heavily switched networks

[Russell Fulton <r.fulton () auckland ac nz>]

> Message: 1
> From: Stewart Larsen <slarsen42 () cfl rr com>
> To: snort-users () lists sourceforge net
> Date: Tue, 23 Dec 2003 21:38:33 -0500
> Subject: [Snort-users] heavily switched networks
>
> I've looked into this ad can't seem to find an answer I like. Perhaps
> I'm asking the wrong question.
>
> Suppose I have a network consisting of a gateway which goes into a
> firewall.  The connection from the firewall goes into a switch which
> leads to another level of switches. some of these machines are servers,
> some are workstations. None of the switches have port mirroring (SPAN
> ports).

Without port mirroring you are pretty well stuffed :(  Your best bet is
probably to run snort on each of your servers but the additional CPU
load may not be acceptable.  

Long term, persuade your company to invest in network infrastructure
that facilitates monitoring, eg switches with multiple span ports.  They
are not that much more expensive. 
-- 
Russell Fulton                                    /~\  The ASCII
Network Security Officer                          \ /  Ribbon Campaign
The University of Auckland                         X   Against HTML
New Zealand                                       / \  Email!




-------------------------------------------------------
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users