Re: The devil's in the details

[Technical Incursion Countermeasures <lists () ticm com>]

> Has anyone figured out a good way to set something like this up? Ideally,
> some switch manufacturer would have thought of this ahead of time, and made
> a port on the switch that dumped all the packets, but then you're dealing
> with packet loss unless that one port is significantly faster than the rest
> of the switch. I could try to figure out some policy based configuration,
> but I don't want to go buy a gigabit plane for each of my switches, and it
> doesn't sit right with me to depend on the switch management elements for
> the completeness of my security data.

Hi Matt...

yep its not an easy one... but most good switches should have a port that
can be set to promiscuous mode - it should be able to keep up - YMMV..

On the other hand you might want to look at the underlying corporate
culture if there is a high risk of internal attacks... are the previous
incidents to justify the costs? Risk Analysis is always a very good tool
here..

good luck!

Cheers,

Bret


Technical Incursion Countermeasures 
consulting () TICM COM                      http://www.ticm.com/
ph: (+61)(041) 4411 149(UTC+8 hrs)      fax: (+61)(08) 9454 6042

The Insider - a e'zine on Computer security Call for papers Vol 3 Issue 2 
http://www.ticm.com/info/insider/index.html