RE: [ISSForum] SPAN port for IDS monitoring - Cisco switches
From: Leonardo Castex (lcastex at security.cl)
Date: Thu Mar 20 2003 - 15:10:30 CST
Hi:
It depends on the IOS running on your Cisco, but we use port monitor
without any problem.
-----Original Message-----
From: Jones, Jeff [mailto:Jeffrey.Jones at usfc.com]
Sent: Thursday, March 20, 2003 12:46
To: 'Paul Van Gurp'; issforum at iss.net
Subject: RE: [ISSForum] SPAN port for IDS monitoring - Cisco switches
One major problem I have come across is switches running IOS instead of
CatOS.
CatOS SPAN can only receive, it cannot transmit; it does what it calls
Monitor.
-----Original Message-----
From: Paul Van Gurp [mailto:Paul.VanGurp at pwgsc.gc.ca]
Sent: Thursday, March 20, 2003 9:22 AM
To: issforum at iss.net
Subject: [ISSForum] SPAN port for IDS monitoring - Cisco switches
Hi all.
I am not a network specialist by any means so please be gentle. I am
currently attempting to deploy network sensors throughout our
infrastructure. Since we have a switched environment, I have 2 options
(that I am aware of):
* use the SPAN port of a switch for a network IDS
* use network taps.
Many of our switches have several internal interfaces that I would like
to monitor...i.e. one switch will be used for traffic destined for 8
different networks. I would like to be able to plug an IDS into the
SPAN port of the switch and get the networking people to configure the
SPAN port to accept traffic from port 1, 3, and 8 for example because
those are critical network segments. This would allow my IDS to monitor
all 3 of those ports at the same time. The network guys say this is not
possible and I can only span one port on the switch to the SPAN port.
This means using the SPAN port is out of the question for our
environment. I went to the Cisco site and it seems that the switches
are capable of doing what I want, so I am confused.
Question 1: Who is right, i.e. can a SPAN port monitor traffic over
multiple incoming/outgoing ports on a single switch? If not, then why
not?
Question 2: If the network guys are right, then why is the SPAN
port a widely used method of deploying network IDS?
Question 3: If the network guys are right, what other options are open
to me? I mentioned taps, but don't I run into the same issues: 1 tap for
1 network segment, and so in my example above I would require 8 taps for
the switch with 8 ports.
Thanks in advance.
Paul
_______________________________________________
ISSForum mailing list
ISSForum at iss.net
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo
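Editor's note, an added example that is not part of any message in the thread above: the configuration below shows what Paul asked for, a single SPAN session that mirrors several source ports (1, 3 and 8 in his example) to one destination port where the IDS sits, in both the IOS and the CatOS command syntax that Jeff and Leonardo refer to. The interface names, module/port numbers and session number are assumptions chosen for illustration; substitute your own.

```cisco
! --- IOS-based Catalyst (2950/3550-style syntax) ---
! One SPAN session with three source ports; "both" mirrors received and
! transmitted frames on each source.  Interface names are assumptions.
monitor session 1 source interface FastEthernet0/1 both
monitor session 1 source interface FastEthernet0/3 both
monitor session 1 source interface FastEthernet0/8 both
! The IDS monitoring NIC is plugged into this port.  A SPAN destination
! normally only sends mirrored traffic out; it does not forward frames
! the IDS sends in.
monitor session 1 destination interface FastEthernet0/24
!
! Check the session before trusting what the sensor sees:
show monitor session 1
!
! --- CatOS-based Catalyst (4000/5000/6000 supervisor syntax) ---
! Same thing in one command: source ports, then destination port.
! Module/port numbers are assumptions.
set span 1/1,1/3,1/8 2/1 both
show span
```

Two caveats worth checking once this is in place. First, the destination port carries the sum of the source ports' traffic in both directions, so three busy full-duplex 100 Mb/s sources can exceed what one 100 Mb/s destination can deliver, and the switch silently drops the excess; the IDS then misses packets with no indication in its own logs. Second, because the destination port is receive-only from the IDS's point of view (Jeff's point above), a sensor that needs to inject traffic, for example TCP resets, needs either a separate management/response interface or the platform-specific option that permits ingress on the destination port (the `inpkts enable` keyword on CatOS, the `ingress` keyword on IOS destinations that support it); for a passive sensor leave it receive-only, which also keeps the IDS from being addressable from the monitored segments.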