From: Baeder, Jason (GEIO) (Jason.Baeder GEIO.GE.COM)
Date: Thu Apr 19 2001 - 11:43:37 CDT
Joe,
I had considered hubs -- very cost effective. But hubs are not ideal for
this application because of the potential for packet collision. In this
case only a switch will do (to preserve the integrity of the data). So
having decided on multiple switches, I've started to survey lower-end
switches. So far I have found that the Cisco Catalyst 1900 meets the
necessary criteria: it allows mirroring of more than one port to the span
port. (In contrast, a 3Com Superstack II only allows one port to be mirrored to
the span port).
Thanks for your input.
JB
GE Information Services, Inc.
__________________________________________________
Jason Baeder
Information Security Analyst
Phone: (301) 340-5074 Fax: 301-340-4639
Internet Email: jason.baeder geio.ge.com
100 Edison Park Drive, 2-3B1, Gaithersburg, MD 20878
-----Original Message-----
From: Joe Hamelin [mailto:joe nethead.com]
Sent: Wednesday, April 18, 2001 6:07 PM
To: Baeder, Jason (GEIO)
Cc: FOCUS-IDS SECURITYFOCUS.COM
Subject: Re: Which switch for multiple IDS sensors?
That or get a case of cheap 4 port hubs and use them to tap in
between each host and switch port. If you're talking under about 6
hosts, that may be more cost effective.
--
 ------------------------------------------------------------------
| Joe Hamelin <joenethead.com> Edmonds, Washington, US |
| Senior Network Engineer, Amazon.com |
 ------------------------------------------------------------------
On Wed, 18 Apr 2001, Baeder, Jason (GEIO) wrote:
:Joe,
:
:Thanks for the reply. Yes, I know about spanning. Problem is that most
:switches only allow one span: mirror one port to one port, or mirror one
:VLAN to one port. Higher end Cisco Catalysts allow up to two span sessions.
:What the TopLayer Appswitch can do -- that which I would like to find in a
:lower cost switch -- is multiple span sessions.
:
:Here's a crude drawing to clarify:
:
:
: T1 T1 T2 T2 T3 T3 T4 T4
:|----------------------------------------|
:| P1 P2 P3 P4 P5 P6 P7 P8 P9 P10 P11 P12 |
:|________________________________________|
: |-|->S1 |--|--|--|>S2 |--|-->S3
:
:T1 = Tap 1 inputs to switch
:P1/2 = Ports 1 and 2 on the switch, mirrored to Port 3
:S1 = IDS Sensor #1
:
:...and so on.
:
:But if it turns out that I can't do this with any switch other than
:TopLayer, then it appears to be more cost effective to buy a switch for each
:tap+sensor team.
:
:JB
:
:GE Information Services, Inc.
:__________________________________________________
:Jason Baeder
:Information Security Analyst
:Phone: (301) 340-5074 Fax: 301-340-4639
:Internet Email: jason.baeder geio.ge.com
:100 Edison Park Drive, 2-3B1, Gaithersburg, MD 20878
:
:-----Original Message-----
:From: Joe Hamelin [mailto:joe nethead.com]
:Sent: Wednesday, April 18, 2001 4:29 PM
:To: Baeder, Jason (GEIO)
:Cc: FOCUS-IDS SECURITYFOCUS.COM
:Subject: Re: Which switch for multiple IDS sensors?
:
:Most switches do... Cisco calls it spanning and top of the line
:switches will also do RSPAN (remote span, listen to a port on another
:switch and VTP it to the switch the monitor box is on.)
:
:-Joe
:
:--
: ------------------------------------------------------------------
:| Joe Hamelin <joe nethead.com> Edmonds, Washington, US |
:| Senior Network Engineer, Amazon.com |
: ------------------------------------------------------------------