Snort mailing list archives

RE: Configuring Cisco switches...


From: "Cessna, Michael" <MCessna () rtm com>
Date: Fri, 21 Sep 2001 11:24:30 -0400

I place high-quality hubs in between my fw interfaces as shown:

ISP----cisco2611,T1/ethernet
Router--------HUB------FW-----HUB--------int.network
                                                     \-----HUB--------DMZ
By using a hub, by definition you see every packet that all other ports see.
Since the only things I have hanging off of the hubs are the snort sensors,
you get only a negligible performance degradation. Also set the IDS
interface to be an IP-less interface with a receive-only cable; then you don't
have to worry about it sending anything over the wire. Use a second
interface to connect into your internal network so that you can receive
alerts, get logs, look at ACID reports, etc.
Remember that this only works well if you have no other nodes on the hub but
the IDS. If you hang another node off the hub then you run into the problem
of a shared collision domain and then the performance degradation is not
negligible (depends on how much the new node pumps out over the wire).
There is nothing wrong with hubs as long as you use them in the right
places.
Mike

-----Original Message-----
From: Gadrow, Jim [mailto:jgadrow () cincom com]
Sent: Friday, September 21, 2001 10:52 AM
To: 'Erek Adams'; Bryan Childs
Cc: 'snort-users () lists sourceforge net'
Subject: RE: [Snort-users] Configuring Cisco switches...



Shomiti taps run around $400 per tap, and you can rack mount them by the
dozen. My only problem with using that kind of a solution though is that I
don't think I can use flex-response if I'm using a tap or spanning a port. 

I have the same problem as Bryan, with a switched network. Any ideas for a
very cost-effective monitoring design or tools are more than welcome.

Jim

