NFR Wizards Archive: RE: future of IDS

RE: future of IDS


Doug Hughes (dougEng.Auburn.EDU)
Sun, 18 Oct 1998 22:04:55 -0500 (CDT)


>
>Not an ignorant question...Definitely a problem in a fair number of cases.
>Question: does every machine on your net have its own port on a hub? If
>so...then there is no easy answer. My general approach has been to have
>every port of a switch branch out to a hub (10 or 100 MB depending on the
>machines on that segment), and have one port on each hub running back to a
>dedicated machine with as many NICs as necessary to monitor each segment. A
>possible alternative would depend on your machines running Windows (95, NT,
>or 98), and using Microsoft's Network Monitor which can monitor traffic on
>a remote machine that has the network monitor agent installed.
>
>Two questions for this crowd:
>1) Anybody know of an equivalent remote packet dump/analysis program for
>unix?
What difference would there be between this and remotely logging into
the machine and running tcpdump or snoop or whatever? That would seem
to be more efficient than redirecting the entire packet stream back
along the channel you are using.

>2) With the reality of GB LAN networking nearing the mainstream, has
>anybody (switch vendor or other) speculated on having, for example, a 10/100 MB
>switch that has a GB port that can spit out all traffic on all ports for
>monitoring? Would seem like an ideal solution for the security conscious.
>

I believe that most switch vendors do this already. I know that
both 3Com and Cisco support this on some if not all of their
switches. You select a port and replicate the traffic on it out
another port.
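Doug's suggestion of logging into the segment's monitor box and running tcpdump there, rather than shipping every packet back over the network, has one practical wrinkle: if the capture is streamed back over the same ssh session, that session's own packets are captured too, inflating the stream and, at worst, feeding on itself. The script below is an added example, not from the original post or from NFR; it assumes a hypothetical sensor host that runs tcpdump and a monitoring host at MON_IP (constructed values), and it excludes the ssh control channel with a BPF filter while letting an extra filter trim the bandwidth further.

```shell
#!/bin/sh
# Added example (not part of the original list post). Stream a tcpdump capture
# from a remote sensor over ssh while excluding the ssh session itself, so the
# capture does not record its own transport. Hypothetical assumptions: the
# sensor host is reachable by ssh on tcp/22, it has tcpdump installed, and the
# remote user may run it (here via sudo).

# build_filter MON_IP [EXTRA_BPF]
# Print a BPF expression that drops the monitor<->sensor ssh traffic and,
# when EXTRA_BPF is given, restricts the capture further to cut bandwidth.
build_filter() {
    mon_ip=$1
    extra=$2
    filter="not (host $mon_ip and tcp port 22)"
    if [ -n "$extra" ]; then
        filter="($extra) and $filter"
    fi
    printf '%s\n' "$filter"
}

# remote_capture SENSOR IFACE MON_IP OUTFILE [EXTRA_BPF]
# Run tcpdump on SENSOR writing pcap to stdout (-w -), packet-buffered (-U)
# so data flows immediately, with full packets (-s 0), and save the stream
# locally as OUTFILE. With DRY_RUN=1 the command is printed, not executed.
remote_capture() {
    sensor=$1; iface=$2; mon_ip=$3; out=$4; extra=$5
    filter=$(build_filter "$mon_ip" "$extra")
    cmd="sudo tcpdump -i $iface -U -s 0 -w - '$filter'"
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'ssh %s "%s" > %s\n' "$sensor" "$cmd" "$out"
        return 0
    fi
    ssh "$sensor" "$cmd" > "$out"
}

# Usage (constructed values): capture only port-80 traffic seen on the
# sensor's eth1, reading the pcap back to monitor host 192.0.2.10.
if [ "${1:-}" = "run" ]; then
    remote_capture sensor.example.net eth1 192.0.2.10 segment1.pcap 'port 80'
fi
```

Run it as `sh capture.sh run` on the monitor host and open the resulting pcap with any analyzer; the extra BPF argument is where you keep the stream down to what the monitor link can carry, which is the bandwidth concern Doug raises.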



This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:11:57 CDT