IDS mailing list archives
RE: IPS and Trunking
From: "Michaelson, Andrew J" <amichaelson () co pinellas fl us>
Date: Fri, 9 Feb 2007 09:42:26 -0500
We're looking into Tippingpoint, and they stated that sometime in March they will be releasing an update that will allow separate policies per VLAN. If connected to a trunk port, you'd be able apply a separate policy for each VLAN passing through the device. I think the original question relates to the Cisco IPS' ability to route 802.1Q traffic, so logically, the IPS is in-line as opposed to listening on a mirror port. Here's a link to more info on the subject: http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configura tion_example09186a0080671a8d.shtml I would also be interested in hearing more on this topic. Andy Michaelson, CISSP, SnortCP Sr. Security Analyst Pinellas County Government -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Eric Hines Sent: Thursday, February 08, 2007 6:00 PM To: Andrew Plato Cc: trav_2 () hotmail com; focus-ids () securityfocus com Subject: Re: IPS and Trunking -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Trav_2: You're talking about two separate things. 1) Cisco is a switch and you're talking about a mirror/span port. Though, network taps > Span ports :) 2) Its not the IDS/IPS that is performing that capability, its the switch. So its inaccurate to ask if the IDS/IPS vendors you mentioned can do the same thing. A span port doesn't care whats hooked up to it, whether its Snort or a sniffer. Hope this helps. Best Regards, Eric Hines, GCIA, CISSP CEO, President Applied Watch Technologies, LLC 1095 Pingree Road Suite 221 Crystal Lake, IL 60014 Toll Free: (877) 262-7593 Fax: (847) 854-5106 Cell: (847) 456-6785 Web: www.appliedwatch.com Andrew Plato wrote:
If you create a mirror port and plug in any IPS/IDS, it will see the traffic. TippingPoint, ISS, etc. All can do that. Also, pretty much any decent managed switch can have mirror ports. This is not unique to Cisco. Keep in mind, you cannot do real-time IPS (intrusion prevention) in any reliable manner this way. You have to be IN-LINE to do real-time blocking and filtering. Passive monitoring off a mirror port only allows you to send RSTs to stop stuff, and that is not a very reliable
way to block bad stuff. ___________________________________ Andrew Plato, CISSP, CISM President/Principal Consultant Anitian Enterprise Security -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of trav_2 () hotmail com Sent: Monday, February 05, 2007 10:44 AM To: focus-ids () securityfocus com Subject: IPS and Trunking Cisco has a great feature where I can configure all traffic on a switch to go to a trunk port, plug in the IPS/IDS to the trunk port and see all traffic. Can other vendors, such as Sourcefire, TippingPoint, ISS do this? Thanks, ---------------------------------------------------------------------- -- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campa ig n=intro_sfw to learn more. ---------------------------------------------------------------------- -- ---------------------------------------------------------------------- -- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campa ign=intro_sfw to learn more. ---------------------------------------------------------------------- --
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFy6t31va6QYTV0EMRAuSkAJ4+1WTm+ugpOAK4Ghzv8ooYyFYi1gCfSC69 cXQfDMCJ7O14l+ZnE/lpTsY= =ego2 -----END PGP SIGNATURE----- ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaig n=intro_sfw to learn more. ------------------------------------------------------------------------ ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
Current thread:
- IPS and Trunking trav_2 (Feb 08)
- RE: IPS and Trunking Andrew Plato (Feb 08)
- Re: IPS and Trunking Eric Hines (Feb 08)
- Re: IPS and Trunking Gary Halleen (Feb 12)
- RE: IPS and Trunking John Coke (Feb 12)
- Re: IPS and Trunking Eric Hines (Feb 08)
- Re: IPS and Trunking Paul daSilva (Feb 08)
- Re: IPS and Trunking Jason (Feb 12)
- <Possible follow-ups>
- Re: IPS and Trunking levinson_k (Feb 08)
- RE: IPS and Trunking Andy Cuff (Feb 08)
- RE: IPS and Trunking Michaelson, Andrew J (Feb 12)
- RE: IPS and Trunking Chris Brown (Feb 12)
- RE: IPS and Trunking Luis Lopez Sanchez (Feb 13)
- Re: RE: IPS and Trunking vijay . upadhyaya (Feb 15)
- RE: IPS and Trunking Andrew Plato (Feb 08)