Snort mailing list archives
Advice on the Network Infrastructure Side of IDS Design...
From: Mike Ahern <mc_ahern () yahoo com>
Date: Thu, 25 Apr 2002 09:45:50 -0700 (PDT)
A company I am working with is interested in deploying IDS throughout a globally distributed network, and may be interested in updating, reconfiguring, and/or replacing their network switches and similar hardware at the same time, at least in some locations. What LAN infrastructure hardware have you found best for monitoring key points on the network (points of ingress/egress) and multiple resources (critical systems, wiring closet drops, etc.) in a highly switched environment? Are there switches, for example, that have the capability to copy data from selected ports to multiple monitor ports, or to a single higher speed port? Any switches that have features that lend themselves to effective IDS monitoring? In large environments where you might have many hundreds of users on a switch, what is the best way to get visibility with systems like Snort? Is there some unique approach or network design that you have benefited from in implementing IDS in a large switched environment?

I am also concerned about using a traditional (single) monitor port on some small switches, since the IDS system could be pulled offline and the monitor port reconfigured any time a network engineer came along and needed to use a network sniffer to track down some problem, leaving the IDS units offline and effective management and logging somewhat kludgey. Also, in some instances I have tested, I would need two interfaces in the IDS system to do what I need to do (one for the monitor port and one to send network telemetry back to management systems).

I am really interested in what your experience and recommendations are for this side of IDS network planning, and to benefit from your insight and firsthand experience selecting, implementing, and working with these systems on an ongoing basis from an IDS perspective. I have also heard about active devices that allow placement of IDS systems "receive only" with no transmit capability back out of the system, and kind of stealth the IDS on the net.
Anybody used any of these? Your advice is appreciated! If you feel that your answer is too long or too off-topic for this list, just email me back directly. Thanks!

- Mike
mc_ahern () yahoo com