Intrusion Detection Systems mailing list archives

Re: Fwd: Re: Carrier/ISP Success Stories?

From: mht () clark net
Date: Tue, 25 Jul 2000 16:08:49 -0700

Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner () uow edu au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicted mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
-----------------------------------------------------------------------------
At 10:44 AM 7/25/00 -0400, Ron Gula wrote:

Archive: http://msgs.securepoint.com/ids


Ron,

Are you saying you have installed Dragon Systems for FreeBSD on an ATMbackbone and have successfully kept up with the network traffic?

If so,

How many Frames were processed??
How many Frames were dropped?
TCP Segments detected:?
UDP Datagrams detected:?
ICMP Datagrams detected:?
Others:?
Events Detected:
Unreported:
Invalid Frames:?

Spanning a Catalyst 5500 Switch requires some reconfiguration by the ISPsupport type people to get the port configured properly, that stillrequires some level of knowledge than most NOC monkeys...

>On Mon, 24 Jul 2000, Robert Graham wrote:
>> One problem for which I'm looking for a solution is finding how to tap
into the
>> network in order to see the traffic. With Ethernet, it's easy: simply
attach to
>> a span/mirror/monitor port on the switch or use a full-duplex tap for
>> connections between switches. However, lots of ISPs use an ATM fabric
for their
>> backbones. I still don't know of any good solutions for tapping into
this. Does
>> aanybody have any ideas/success-stories?

We have a version of Dragon for FreeBSD 'working' on ATM although it is not in
production from NSW yet. The toughest part was getting the right ATM cards.
I think
long term, convincing some network guys to drop in an optical splitter into
an OC-3
or OC-12 link will be difficult. If you have a good switch, then spanning a
port
(like in a 5500) may work, but it places a load on the box which is not
needed.
Hardware accelerated switched like those from Alcatel or Cabletron could
help if
you are not a Cisco shop.

Ron Gula
Network Security Wizards

Current thread:

Carrier/ISP Success Stories? Nicholas Brawn (Jul 24)
- <Possible follow-ups>
- Re: Carrier/ISP Success Stories? Robert Graham (Jul 24)
- Fwd: Re: Carrier/ISP Success Stories? Dragos Ruiu (Jul 25)
  - Re: Fwd: Re: Carrier/ISP Success Stories? Ron Gula (Jul 25)
    - Re: Fwd: Re: Carrier/ISP Success Stories? mht (Jul 26)
    - Re: Fwd: Re: Carrier/ISP Success Stories? Dragos Ruiu (Jul 26)
    - Re: Fwd: Re: Carrier/ISP Success Stories? Mark Teicher (Jul 26)