Snort mailing list archives
RE: switch
From: counter.spy () gmx de
Date: Wed, 15 May 2002 18:45:49 +0200 (MEST)
*sigh* Maybe someone could add this to the FAQ, since I am getting somewhat bored with this switching, tapping, full-duplex, port mirroring, datastream merging and stateful inspection stuff ;)

Already in the FAQ:

Q: I'm on a switched network, can I still use Snort?
A: Being able to sniff on a switched network depends on what type of switch is being used. If the switch can mirror traffic, then set the switch to mirror all traffic to the snort machine's port.

Extended version:

A: There are several ways of deploying NIDS in switched environments, which all have their pros and cons. Which method applies to your needs depends on what kind of segments you want to monitor and on your budget. Here are the most common methods:

method 1)
-if the switch can mirror traffic, then set the switch to mirror all traffic to the snort machine's port.
pros:
-simple method, works with most decent switches.
drawbacks:
-if the switch is a fast ethernet switch, you can mirror 100Mbit/s max. Since each switchport is capable of handling 100Mbit/s for each direction, the bandwidth per port sums up to 200Mbit/s, so the switch will not be able to mirror all packets at high network utilization.
-another drawback is the fact that some switches suffer from performance degradation through port mirroring.

method 2)
-inserting a hub in line, so you can simply tap all traffic off the hub.
pros:
-simple method
-no impact on switch performance and no need for special configuration
drawbacks:
-loss of full-duplex capabilities
-additional single point of failure

method 3)
-using network taps (such as those of shomiti/finisar and netoptics)
pros:
-no impact on switch performance and no need for special configuration
-stealth, ie sending data back to the switch (by the NIDS) is physically prevented
-no single point of failure; the tap is "fail-open" so that the productive link is not interrupted if the power of the tap fails
drawbacks:
-the datastream is split into TX and RX, so you need two interfaces (NICs) on the NIDS for each monitored switchport.
-the two datastreams have to be recombined, ie merged, if you don't want to lose the capability of doing stateful analysis. This can be achieved by using channel bonding (http://sourceforge.net/projects/bonding).

method 4)
-tapping all switchports (using the aforementioned network taps) but only tapping all incoming packets (RX lines of the switchports), connecting those tap ports to a dedicated gigabit switch, which is capable of mirroring up to ten RX taplines to one single dedicated gigabit port, which is connected to a gigabit IDS machine. See also attached picture (may be copied and distributed for non commercial purposes only ;-)
pros:
-this method is elegant if you want to achieve maximum coverage (ie monitor all switchports)
-no performance degradation of the productive switch
-stealth
-no need for special configuration of the productive switch
drawbacks:
-rather expensive method, so it will probably only pay off for e-commerce applications and high security segments
-the NIDS machine has to be capable of handling gigabit datastreams

All this stuff is also discussed in my diploma thesis, which is now ready. I will derive a technical paper, written in English, that will also treat this topic. The paper will appear in September, for all those who are interested. Where, I do not yet know for sure (maybe on snort.org?) ;)

Hope that helps and reduces the need for such questions in the future :)

Greetings,
Detmar Liesen

-------------original message---------------------
Hi Everybody,

On the Snort FAQ:

Q: I'm on a switched network, can I still use Snort?
A: Being able to sniff on a switched network depends on what type of switch is being used. If the switch can mirror traffic, then set the switch to mirror all traffic to the snort machine's port.

I recently installed a netgear Model FS 524. Is my switch capable of mirroring the traffic? Does anyone know, or is there a HOWTO? I want to learn about this. Your help is highly appreciated.

Thanks
brother in snort
-- GMX - The communication platform on the Internet. http://www.gmx.net
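The drawback Detmar lists under method 3 is that a tap hands the NIDS two one-way streams (the TX and RX legs of the link) which have to be merged again before stateful inspection of a flow makes any sense. The post points at kernel channel bonding for doing that merge on the live NICs. What follows is an added example, not code from the post, from Snort, or from the bonding project linked above: it performs the same merge offline on two capture files, one per tap leg, ordering records by timestamp and checking the assumptions the merge rests on (each leg is already time-ordered, the files are not truncated). It assumes classic little-endian libpcap files with microsecond timestamps and a 14-byte Ethernet header; the TCP-handshake frames and their timestamps are constructed placeholders.

```python
"""Merge the TX and RX legs captured from a passive network tap into one
time-ordered pcap, so a stateful analyser sees both directions of a flow.

Added example, not from the original post. It merges captured files
offline; the post itself points at kernel channel bonding for merging
the two NICs live. Sample frames below are constructed placeholders.
"""
import heapq
import struct
from typing import Iterable, Iterator, List, Tuple

Packet = Tuple[int, int, bytes]  # (ts_sec, ts_usec, frame bytes)

PCAP_MAGIC = 0xA1B2C3D4                 # little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, tz, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len


def write_pcap(packets: Iterable[Packet]) -> bytes:
    """Serialise packets into a classic libpcap file (frames stored untruncated)."""
    out = bytearray(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for sec, usec, frame in packets:
        out += REC_HDR.pack(sec, usec, len(frame), len(frame))
        out += frame
    return bytes(out)


def read_pcap(blob: bytes) -> Iterator[Packet]:
    """Yield (sec, usec, frame) records; reject wrong magic and truncated records."""
    if len(blob) < GLOBAL_HDR.size:
        raise ValueError("file shorter than pcap global header")
    magic = GLOBAL_HDR.unpack_from(blob, 0)[0]
    if magic != PCAP_MAGIC:
        raise ValueError(f"unsupported pcap magic 0x{magic:08x}")
    off = GLOBAL_HDR.size
    while off < len(blob):
        if len(blob) - off < REC_HDR.size:
            raise ValueError("truncated record header")
        sec, usec, incl_len, _orig_len = REC_HDR.unpack_from(blob, off)
        off += REC_HDR.size
        frame = blob[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated packet data")
        off += incl_len
        yield sec, usec, frame


def _checked_order(packets: Iterable[Packet], name: str) -> Iterator[Packet]:
    """heapq.merge assumes each input is sorted; verify that for each single-NIC capture."""
    last = (-1, -1)
    for pkt in packets:
        ts = (pkt[0], pkt[1])
        if ts < last:
            raise ValueError(f"{name}: timestamps go backwards at {ts}")
        last = ts
        yield pkt


def merge_tap_legs(*legs: bytes) -> bytes:
    """Merge any number of one-direction captures into one pcap ordered by timestamp.

    Ties keep the order the legs were given (heapq.merge is stable), so pass the
    leg whose packets should win ties first.
    """
    streams = [_checked_order(read_pcap(blob), f"leg{i}") for i, blob in enumerate(legs)]
    merged = heapq.merge(*streams, key=lambda p: (p[0], p[1]))
    return write_pcap(merged)


def frame_tags(blob: bytes) -> List[bytes]:
    """Return the payload of each frame after the constructed 14-byte Ethernet header."""
    return [frame[14:] for _, _, frame in read_pcap(blob)]


def _frame(tag: bytes) -> bytes:
    # Constructed placeholder: dummy Ethernet header (dst, src, type 0x0800) plus a
    # tag standing in for the IP/TCP part of the frame.
    return b"\x00" * 6 + b"\x00" * 5 + b"\x01" + b"\x08\x00" + tag


# Constructed sample: a TCP handshake seen through a tap. The client side
# (SYN, ACK) arrives on the RX leg, the server's SYN-ACK on the TX leg.
RX_LEG = write_pcap([(1021, 100000, _frame(b"SYN")), (1021, 100700, _frame(b"ACK"))])
TX_LEG = write_pcap([(1021, 100350, _frame(b"SYN-ACK"))])


def demo() -> List[bytes]:
    """Merge the two legs; a stateful engine now sees SYN, SYN-ACK, ACK in order."""
    return frame_tags(merge_tap_legs(RX_LEG, TX_LEG))


if __name__ == "__main__":
    print([t.decode() for t in demo()])
```

With real taps the two inputs would be separate captures of the two NICs (for example one `tcpdump -w` per interface); each capture is time-ordered on its own, which is exactly the precondition `_checked_order` verifies before the merge. Reading either leg alone shows why the merge matters: the RX file contains SYN and ACK with no SYN-ACK between them, so a stateful analyser would never see the connection complete.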
Current thread:
- switch Alwin Raymundo (May 15)
- Re: switch Edin Dizdarevic (May 15)
- <Possible follow-ups>
- RE: switch Don McEachern (May 15)
- Re: switch Leigh David Heyman (May 15)
- RE: switch counter . spy (May 15)