Security Basics mailing list archives

RE: Capturing network traffic and warning if its volume crosses a defined limit


From: "Curtis Duck" <ced () autoinc-usa com>
Date: Fri, 2 Dec 2011 15:18:49 -0600

I understand and do agree that if a hub acts like a switch it is a switch. Several vendors still sell devices labeled as 
hubs that are now switches, so I just wanted to bring that to his attention.


-----Original Message-----
From: Chris Warren [mailto:chris.warren () netelligent ca] 
Sent: Friday, December 02, 2011 1:20 PM
To: Curtis Duck
Cc: Pranav Lal; security-basics () securityfocus com; Ali Kapucu
Subject: Re: Capturing network traffic and warning if its volume crosses a defined limit

If a hub behaves like a switch, that makes it a switch, not a hub.  I guess I'll qualify it by saying a layer 1 hub.  
If you're already on a 100Mbit switch, and you use a 100Mbit hub, you'll be fine.

But +1 for the pfsense suggestion, and forget the hub.  Really easy to set up and will block traffic based on snort 
alerts.

----- Original Message -----
From: "Curtis Duck" <ced () autoinc-usa com>
To: "Ali Kapucu" <alikapucu () gmail com>
Cc: "Chris Warren" <chris.warren () netelligent ca>, "Pranav Lal" <pranav.lal () gmail com>, security-basics () 
securityfocus com
Sent: Friday, December 2, 2011 2:14:12 PM
Subject: Re: Capturing network traffic and warning if its volume crosses a defined limit


Remember that most hubs now do not function like the hubs of the old days and may act like a switch in isolating 
traffic. Also if there is more traffic than the port can handle there is potential to flood the port and traffic may be 
interrupted.

Curtis Duck
AutoInc
Systems Administrator

On Dec 2, 2011, at 12:53 PM, Ali Kapucu <alikapucu () gmail com> wrote:

I recommend to use pfsense on this box. It has snort and other useful tools.

Sent from my iPhone

On Dec 2, 2011, at 12:34 PM, Chris Warren <chris.warren () netelligent ca> wrote:

With a relatively simple setup like this, it would be better to plug both the Exchange server, and your monitoring 
system, into a hub.  The hub's uplink can go to the existing switch.  This way, connectivity of the Exchange server 
does not depend on the monitoring system being online.

However, your solution would probably be better if you want Snort to block traffic.  Snort can communicate with some 
firewalls to achieve this, but probably not the typical ISP modem/router.

----- Original Message -----
From: "Pranav Lal" <pranav.lal () gmail com>
To: security-basics () securityfocus com
Sent: Friday, December 2, 2011 12:14:43 PM
Subject: Capturing network traffic and warning if its volume crosses a defined limit


Hi all,

A friend has been running his own Exchange 2003 enterprise server for
ages. Last week, his IP address got blacklisted since a lot of traffic
originated from his e-mail server. The ISP has blocked outbound port 25. He
has checked with Microsoft support and with TrendMicro and is talking to his
ISP too.  He wants something to monitor network traffic with and log
traffic. I have discussed some solutions with him. What do you think?
1. For bandwidth monitoring, the only tool I know of is MRTG. There are
bound to be more, but they monitor and do not raise alerts.

2. Yes I did suggest a firewall appliance which will solve this problem.

3. However, he is also looking for an immediate fix. This is where my
current solution comes in. Before I go into the solution, let me explain his
network layout.

(1) The ISP's modem router's Ethernet cable is plugged into a switch. I
suspect this switch is unmanaged and does not support mirroring.
(2) The Exchange server is plugged into the switch.
(3) I suspect the same holds true for other computers, that is, they are
plugged into the same switch.

Now for the solution
A. He takes a computer with two LAN cards. Let us call them LC1 and LC2.
B. His ISP router goes into LC1.
C. The switch goes into LC2.
D. Snort with MySQL runs on this computer and logs traffic.

My questions:
1. Is there a better solution?
2. Does he need to bridge the connections corresponding to LC1 and LC2? If
he does not do so, I do not see how he will get out to the Internet.
3. Can I use snort or some other application to block all network traffic if
it exceeds a certain amount?

Pranav
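Question 3 above asks for an alert when outbound volume crosses a limit. Snort is signature-driven, so a plain volume check is usually a separate, simpler piece of logic sitting next to it. The script below is an added example written for this archive page; it is not code from the thread, from Snort or from pfSense. It assumes flow records in a constructed whitespace format ("epoch_seconds src_ip dst_ip dst_port bytes", the kind of summary a flow exporter or a pcap post-processor could produce) and buckets outbound bytes per internal host into fixed time windows, flagging any host whose total exceeds a threshold. The sample records, the 192.168.1.0/24 "local" network and the threshold values are all constructed for the demonstration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not from the thread):
# "epoch_seconds src_ip dst_ip dst_port bytes"
# The 192.168.1.10 host sends a burst of port-25 traffic in the first minute.
SAMPLE_FLOWS = """\
1322845200 192.168.1.10 203.0.113.5 25 1500
1322845201 192.168.1.10 203.0.113.6 25 1500
1322845202 192.168.1.10 203.0.113.7 25 1500
1322845203 192.168.1.20 198.51.100.9 443 800
1322845205 203.0.113.5 192.168.1.10 25 600
1322845230 192.168.1.10 203.0.113.8 25 1500
1322845261 192.168.1.10 203.0.113.9 25 900
1322845262 192.168.1.20 192.168.1.30 445 4000
"""

# Assumed internal address range; adjust to the site's real LAN.
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")


def parse_flow_line(line):
    """Split one record into (timestamp, src, dst, dst_port, bytes)."""
    ts, src, dst, port, nbytes = line.split()
    return int(ts), ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), int(nbytes)


def is_outbound(src, dst, local_net=LOCAL_NET):
    """Outbound means: internal source talking to a non-internal destination."""
    return src in local_net and dst not in local_net


def outbound_volume(lines, window_seconds=60, local_net=LOCAL_NET, port=None):
    """Sum outbound bytes per (window_start, source_ip).

    Inbound and LAN-internal flows are ignored; an optional destination port
    narrows the count (e.g. port=25 for SMTP only).
    """
    totals = defaultdict(int)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, src, dst, dport, nbytes = parse_flow_line(line)
        if not is_outbound(src, dst, local_net):
            continue
        if port is not None and dport != port:
            continue
        window_start = ts - ts % window_seconds   # fixed-size bucket
        totals[(window_start, str(src))] += nbytes
    return dict(totals)


def volume_alerts(lines, threshold_bytes, window_seconds=60,
                  local_net=LOCAL_NET, port=None):
    """Return (window_start, host, bytes) for every bucket over the threshold."""
    totals = outbound_volume(lines, window_seconds, local_net, port)
    return sorted((w, h, n) for (w, h), n in totals.items() if n > threshold_bytes)


if __name__ == "__main__":
    # Alert on any internal host pushing more than 5000 bytes of SMTP per minute.
    for window_start, host, nbytes in volume_alerts(SAMPLE_FLOWS.splitlines(), 5000, port=25):
        print(f"ALERT window={window_start} host={host} smtp_bytes={nbytes}")
```

The threshold and window are deliberately parameters: a mail server's normal outbound SMTP volume has to be measured first, and the limit set above that baseline, or the check will fire on ordinary load. Once a host trips the threshold, the same per-host bucket is also the natural key for a firewall rule if blocking is wanted, which is the part the thread leaves to pfSense.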


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------

This message is intended only for the individual named. If you are not the named addressee you should not disseminate, 
distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by 
mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as 
information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender 
therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a 
result of e-mail transmission. If verification is required please request a hard-copy version.