OSEC

 
From: Samuel festus Stover (sstoverVISTO.COM)
Date: Thu Jan 18 2001 - 14:00:18 CST


    <snip>
    >You know another technical way for solving this
    >problem or exist another product like from Shomiti or
    >NetOptics with support for multi port taps for
    >100BaseTX AND multiple analyse ports ?
    <snip>

    One other way to do it is by using ACL based mirroring. I don't know if any other vendors support it, but the Enterasys Matrix/Cabletron SSR series do it quite nicely. Basically you specify a quad (or a piece of a quad) [quad being source/dest. IPs and ports] and provide a destination/monitor port and any traffic that matches the quad specs goes to the switch. For example, if you specified something like:

    SIP    DIP    S.PORT    D.PORT    -->    Monitor Port
    any    any    any       80        -->    gigE.port

    any traffic (on ANY port on that switch) destined for port 80 will go to the gigE.port where your IDS is sitting. It's really a protocol based mirror as opposed to a port based mirror. You can make the ACL as complex as you like, but be prepared for a performance hit if you get too aggressive.

    DISCLAIMER: I work for Enterasys. ;)

    S. festus

    Blame is for God and small children.
    Dega/"Papillon"
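
An added example (not part of the original message, and not Enterasys configuration syntax): a small Python model of the quad match described above, assuming each rule is compared literally against a packet's own source and destination fields, which the message does not spell out. The addresses, the reply rule and the function names are constructed for illustration; under that assumption the port-80 rule copies only client-to-server packets, so a source-port-80 rule is added to show reply traffic reaching the IDS port too.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "sip dip sport dport")

# Rule lines use the layout from the message: SIP DIP S.PORT D.PORT --> port.
RULE_FROM_MESSAGE = "any any any 80 --> gigE.port"
# Assumed extra rule (not in the message) matching replies sent from port 80.
RULE_REPLIES = "any any 80 any --> gigE.port"

def parse_rule(line):
    """Split one rule line into (sip, dip, sport, dport, monitor_port)."""
    match, _, monitor = line.partition("-->")
    sip, dip, sport, dport = match.split()
    return sip, dip, sport, dport, monitor.strip()

def _ip_ok(spec, addr):
    # "any" is a wildcard; otherwise accept a host or CIDR ("piece of a quad").
    return spec == "any" or (
        ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False))

def _port_ok(spec, port):
    return spec == "any" or int(spec) == port

def monitor_ports(rule_lines, pkt):
    """Monitor ports this packet is copied to; an empty list means not mirrored."""
    hits = []
    for sip, dip, sport, dport, monitor in map(parse_rule, rule_lines):
        if (_ip_ok(sip, pkt.sip) and _ip_ok(dip, pkt.dip)
                and _port_ok(sport, pkt.sport) and _port_ok(dport, pkt.dport)):
            hits.append(monitor)
    return hits

# Constructed sample traffic (documentation addresses, not from the message).
REQUEST = Packet("198.51.100.7", "192.0.2.10", 40000, 80)   # client -> web server
REPLY = Packet("192.0.2.10", "198.51.100.7", 80, 40000)     # web server -> client
SSH = Packet("198.51.100.7", "192.0.2.10", 40001, 22)       # unrelated traffic

if __name__ == "__main__":
    for name, rules in (("message rule only", [RULE_FROM_MESSAGE]),
                        ("plus reply rule", [RULE_FROM_MESSAGE, RULE_REPLIES])):
        for label, pkt in (("request", REQUEST), ("reply", REPLY), ("ssh", SSH)):
            seen = monitor_ports(rules, pkt) or "not mirrored"
            print(f"{name:18} {label:8} -> {seen}")
```
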
