Snort mailing list archives

AW: using a tap


From: "Altrock, Jens" <Jens.Altrock () STADT-NW DE>
Date: Sun, 13 Jun 2004 11:18:30 +0200

Thanks for the help, forgot to add the OS, am using RedHat though.
I'll go through that site you told me, seems to be interesting though. :)

-----Original Message-----
From: Michael Boman [mailto:michael.boman () boseco com]
Sent: Friday, 11 June 2004 08:20
To: Altrock, Jens
Cc: Snort-Users (E-Mail)
Subject: Re: [Snort-users] using a tap


On Fri, 2004-06-11 at 13:41, Altrock, Jens wrote:
> hi there,
> we're thinking about buying a tap too, but there are some questions that I
> need answered first:
>
> 1. Taps use two channels to get the traffic to the monitoring device (one
> for RX and one for TX). How do I "bond" these channels together, if I do
> need to do that?

Please state your operating system. With Linux you do 'ifenslave', and
if you use a RedHat based distribution
http://www.linuxgazette.com/node/view/8937 might be of help.

> 2. It is a security violation when using a sensor connected to the tap and
> (!) to the internal net (with IP), but it is needed anyway for updating
> rules and other issues. Is it reliable anyway?

The tap is a read only connection, and you need a way to:
a) View the alerts
b) Update the signatures

which usually means one more cable to a special analyst LAN (or your
local LAN, depending how much money you have to spend..). You can have
a semi-air-gapped NIDS sensor, where the only connection is the TAP. If
you are in that situation you have to use the plain ol' sneaker net to
transfer signature updates (hint: a USB thumb drive stores bigger files
and is more reliable than the old 3.5" floppies). For system updates:
well, they do 1 GB thumb drives nowadays..

Also, in those circumstances you (should) have a different PC just
beside it to do the lookups and signature research. It won't be as
effective, but it is doable.. So far I have only seen military
installations of this kind, but whatever floats your boat...

And when it comes to reliability of the setup: as long as you don't
transfer data from the sensor to the internal network you don't expose
the LAN to any additional dangers..

Best regards
 Michael Boman

-- 
Michael Boman <michael.boman () boseco com>
BOSECO Internet Security Solutions - http://www.boseco.com
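The ifenslave step from question 1 and the "no IP on the sniffing side" point from question 2, as an added example that is not code from either poster. It assumes the tap's RX leg lands on eth1 and the TX leg on eth2, that the aggregate is named bond0, that the bonding kernel module and the ifenslave tool are installed, and that Snort reads /etc/snort/snort.conf; all of those names are assumptions, not from the thread. Management traffic (viewing alerts, pulling rule updates) is expected to go over a separate NIC that this script never touches.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Assumptions (override via environment): tap RX leg = eth1, TX leg = eth2,
# aggregate = bond0, Snort config = /etc/snort/snort.conf.
TAP_RX=${TAP_RX:-eth1}
TAP_TX=${TAP_TX:-eth2}
BOND=${BOND:-bond0}
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}

# Command sequence that joins both tap legs into one listen-only interface.
# mode=0 (balance-rr) delivers frames received on either slave; active-backup
# would silently drop whichever direction arrives on the inactive slave.
# bond0 is brought up with 0.0.0.0, i.e. no address, and every leg is put
# in promiscuous mode so Snort sees traffic not addressed to the sensor.
bond_tap_cmds() {
    cat <<EOF
modprobe bonding mode=0 miimon=100
ifconfig $BOND 0.0.0.0 up
ifenslave $BOND $TAP_RX $TAP_TX
ifconfig $BOND promisc
ifconfig $TAP_RX promisc
ifconfig $TAP_TX promisc
EOF
}

# Reads 'ifconfig <iface>' output on stdin and succeeds only when no IPv4
# address is configured on it (the tap side must stay read-only). Matches
# both the old "inet addr:" and the newer "inet 10.0.0.5" output formats;
# the kernel's automatic IPv6 link-local address is deliberately not flagged.
no_ip_configured() {
    ! grep -q 'inet '
}

# Snort command line for the aggregated interface (daemon mode).
snort_cmd() {
    printf 'snort -i %s -c %s -D\n' "$BOND" "$SNORT_CONF"
}

# Default is a dry run that only prints the plan. DRY_RUN=0 as root applies
# it, verifies bond0 carries no IPv4 address, and then starts Snort.
if [ "${DRY_RUN:-1}" = 0 ]; then
    bond_tap_cmds | sh -e
    ifconfig "$BOND" | no_ip_configured || {
        echo "$BOND has an IPv4 address; refusing to start the sensor" >&2
        exit 1
    }
    eval "$(snort_cmd)"
else
    bond_tap_cmds
    snort_cmd
fi
```

Run it once without arguments to see the plan, then `DRY_RUN=0 sh tap-bond.sh` as root to apply it. ifenslave is the tool the reply names and matches the 2004 RedHat setup; on current kernels the same aggregate is built with `ip link add bond0 type bond mode balance-rr` followed by `ip link set eth1 master bond0` (and likewise for eth2). Either way, the point of the address check is the one made in the reply: the tap feed is receive-only, and keeping any IP off that interface is what makes the sensor's only talking path the separately cabled management NIC.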




