IDS mailing list archives
RE: IPS and Trunking
From: "Andy Cuff" <lists () securitywizardry com>
Date: Thu, 8 Feb 2007 20:51:24 -0000
Hi Trav, Put this together a while back to detail how to do this with a number of vendor switches http://www.securitywizardry.com/switch.htm The advent of switched networks resulted in Network IDS having great difficulty in promiscuously monitoring their networks. This was overcome by configuring a switch to replicate the data from all ports or VLAN's onto a single port. This function has a multitude of names including; Port Mirroring, Monitoring Port, Spanning Port, SPAN port and Link Mode port. Generally Port Mirroring usually indicates the ability to copy the traffic from a single port to a mirror port but disallows any type of bidirectional traffic on the port. Spanning Port usually indicates the ability to copy traffic from all the ports to a single port but also typically disallows bidirectional traffic on the port. In the case of Cisco, SPAN stands for Switch Port ANalyzer. Some switches do not allow SPAN ports to transmit packets, this is an issue if you wish to use IDS TCP countermeasures such as resets. It may also be worth looking at Network Taps which allow you to tap into a network, taking a parallel feed for the Network IDS Regards Andy Cuff Managing Director / CEO Computer Network Defence Ltd www.SecurityWizardry.com Tel 0870 321 9014 Mob 0701 070 9014 International +44 1225 811777
-----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of trav_2 () hotmail com Sent: 08 February 2007 18:04 To: focus-ids () securityfocus com Subject: IPS and Trunking Cisco has a great feature where I can configure all traffic on a switch to go to a trunk port, plug in the IPS/IDS to the trunk port and see all traffic. Can other vendors, such as Sourcefire, TippingPoint, ISS do this? Thanks, -------------------------------------------------------------- ---------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impa ct&campaign=intro_sfw to learn more. -------------------------------------------------------------- ----------
------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
Current thread:
- IPS and Trunking trav_2 (Feb 08)
- RE: IPS and Trunking Andrew Plato (Feb 08)
- Re: IPS and Trunking Eric Hines (Feb 08)
- Re: IPS and Trunking Gary Halleen (Feb 12)
- RE: IPS and Trunking John Coke (Feb 12)
- Re: IPS and Trunking Eric Hines (Feb 08)
- Re: IPS and Trunking Paul daSilva (Feb 08)
- Re: IPS and Trunking Jason (Feb 12)
- <Possible follow-ups>
- Re: IPS and Trunking levinson_k (Feb 08)
- RE: IPS and Trunking Andy Cuff (Feb 08)
- RE: IPS and Trunking Michaelson, Andrew J (Feb 12)
- RE: IPS and Trunking Chris Brown (Feb 12)
- RE: IPS and Trunking Luis Lopez Sanchez (Feb 13)
- Re: RE: IPS and Trunking vijay . upadhyaya (Feb 15)
- RE: IPS and Trunking Andrew Plato (Feb 08)