Subject: Re: IDS on switch with multiple VLANs
From: Drew Simonis (dsimonisFIDERUS.COM)
Date: Thu Nov 02 2000 - 10:04:53 CST


"Kim R. Suszczewicz" wrote:
>
> I am in a similar situation as Michael. Our 8,000 node network has slowly
> migrated to a VLAN switched network with different subnets on each switch.
> The internal sensor traffic has dwindled to a minimal level to only traffic
> that hits back of our firewall. So now the internal sensor doesn't 'see'
> the VLAN to VLAN traffic or traffic within a VLAN. It would seem to be cost
> prohibitive to try and explain to the customer that they need an IDS sensor
> on each switch. So I too would be interested in any other VLAN technical
> solutions or success stories.
>

Cisco makes a version of their IDS that fits into a slot on the
Cat switch, if you are using that. It monitors traffic on the
backplane, so there is no need for SPAN ports, and no worries
about multiple VLANs. Other than this product, which I think presently
only works with Cat6000s, I don't know of any other switch-friendly
IDS out there.

(If you don't mind multiple IDS, I guess you could use something
that tapped the wire instead of plugged into the port on the switch
directly. Dragon (Security Wizards makes it, IIRC) uses an
Ethernet tap to gather data, so it works well in a switched network
as well.)
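The visibility gap the thread describes (a sensor behind the firewall that no longer sees intra-VLAN or VLAN-to-VLAN traffic, versus a tap or backplane feed that does) can be measured rather than guessed at. The following Python script is an added example, not code from the thread or from any of the products mentioned: it parses raw Ethernet frames the way a sensor on a SPAN port or tap would receive them, attributes each frame to a VLAN (from the 802.1Q tag, or from the source subnet when untagged), classifies it as intra-VLAN, inter-VLAN or external, and lists the configured VLANs the feed never shows. The VLAN numbers, subnets and sample frames are constructed for the example.

```python
"""IDS feed coverage check for a VLAN-switched network (added example, constructed data)."""
import ipaddress
import struct
from collections import Counter

TPID_8021Q = 0x8100      # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800


def parse_frame(frame: bytes):
    """Return (vlan_id, src_ip, dst_ip) for an IPv4 frame, vlan_id None if untagged.

    Returns None for non-IPv4 or truncated frames so a malformed capture
    cannot crash the coverage check.
    """
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan_id = 14, None
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            return None
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id = tci & 0x0FFF          # VID is the low 12 bits of the TCI
        offset = 18
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[offset:]
    if len(ip) < 20 or (ip[0] >> 4) != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl:
        return None
    return vlan_id, str(ipaddress.IPv4Address(ip[12:16])), str(ipaddress.IPv4Address(ip[16:20]))


def build_frame(vlan_id, src_ip: str, dst_ip: str) -> bytes:
    """Construct a minimal IPv4-in-Ethernet frame, 802.1Q tagged when vlan_id is set."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")   # dst MAC, src MAC (constructed)
    if vlan_id is not None:
        eth += struct.pack("!HH", TPID_8021Q, vlan_id & 0x0FFF)
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    # version/IHL, TOS, total length, ID, flags/frag, TTL, proto (TCP), checksum, src, dst
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                            ipaddress.IPv4Address(src_ip).packed,
                            ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip_header


def coverage_report(frames, vlan_subnets):
    """Summarise which VLANs and which kinds of traffic a sensor feed actually contains.

    vlan_subnets maps VLAN id -> subnet string; VLANs present there but absent
    from the feed are reported as blind spots.
    """
    nets = {vid: ipaddress.ip_network(cidr) for vid, cidr in vlan_subnets.items()}

    def vlan_for(ip):
        addr = ipaddress.ip_address(ip)
        return next((vid for vid, net in nets.items() if addr in net), None)

    per_vlan, categories = Counter(), Counter()
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            categories["unparsed"] += 1
            continue
        tag, src, dst = parsed
        src_vlan = tag if tag is not None else vlan_for(src)   # untagged: infer from source subnet
        dst_vlan = vlan_for(dst)
        if src_vlan is not None:
            per_vlan[src_vlan] += 1
        if dst_vlan is None:
            categories["external"] += 1          # crosses the firewall; the only thing a perimeter sensor sees
        elif dst_vlan == src_vlan:
            categories["intra_vlan"] += 1        # never leaves the switch
        else:
            categories["inter_vlan"] += 1        # routed between VLANs on the switch
    blind = sorted(set(vlan_subnets) - set(per_vlan))
    return {"frames_per_vlan": dict(per_vlan), "categories": dict(categories), "blind_vlans": blind}


# Constructed topology: three user VLANs, one subnet each.
VLAN_SUBNETS = {10: "10.1.10.0/24", 20: "10.1.20.0/24", 30: "10.1.30.0/24"}

# Constructed feed 1: sensor on the inside of the firewall sees only traffic leaving the site.
FIREWALL_SIDE_FEED = [
    build_frame(None, "10.1.10.5", "198.51.100.7"),
    build_frame(None, "10.1.20.9", "203.0.113.4"),
]

# Constructed feed 2: tap or backplane monitor sees switch-local traffic too.
TAP_FEED = [
    build_frame(10, "10.1.10.5", "10.1.10.6"),     # intra-VLAN
    build_frame(10, "10.1.10.5", "10.1.20.9"),     # inter-VLAN
    build_frame(20, "10.1.20.9", "10.1.10.5"),     # inter-VLAN
    build_frame(None, "10.1.10.5", "198.51.100.7"),  # external
]

if __name__ == "__main__":
    for name, feed in (("firewall-side sensor", FIREWALL_SIDE_FEED), ("tap feed", TAP_FEED)):
        print(name, coverage_report(feed, VLAN_SUBNETS))
```

Run against a real SPAN or tap capture, the "intra_vlan" and "inter_vlan" counters are the quickest way to tell whether a placement actually covers the switch-local traffic the thread is worried about, and "blind_vlans" shows which VLANs a given SPAN configuration has left out entirely.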