Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Ethernet Tap vs Span Port

From: Wes Young <wcyoung () buffalo edu>
Date: Tue, 11 Jan 2005 09:25:57 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

It just depends on how much traffic your switch see's. Spanning it def
takes up some resources, so idealy a tap would be the way to go. We use
netoptics, and they seem to do a good job (although we use their fiber
taps, not the 10/100's). Best thing you can do is try out the spanning
port and monitor your stats, if your switch starts to fail, get a tap.

Depending on the size of the network, I used to use a small hub
inbetween the fw and core switch on 10/100's and it seems to work just
as well, especially if you are only working with a single LAN, or a
small switch you have laying around that can be just used for spanning
out the traffic to offload the gw. (Simple techniques, if you already
have the resources).

Victor.Correia () international gc ca wrote:
| Hi All,
|
| I'm currently in the process of implementing Snort. I was wondering
| witch of the TAP or Span port was best route to go.
|
| For the TAP I'm looking at these 2: Critical TAP System NCT3C1 and Net
| Optics 96443 - 10/100 Port Aggregator Tap
|
| Does any of you used one of those? Are they good?
|
| For the spanning port, I was thinking of monitoring the gateway port
| from my core switch to the firewall. I'm a bit concern about spanning
| port, since the switch must duplicate all the incoming and outgoing
| traffic of the switch, could that cause the switch to fail? the switch I
| want to use for that is a Cisco 2950.
|
| Which of these option is the best one to implement Snort on a network to
| monitor only the LAN.
|
| Thank for your input.
|
| Vic

- --
Wes Young
Network Security Analyst
University at Buffalo
GPG Key: http://saxjazman9-security.blogspot.com/2005/01/gpg-key.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (MingW32)

iD8DBQFB4+H1zLe0Tk6uDXYRAocuAKDCJfX+Rm7+b3kKy5fIoqjNEJmBvgCgh8Xr
3RywnqB0U5Lh96SU5lETYP8=
=GoW3
-----END PGP SIGNATURE-----



-------------------------------------------------------
The SF.Net email is sponsored by: Beat the post-holiday blues
Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: