IDS mailing list archives

RE: IPS and Trunking

From: "Andy Cuff" <lists () securitywizardry com>
Date: Thu, 8 Feb 2007 20:51:24 -0000

Hi Trav,
Put this together a while back to detail how to do this with a number of
vendor switches
http://www.securitywizardry.com/switch.htm
The advent of switched networks resulted in Network IDS having great
difficulty in promiscuously monitoring their networks. This was overcome by
configuring a switch to replicate the data from all ports or VLAN's onto a
single port.  This function has a multitude of names including; Port
Mirroring, Monitoring Port, Spanning Port, SPAN port and Link Mode port.
Generally Port Mirroring usually indicates the ability to copy the traffic
from a single port to a mirror port but disallows any type of bidirectional
traffic on the port.
Spanning Port usually indicates the ability to copy traffic from all the
ports to a single port but also typically disallows bidirectional traffic on
the port. In the case of Cisco, SPAN stands for Switch Port ANalyzer. Some
switches do not allow SPAN ports to transmit packets, this is an issue if
you wish to use IDS TCP countermeasures such as resets.  It may also be
worth looking at Network Taps which allow you to tap into a network, taking
a parallel feed for the Network IDS

Regards

Andy Cuff
Managing Director / CEO
Computer Network Defence Ltd
www.SecurityWizardry.com
Tel 0870 321 9014
Mob 0701 070 9014
International +44 1225 811777

-----Original Message-----
From: listbounce () securityfocus com 
[mailto:listbounce () securityfocus com] On Behalf Of trav_2 () hotmail com
Sent: 08 February 2007 18:04
To: focus-ids () securityfocus com
Subject: IPS and Trunking

Cisco has a great feature where I can configure all traffic 
on a switch to go to a trunk port, plug in the IPS/IDS to the 
trunk port and see all traffic. Can other vendors, such as 
Sourcefire, TippingPoint, ISS do this?

Thanks,

--------------------------------------------------------------
----------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world 
attacks from CORE IMPACT.
Go to 
http://www.coresecurity.com/index.php5?module=Form&action=impa
ct&campaign=intro_sfw
to learn more.
--------------------------------------------------------------
----------



------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------

Current thread:

IPS and Trunking trav_2 (Feb 08)
- RE: IPS and Trunking Andrew Plato (Feb 08)
  - Re: IPS and Trunking Eric Hines (Feb 08)
    - Re: IPS and Trunking Gary Halleen (Feb 12)
  - RE: IPS and Trunking John Coke (Feb 12)
- Re: IPS and Trunking Paul daSilva (Feb 08)
- Re: IPS and Trunking Jason (Feb 12)
- <Possible follow-ups>
- Re: IPS and Trunking levinson_k (Feb 08)
- RE: IPS and Trunking Andy Cuff (Feb 08)
- RE: IPS and Trunking Michaelson, Andrew J (Feb 12)
- RE: IPS and Trunking Chris Brown (Feb 12)
- RE: IPS and Trunking Luis Lopez Sanchez (Feb 13)
- Re: RE: IPS and Trunking vijay . upadhyaya (Feb 15)