RE: Understanding IDS & TAPS

["Nigel Clarke" <nigel () forever-networks com>]

To answer your networking questions, read "Interconnections" by Radia
Perlman.

A switch manages VLANs in software. Let's say you have a 20 port switch, and
you
need to create two VLANs. You could assign ports 1 - 10 to VLAN A and ports
11 - 15 to VLAN B.
The remaining ports could be saved for another VLAN.

This is not a good idea. There are exploits that allow a hacker to bypass
VLANS.

Let me know if this helps.


--
Nigel Clarke                 Forever Networks
Network Security Engineer    Consultant
*********www.forever-networks.com************

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Carleton,
Sam (SCI TW)
Sent: Wednesday, December 18, 2002 10:49 AM
To: 'twig les'; 'snort-users () lists sourceforge net'
Subject: RE: [Snort-users] Understanding IDS & TAPS


Read theory?  Well, learning more about TCP/IP is on my hit list of things
to do.
So, if my understanding of your short answer is correct, you said:  The
switch either needs a port that all traffic goes to or it must be able to be
configured to sends packets from one port to another, based on MAC address.

Now Netgear has this switch FSM726S which is a "managed switch".  Is my
impression correct that a "managed switch" is one that can be configured to
send the packets from Port A's and Port B's ports to the IDS's port?
Where can I go to learn more about this networking stuff, primarily what a
managed switch is and what all one can do with it.  If my impression is
correct, one managed switch could be used to create multiple isolated
networks.  In other words, I am under that by configuring this Netgear
switch so that one set of ports are for the DMZ and another set of ports are
for the internal network, I could have one switch with two networks.  This
is apposed to having to have two physical switch's, one for the DMZ and one
for the internal network.
Oh, wait a second.  I just had a thought.  Does it HAVE to be a switch
between the TAP and the IDS?  Can I use a HUB?  The only reason I could see
a HUB being a problem is if a packet of info came in on both Port A & B at
the same time.
Sam

 -----Original Message-----
From:   twig les [mailto:twigles () yahoo com]
Sent:   Wednesday, December 18, 2002 12:54 PM
To:     Carleton, Sam (SCI TW); 'snort-users () lists sourceforge net'
Subject:        Re: [Snort-users] Understanding IDS & TAPS

Your questions span (pun!) more than the IDS field.
Pick up a good book on switches or at least something
that explains the OSI model.  As loath as I am to
recommend reading theory, it really applies.

A short answer is that switches forward packets out of
specific ports based on a table they keep.  The table
correlates MAC address<->port relationships.  To sniff
on a switch you need one of two things: a port that
the switch sends ALL traffic to, regardless of the
destination MAC, or a piece of software like Ettercap
that does massive ARP poisoning.  For multiple obvious
reasons you prolly want to stick to the former.

--- "Carleton, Sam (SCI TW)"
<Sam_Carleton_TW () stercomm com> wrote:
> Folks,
>
> I understand the IDS and TAPS, but not completely.
> The main thing is the
> physical hookup of the TAP to the IDS.  I don't
> understand the "100Mb IDS
> Tapping Diagram (with only 100bt span port)"
> diagram.  The switch being
> used, can it be any old switch or does it have to be
> something that is
> programmable?  What I don't understand is how the
> traffic gets through the
> switch.  How does the switch know where to send the
> packets which are coming
> in from the Port A and Port B?
>
> Sam
-------------------------------------------------------
> This SF.NET email is sponsored by: Order your
> Holiday Geek Presents Now!
> Green Lasers, Hip Geek T-Shirts, Remote Control
> Tanks, Caffeinated Soap,
> MP3 Players,  XBox Games,  Flying Saucers,  WebCams,
>  Smart Putty.
> T H I N K G E E K . C O M
> http://www.thinkgeek.com/sf/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or
> unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


=====
-----------------------------------------------------------
If you give a man a fish, he can eat for a day
If you bludgeon him to death, you can eat the fish yourself

-----------------------------------------------------------

__________________________________________________
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com


-------------------------------------------------------
This SF.NET email is sponsored by: Order your Holiday Geek Presents Now!
Green Lasers, Hip Geek T-Shirts, Remote Control Tanks, Caffeinated Soap,
MP3 Players,  XBox Games,  Flying Saucers,  WebCams,  Smart Putty.
T H I N K G E E K . C O M       http://www.thinkgeek.com/sf/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



-------------------------------------------------------
This SF.NET email is sponsored by: Geek Gift Procrastinating?
Get the perfect geek gift now!  Before the Holidays pass you by.
T H I N K G E E K . C O M      http://www.thinkgeek.com/sf/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users