From: Cleophas Toe (CleoYodlee.com)
Date: Mon Apr 15 2002 - 10:58:24 CDT


    TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
    majordomoiss.net Contact issforum-owneriss.net for help with any problems!
    ----------------------------------------------------------------------------

    Good morning,

    Good setup. There are several problems here. You are talking about segments?
    Not VLANs?
    Well, that's the main issue here.

    First of all, RS theoretically will handle 100. If the aggregated traffic
    for all the switches is more than 100, packets will be dropped.

    Second, you will need to define a span port (Span/monitor... Also make sure
    it's bi-directional otherwise Kill actions will not work) on each switch and
    copy the traffic of each port on that switch to that port.

    At this point you will need another switch where you will connect all these 5
    span ports from each of your five switches. Again on that switch you will
    need to have a span port to copy the traffic from these 5 ports to the
    defined port. RealSecure Network Sensor will then be plugged into that port to
    get all the traffic from the 5 switches.

    You do not need to cut anything. Set up your monitoring card on the
    RealSecure Sensor to be promiscuous. That way there is no path from the
    sensor to the switch from that interface (No IP connectivity).

    In the case of VLANs this configuration will be different since you cannot
    define a span port across them. If you are using "trunks", in that case the trunk
    port will be your target.

    Please let me know if I misunderstood your scenario, then we can discuss
    possible config.

    P.S.: why not use the feature in RealSecure that allows you to manage several
    network segments from one single IDS machine (This will work well on
    NT/2000... On Sun Solaris, it will work better with 2 segments only)

    Best.

    Cleo

    -----Original Message-----
    From: andres.friedlich.pwcglobal.com
    [mailto:andres.friedlich.pwcglobal.com]
    Sent: Monday, April 15, 2002 12:29 AM
    To: issforumiss.net
    Subject: How to merge several switched LAN segments

    Hi there

    I am looking for a trick to merge the traffic of about 5 switched Fast
    Ethernet LAN segments together in order to monitor the total traffic with
    only one RS Network Sensor. Most of the LAN segments are on different
    physical switches (DMZ, RAS, WAN Segments), but in the same physical
    location.
    All links are Full-Duplex - and we would like to keep that up to the IDS
    Interface (to prevent packet loss due to collisions).
    All this traffic should then be collected on a single 'IDS-Switch', which
    then mirrors all the incoming segments/traffic to the IDS interface port.

    As this IDS switch (Cisco 2924) does not support *unidirectional* port
    mirroring (SPAN), we need another solution to prevent the mix-up or
    backflow of traffic to the source switches (also for security reasons).
    I've heard something about cutting the TX lines in the Twisted-Pair patch
    cables that lead to the IDS switch, to prevent the back-flow of traffic.
    Has anyone done this already, and if so, how do I trick the switch to keep
    the port 'up', despite the cut TX line?
    Any other ideas or tricks to merge multiple switched LAN segments onto the
    IDS network interface?

    Many thanks!
    Andres

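Cleo's first point, that a 100 Mb/s sensor port silently drops whatever the five mirrored full-duplex segments push beyond it, can be checked on paper before any cabling is done. The script below is an added example, not code from the thread, from ISS or from either poster; the switch names, the utilisation figures and the assumption that every link and every mirror port is 100 Mb/s Fast Ethernet are mine.

```python
from math import ceil

LINK_MBPS = 100  # Fast Ethernet, one direction; assumed for every link here

def span_offered_load(ports):
    """Load a SPAN destination must transmit to mirror the given source ports.
    ports: [(rx, tx), ...] utilisation in Mb/s per mirrored full-duplex port.
    A bi-directional SPAN copies both directions onto the destination's single
    transmit side, so rx and tx add up (one 50/50 link alone fills a 100 port)."""
    return sum(rx + tx for rx, tx in ports)

def stage_check(offered, capacity=LINK_MBPS):
    """One 'many ports -> one mirror port' stage; returns (carried, dropped)."""
    carried = min(offered, capacity)
    return carried, offered - carried

def plan(switches, sensor_capacity=LINK_MBPS):
    """Two-tier design from the thread: edge SPAN -> aggregator SPAN -> sensor.
    switches: {name: [(rx, tx), ...]}. Returns (per-stage report, fraction of
    offered traffic the sensor sees, sensor interfaces needed for no drops)."""
    report, total_offered, feeds_in = {}, 0, 0
    for name, ports in switches.items():
        offered = span_offered_load(ports)
        carried, dropped = stage_check(offered)  # edge span port is 100 too
        report[name] = {"offered": offered, "carried": carried, "dropped": dropped}
        total_offered += offered
        feeds_in += carried
    # Tier two: the edge feeds reach the aggregator as receive-only traffic
    # (nothing flows back), so mirroring them onto the sensor offers their sum.
    carried, dropped = stage_check(feeds_in, sensor_capacity)
    report["sensor_port"] = {"offered": feeds_in, "carried": carried, "dropped": dropped}
    visibility = carried / total_offered if total_offered else 1.0
    # Dropped mirror traffic is never inspected: a detection blind spot. Spreading
    # the feeds over several sensor interfaces (the multi-segment feature in the
    # P.S.) removes the tier-two drop; this is how many interfaces that takes.
    return report, visibility, max(1, ceil(feeds_in / sensor_capacity))

# Constructed sample utilisation in Mb/s for five segments (not measured data).
SAMPLE_SWITCHES = {
    "dmz": [(30, 20), (10, 5)],
    "ras": [(5, 5)],
    "wan": [(40, 40), (15, 10)],  # 105 offered: overruns its own span port
    "seg4": [(20, 10)],
    "seg5": [(10, 10)],
}

if __name__ == "__main__":
    rep, vis, ifaces = plan(SAMPLE_SWITCHES)
    print(rep["sensor_port"], f"visibility {vis:.0%}", f"{ifaces} interface(s) needed")
```

With the sample figures the WAN switch already loses 5 Mb/s at its own span port, and the sensor port sees well under half of everything offered; the count of sensor interfaces is the cheapest way out of the second-tier drop.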