RE: Snort Help - Network IDS

["DeGennaro, Gregory" <Gregory_DeGennaro () csaa com>]

The tap would be the best method.

Another method would be this: 


servers-switch---|
servers-switch---|---Switch---Firewall
servers-switch---|     |
                             | Span Port (not spanning tree)
                             |          
                   IPS\IDS-System

Some span ports can support large amounts of traffic; therefore there is a
chance of packet loss to the IDS system.

You can also use a hub, however not recommended for Enterprise networks.

Of course, this is a source of failure which makes the tap even more luring
since the tap will fail open like Chris stated.

--Greg


> -----Original Message-----
> From: Jason Haith [mailto:jhaith () genesissys com] 
> Sent: Wednesday, April 14, 2004 10:22 PM
> To: securityfocus
> Subject: Snort Help - Network IDS
>
> Recently I posted a question on different types of monitoring 
> and ids setups. I have decided to go with snort and have been 
> using it on a smaller network with no problem. However now, I 
> need to move it to a production network which will consist of 
> around a 100 servers all linked through 3com switches and 
> going out through a watchgaurd firewall. I'm looking for 
> different ways to implement this without setting up another 
> single point of failure device which our firewall is. I'm not 
> confident enough yet to risk something like that. I haven't 
> found much information on packet sniffing when it comes to 
> multiple entry points, found some info on wiretap, etc. but 
> I've always received such great help on here I thought I 
> would ask before I decided on something. Would really 
> appreciate any help, I'm in a heck of a bind right now. Thanks.
>
>
> firewall
> |
> -3comswitch-servers
> -3comswitch-servers
> -3comswitch-servers
>
> ids?
>
>
> Jason Haith
> Systems Administrator
> Genesis Systems
> 5712 S. 77th St
> Omaha, NE 68127
> Phone: (402)592-1452
> Fax:   (402)592-3650
> Email: jhaith () genesissys com
>
>
> --------------------------------------------------------------
> -------------
> Ethical Hacking at the InfoSec Institute. Mention this ad and 
> get $545 off any course! All of our class sizes are 
> guaranteed to be 10 students or less to facilitate one-on-one 
> interaction with one of our expert instructors. 
> Attend a course taught by an expert instructor with years of 
> in-the-field pen testing experience in our state of the art 
> hacking lab. Master the skills of an Ethical Hacker to better 
> assess the security of your organization. 
> Visit us at: 
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> --------------------------------------------------------------
> --------------

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the
skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------