Firewall Wizards mailing list archives
RE: The devil's in the details
From: "Thomas Crowe" <thomas.crowe () bellsouth net>
Date: Tue, 13 Jul 1999 18:55:00 -0400
Matt; almost all medium to high-end switches that I have dealt with have the facility to set up a SPAN port (that's a Cisco term) for doing very much what you just said, sniffers and such. These switches can usually be configured for send/receive or receive only.

> My problem is that a couple of my networks involve switches, which, as part of the new and improved security policy, will involve VLANs. I could throw the IDS on a hub with the firewall and connect that to the switch, but that doesn't do anything for internal threats (which are what is necessitating the VLANs). Has anyone figured out a good way to set something like this up? Ideally, some switch manufacturer would have thought of this ahead of time and made a port on the switch that dumped all the packets, but then you're dealing with packet loss unless that one port is significantly faster than the rest of the switch.

The possibility exists for packet loss primarily in chassis-based switches that use different media types, i.e. FDDI, 100BaseTX, 1000BaseFX, etc. Then you could be losing packets due either to the switch engine not being able to handle the packets per minute (ppm) or to the switch not being able to keep up with the layer 1/2 conversion.

> I could try to figure out some policy-based configuration, but I don't want to go buy a gigabit plane for each of my switches, and it doesn't sit right with me to depend on the switch management elements for the completeness of my security data.

Another consideration in general about switches is to always get 'non-blocking' switches; that way any packets that the switch processor can't keep up with simply get flooded to all ports.

> Any responses would be appreciated. -Matt
Thomas Crowe Production Network Systems Administrator
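The thread's central caveat is that a single mirror (SPAN) port has to carry the sum of everything it mirrors, and that mirroring both directions of several source ports onto one monitor link of the same speed is oversubscribed by design. The following is an added illustration, not code from the list or from any switch vendor: a small steady-state model that, for a constructed set of source ports (names, link speeds and utilisation figures are all made up), reports how far a given monitor link is oversubscribed, roughly what fraction of mirrored frames would be dropped, the smallest standard link speed that would suffice, and the worst-case packets-per-second the IDS behind that link must be able to absorb. The drop estimate ignores bursts and buffering, so treat it as a lower bound on trouble.

```python
"""Steady-state model of SPAN/mirror port oversubscription (constructed example)."""
from dataclasses import dataclass

# Standard Ethernet link speeds a monitor port might be provisioned at.
STANDARD_LINKS_MBPS = (10, 100, 1000, 10000)

# Smallest Ethernet frame on the wire: 64-byte frame + 8-byte preamble/SFD
# + 12-byte inter-frame gap. This drives the worst-case packet rate.
MIN_FRAME_WIRE_BYTES = 64 + 8 + 12


@dataclass(frozen=True)
class SourcePort:
    """A port whose traffic is copied to the monitor port (values constructed)."""
    name: str
    link_mbps: int
    rx_util: float = 1.0   # fraction of the link busy in the receive direction
    tx_util: float = 1.0   # fraction busy in the transmit direction (1.0 = saturated)


def mirrored_load_mbps(sources, direction="both"):
    """Traffic the monitor port must transmit.

    A monitor port only ever sends copies, so both directions of every
    source port compete for the monitor link's single transmit capacity.
    'rx' mirrors only frames received by the source ports, 'tx' only frames
    they transmitted, 'both' mirrors everything.
    """
    load = 0.0
    for s in sources:
        if direction in ("both", "rx"):
            load += s.link_mbps * s.rx_util
        if direction in ("both", "tx"):
            load += s.link_mbps * s.tx_util
    return load


def max_pps(mbps):
    """Worst-case packets per second at a given rate: a stream of minimum-size frames."""
    return mbps * 1_000_000 / (MIN_FRAME_WIRE_BYTES * 8)


def span_budget(sources, monitor_mbps, direction="both"):
    """Compare mirrored load against the monitor link and summarise the outcome."""
    load = mirrored_load_mbps(sources, direction)
    ratio = load / monitor_mbps
    # Steady-state share of mirrored frames the switch cannot forward to the
    # monitor port; bursts would make the real figure worse, never better.
    dropped = 0.0 if load <= monitor_mbps else 1.0 - monitor_mbps / load
    needed = next((speed for speed in STANDARD_LINKS_MBPS if speed >= load), None)
    return {
        "direction": direction,
        "load_mbps": load,
        "oversubscription": ratio,
        "dropped_fraction": dropped,
        "smallest_sufficient_link_mbps": needed,   # None if beyond 10 Gbps
        "worst_case_pps_to_ids": max_pps(min(load, monitor_mbps)),
    }


if __name__ == "__main__":
    # Constructed example: eight saturated 100 Mbps access ports in one VLAN.
    ports = [SourcePort(f"fa0/{i}", 100) for i in range(1, 9)]
    for monitor, direction in ((100, "both"), (1000, "rx"), (1000, "both")):
        print(monitor, span_budget(ports, monitor, direction))
```

Run with measured utilisation figures instead of 1.0 to size a monitor link for the traffic you actually have, then check the worst-case figure as well, since an IDS that keeps up at average load can still lose frames during a minimum-frame-size burst.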