Snort mailing list archives

Re: Switch TAP placement question.


From: Erek Adams <erek () snort org>
Date: Thu, 15 May 2003 13:31:36 -0400 (EDT)

On Thu, 15 May 2003, Brei, Matt wrote:

> I have a bank of about 12 24-port switches.  All of the routers and
> firewall are on the first switch, then the servers are on second and
> third, then all workstations and printers are on the rest.  Where should
> I place the tap so that Internet activity can be monitored as well as
> compromise attempts against a server or router?  Should this go on the
> router/firewall switch since it is the last switch before the "outside"
> or should I use more than one tap?

Well...  It depends on how things are set up.

If you are set up like (and I'll guess you are):

[Internet]->[Router]->[1st Switch]->[Other Stuff]

Then you can't put an IDS in front of the [Router].  The router will take
the telco circuit and convert it into ethernet.  Since your IDS uses
ethernet to connect with, it can't actually read the telco circuit.

If you are set up like:
                                  +>[Router 2]->[Switch 2]
[Internet]->[Router 1]->[Switch 1]->[Router 3]->[Switch 3]
                                  +>[Router 4]->[Switch 4]

Then you could tap between [Router 1] and [Switch 1].  That would give
you all traffic that came thru your uplink router.

You might want to have a look at some of the IDS placement diagrams on
Snort.org [0].  It might give you a bit better idea of how you could do
things.

Hope that helps!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

[0]     http://www.snort.org/docs/#deploy
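
Added example (not part of the original message and not Snort code): a small model of which flows a tap on a given link can see, using a constructed topology with hypothetical node names that loosely follows the layout in the question. It assumes switched unicast traffic that only travels the path between the two hosts.

```python
from collections import deque

# Constructed topology loosely following the layout in the question: edge
# router on switch1, servers on switch2, workstations/printers on switch4.
# All node names are hypothetical.
LINKS = [("internet", "router"), ("router", "switch1"),
         ("switch1", "switch2"), ("switch1", "switch4"),
         ("switch2", "server"), ("switch4", "workstation"),
         ("switch4", "printer")]

def build_graph(links):
    graph = {}
    for a, b in links:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph

def path(graph, src, dst):
    """Breadth-first search; returns the hops from src to dst, or []."""
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        for nxt in sorted(graph[node]):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    hops, node = [], dst if dst in prev else None
    while node is not None:
        hops.append(node)
        node = prev[node]
    return hops[::-1]

def tap_sees(graph, tap_link, src, dst):
    """True if unicast traffic between src and dst crosses the tapped link."""
    hops = path(graph, src, dst)
    return frozenset(tap_link) in {frozenset(p) for p in zip(hops, hops[1:])}

def coverage(tap_link, flows, links=LINKS):
    graph = build_graph(links)
    return {flow: tap_sees(graph, tap_link, *flow) for flow in flows}

FLOWS = [("internet", "server"), ("internet", "workstation"),
         ("workstation", "server"), ("workstation", "printer")]

if __name__ == "__main__":
    for tap in [("router", "switch1"), ("switch1", "switch2")]:
        print("tap on", tap)
        for flow, seen in coverage(tap, FLOWS).items():
            print("  ", flow, "visible" if seen else "NOT visible")
```

In this model a tap on the router uplink sees every Internet flow but none of the workstation-to-server traffic, while a tap on the server switch uplink sees both kinds of traffic to the servers but not Internet-to-workstation flows.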

