
RE: about mirroring port

From: David Vertie <verticalrave(at)hotmail.com>
Date: Fri Mar 21 2003 - 00:47:20 EST


There are certain methods available to handle the problem.

First, however, I would recommend that you not try any 'mirroring' or 'port spanning' as they call it. This creates numerous problems within a network, and results in a bottleneck at the IDS. It also slows down the majority speed for users since traffic must be routed to its destination and to the IDS. On some Cisco routers, I believe that you can use a 'tap port', which allows you to connect a high-bandwidth (I believe it is optical) cable to the system that will allow you to route all the traffic from the switch down onto multiple IDSes (or one IDS if you have hardly any traffic). Usually with the multiple IDS distributed network theory, a hardware box breaks up traffic and sends it down to multiple boxes running IDS software (i.e. Snort); it is then filtered for any attempted intrusion attempts and logged in one or more databases.

Something special about the tap port also that I want to note, is that the tap port is a one-way connection, so it is just as secure as the special cable that people make to establish one-way connections to IDSes.

I'm not so certain about the commands on the Cisco routers (I'm not too familiar with them right now), but I believe that you can find good references on Cisco itself. Or rather, books provide lots of information.

>From: "Rob Shein" <shoten@starpower.net>
>To: "'SB CH'" <chulmin2@hotmail.com>, <focus-ids@securityfocus.com>
>Subject: RE: about mirroring port
>Date: Tue, 18 Mar 2003 22:36:22 -0500
>
>Um...



Received on Mon Mar 24 00:03:51 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:10 EDT

