Intrusion Detection Systems mailing list archives
RE: RE: IDS taps in a switched network
From: dnewman () networktest com (David Newman)
Date: Fri, 29 Oct 1999 22:26:25 -0400
> > --Some switches have a "spy port" that allows traffic to be redirected. This
> > is really no better than a monitor hanging off a single port, since only one
> > port at a time can be monitored.
>
> not true, on ciscos you can have a span port which is the "spy" port, but
> redirect entire VLANS to that port, not just traffic from one other port.
Um, the spy port is just ONE port. So what happens when I define a VLAN with, say, 24 ports and redirect all that traffic to one spy port? All those packets ain't gonna fit through that one little narrow doorway. ;-)

24:1 overloading is a somewhat extreme example, but the potential to miss packets exists anytime there is more than one port being redirected. Even in a 2:1 situation I may see only 50 percent of the traffic I'm supposedly monitoring. Monitoring means seeing the traffic -- all of it.

dn
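The oversubscription argument above is easy to check before an IDS is hung off a SPAN/spy port. The following is an added example, not code from the thread or from any switch vendor: it models a mirror session as a set of source ports whose traffic is copied onto one destination port and estimates the fraction the monitor can actually see. It goes beyond the 24:1 and 2:1 cases in the message by also accounting for full-duplex sources, since a SPAN session copies both the receive and transmit side of each source onto the single transmit side of the destination, so even one saturated full-duplex port is already a 2:1 case. The class names, link speeds and utilisation figures are my own assumptions and constructed sample values, not measurements from the original discussion.

```python
"""Estimate IDS visibility through a single SPAN/spy port (added example).

Assumptions (not taken from the thread): the destination is one port whose
only usable capacity is its transmit side; the switch copies both directions
of every source port; frames that do not fit are dropped, not buffered.
"""

from dataclasses import dataclass


@dataclass
class SourcePort:
    """One port whose traffic is mirrored. Utilisations are fractions 0..1."""
    name: str
    link_mbps: float          # link speed, e.g. 100 for Fast Ethernet
    rx_util: float = 1.0      # share of the receive direction that is busy
    tx_util: float = 1.0      # share of the transmit direction that is busy

    def offered_mbps(self) -> float:
        # Both directions are copied, so a saturated full-duplex 100 Mbit/s
        # port offers 200 Mbit/s to the mirror destination.
        return self.link_mbps * (self.rx_util + self.tx_util)


@dataclass
class SpanEstimate:
    offered_mbps: float       # aggregate traffic the switch tries to mirror
    dest_mbps: float          # transmit capacity of the spy/SPAN port
    oversubscription: float   # offered / destination capacity
    visible_fraction: float   # share of mirrored traffic that fits, 0..1

    @property
    def oversubscribed(self) -> bool:
        return self.oversubscription > 1.0


def estimate_span(sources: list[SourcePort], dest_mbps: float) -> SpanEstimate:
    """Worst-case view: everything beyond the destination's capacity is lost."""
    offered = sum(s.offered_mbps() for s in sources)
    ratio = offered / dest_mbps
    visible = min(1.0, dest_mbps / offered) if offered > 0 else 1.0
    return SpanEstimate(offered, dest_mbps, ratio, visible)


def max_sources_for_full_visibility(link_mbps: float, dest_mbps: float,
                                    rx_util: float, tx_util: float) -> int:
    """How many identical source ports fit through the destination without loss."""
    per_source = link_mbps * (rx_util + tx_util)
    if per_source <= 0:
        raise ValueError("source ports must carry some traffic")
    return int(dest_mbps // per_source)


if __name__ == "__main__":
    # Constructed scenario: the 24-port VLAN from the message, 100 Mbit/s ports
    # each 10% busy in both directions, mirrored to one 100 Mbit/s spy port.
    vlan = [SourcePort(f"Fa0/{i}", 100, 0.1, 0.1) for i in range(1, 25)]
    est = estimate_span(vlan, dest_mbps=100)
    print(f"24-port VLAN: {est.oversubscription:.1f}:1, "
          f"IDS sees ~{est.visible_fraction:.0%} of the traffic")

    # The 2:1 case from the message, receive side only on two busy ports.
    two = [SourcePort("Fa0/1", 100, 1.0, 0.0), SourcePort("Fa0/2", 100, 1.0, 0.0)]
    print(f"2:1 half-duplex: sees {estimate_span(two, 100).visible_fraction:.0%}")

    # A single saturated full-duplex port is itself 2:1 against one destination.
    one = [SourcePort("Fa0/1", 100)]
    print(f"1 full-duplex port: sees {estimate_span(one, 100).visible_fraction:.0%}")

    # Planning: how many 100 Mbit/s ports at 50%/50% fit through a gigabit port?
    print("gigabit destination fits", max_sources_for_full_visibility(100, 1000, 0.5, 0.5),
          "such source ports without loss")
```

The `visible_fraction` is an upper bound on what the monitor sees, not a promise: real switches also drop mirrored frames during bursts that fit on average but not instantaneously, so a session that reports `oversubscribed == False` at measured average utilisation can still lose packets at peak. If the session is oversubscribed, the remedies are the ones the thread is circling around: a faster destination port, fewer sources per session, or a tap rather than a mirror.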
Current thread:
- Re: Comparison of several IDS Vin McLellan (Oct 26)
- Re: Comparison of several IDS Herve DEBAR (Oct 27)
- IDS taps in a switched network mark.gandy () dowcorning com (Oct 27)
- Re: IDS taps in a switched network Jackie Chan (Oct 27)
- RE: IDS taps in a switched network David Newman (Oct 28)
- Re: RE: IDS taps in a switched network R. Brockway (Oct 29)
- RE: RE: IDS taps in a switched network David Newman (Oct 29)
- RE: RE: IDS taps in a switched network Jackie Chan (Oct 30)
- RE: RE: IDS taps in a switched network David Newman (Oct 30)
- RE: RE: IDS taps in a switched network (The right tools for the job) Ron Gula (Oct 31)
- <Possible follow-ups>
- RE: Comparison of several IDS pcafarchio () icsa net (Oct 26)
