound traffic. I've never tried it, so it might be worth a lab
experiment or two...

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat5000/rel_4_5/config/span.htm

You could also get pretty creative with the physical cabling if you have your
own raw materials and a crimping tool. You could create a custom three-way cable
with the RX wiring connected to the SPAN port and the TX wiring connected to
another port on your perimeter Vlan. I've done things similar to this in the
past (mainly for a receive-only SYSLOG machine) but never tried it for IDS
purposes.
Might be worth ANOTHER lab experiment...

And I suppose we could just do away with SPAN ports altogether and use vampire
taps (the ORIGINAL SPAN port :-). Of course, they have become a little more
sophisticated than the days of Thickwire. At least one vendor I know of
(Shomiti) makes a range of 10/100 inline taps...

I still call them vampire taps, though...

Regards,

Chris

Christopher Zarcone
Network Security Consultant
RPM Consulting, Inc.
#include <std.disclaimer.h>
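As an added illustration (not part of the original message or of Cisco's documentation), this is the switch-side configuration the reply above describes for a Catalyst 5000 running CatOS: mirror both directions of a monitored port to the SPAN destination port, and allow the destination port to keep accepting its normal inbound traffic. Module/port numbers are hypothetical; the `set span ... inpkts enable` form is the CatOS syntax of that era, and `show span` is the check to run afterwards.

```text
! Constructed example: mirror TX and RX of port 3/1 to port 3/12,
! and keep normal inbound traffic on 3/12 enabled (the "inpkts" option).
set span 3/1 3/12 both inpkts enable

! Verify the session, the direction being mirrored and the inpkts state.
show span

! To tear the session down again:
set span disable
```

Whether frames injected by the monitoring host actually leave the switch through a SPAN destination port in this configuration is exactly the point the message leaves open, so treat the lab experiment it suggests as the real test, not the config.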






Tina Lamias <tina.lamias () motorola com> on 07/21/99 09:23:38 PM

To:      Chris Zarcone/RPM@RPM
cc:      firewall-wizards () nfr net
Subject: Re: The devil's in the details

Christopher,

But the 'span' does not allow you to send a reset to any *bad*
connection attempt does it?? I believe this is why we had to go with a
hub in a certain instance...we could 'watch' but not 'act.'

--Tina
