|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Rob Shein (shoten_at_starpower.net)
Date: Wed Oct 02 2002 - 13:24:43 CDT
How do SPAN ports cause broadcast messages? As I know it in Cisco-land,
they're only capable of showing traffic, not receiving it. And how do
they cause network performance problems (assuming the switch isn't
overloaded on processing to begin with)?
And I don't see how changing an IDS wouldn't require unplugging cables
with a tap any less than it would with a switch...
-----Original Message-----
From: Orlando Diaz,TRI [mailto:ODiaz
tricom.com.do]
Sent: Wednesday, October 02, 2002 11:33 AM
To: jeflinuxbe.org; focus-idssecurityfocus.com
Subject: RE: Hub vs. Tap vs. SpanPort
I don't agree.
SpanPort cause a lot of broadcast messages and reduce network
performance. And(of course) you need an available port to span to. Tap's
give you a way to monitor the traffic without interrupt the network, you
don't need to unplug cables and disconnect the switch or servers anytime
you want to use a different sniffer or IDS; and tap's dont affect
network performance and are fault tolerant.
And like you say HUB's are a problem.
-----Original Message-----
From: Jean-Francois Dive [mailto:jeflinuxbe.org]
Sent: Tuesday, October 01, 2002 6:34 PM
To: focus-idssecurityfocus.com
Subject: Re: Hub vs. Tap vs. SpanPort
Hub: the most easy bit, but does not fit in most environement due to the
lack of hub , adding one beeing somehow seen as a problem (hardware
quality, etc..etc..).
Tap: An easy way to the do, but may be expensive in certain case and may
need a shutdown of the network when setting up and is not very easy to
move, change the traffic beeing monitored.
SpanPort: clearly the most easy and flexible solution, but need to be
used smoothly as it could kill your switch.It however give you the great
possibility to change the traffic beeing monitored.
(tip: on a cisco catalyst, use spanport and set the port as a trunk: you
have the vlan tags on the packet as well, which is cool for traffic
repartition and analysis, this at least used to work on a 5500 when i
tested it a year ago).
Jochen Vogel wrote:
> hi,
>
> what are the pros and cons between capturing on an Hub, Tap or
> SpanPort?
>
> thx for infos
> Jo
>
#################################################################
#################################################################
#################################################################
#####
#####
#####
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#####
#####
#####
#################################################################
#################################################################
#################################################################
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]