RE: Capturing network traffic and warning if its volume crosses a defined limit

["Pranav Lal" <pranav.lal () gmail com>]

Hi Phyco,

The switch is an unmanaged switch and does not support mirroring.

Pranav

-----Original Message-----
From: phyco.rootelement phyco.rootelement
[mailto:phyco.rootelement () gmail com] 
Sent: Saturday, December 03, 2011 7:21 AM
To: Pranav Lal
Cc: security-basics () securityfocus com
Subject: Re: Capturing network traffic and warning if its volume crosses a
defined limit

Having netflow on switch span would be a great iidea 
On Dec 2, 2011 10:47 PM, "Pranav Lal" <pranav.lal () gmail com> wrote:
> Hi all,
>
> A friend has been running his own Exchange 2003 enterprise server since
> ages. Last week, his IP address got black listed since a lot of traffic
> originated from his e-mail server. The ISP has blocked outbound port 25.
He
> has checked with Microsoft support and with TrendMicro and is talking to
his
> ISP too.  He wants something to monitor network traffic with and log
> traffic. I have discussed some solutions with him. What do you think?
> 1. For bandwidth monitoring, the only tool I know of is MRTG. There are
> bound to be more but they monitor and not raise alerts.
>
> 2. Yes I did suggest a firewall appliance which will solve this problem.
>
> 3. However, he is also looking for an immediate fix. This is where my
> current solution comes in. Before I go into the solution, let me explain
his
> network layout.
>
> (1) The ISP's modem router's Ethernet cable is plugged into a switch. I
> suspect this switch is unmanaged and does not support mirroring.
> (2). The Exchange server is plugged into the switch.
> (3) I suspect the same holds true for other computers that is they are
> plugged into the same switch.
>
> Now for the solution
> A. He takes a computer with two LAN cards. Let us call them LC1 and LC2.
> B. His ISP router goes into LC1.
> C. The switch goes into LC2.
> D. Snort with MySQL runs on this computer and logs traffic.
>
> My questions:
> 1. Is there a better solution?
> 2. Does he need to bridge the connections corresponding to lc1 and lc2? If
> he does not do so, I do not see how he will get out to the Internet.
> 3. Can I use snort or some other application to block all network traffic
if
> it exceeds a certain amount?
>
> Pranav
>
>
> ------------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital Certificate
> In this guide we examine the importance of Apache-SSL and who needs an SSL
certificate.  We look at how SSL works, how it benefits your company and how
your customers can tell if a site is secure. You will find out how to test,
purchase, install and use a thawte Digital Certificate on your Apache web
server. Throughout, best practices for set-up are highlighted to help you
ensure efficient ongoing management of your encryption keys and digital
certificates.
>
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727
d1
> ------------------------------------------------------------------------




------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------