Snort mailing list archives
Re: Switch TAP placement question.
From: Erek Adams <erek () snort org>
Date: Thu, 15 May 2003 13:31:36 -0400 (EDT)
On Thu, 15 May 2003, Brei, Matt wrote:
I have a bank of about 12 24 port switches. All of the routers and firewall are on the first switch, then the servers are on second and third, then all workstations and printers are on the rest. Where should I place the tap so that Internet activity can be monitored as well as compromise attempts against a server or router? Should this go on the router/firewall switch since it is the last switch before the "outside" or should I use more then one tap?
Well... It depends on how things are setup. If you are setup like (and I'll guess you are) [Internet]->[Router]->[1st Switch]->[Other Stuff] Then you can't put an IDS in front of the [Router]. The router will take the telco circuit and convert it into ethernet. Since your IDS uses ethernet to connect with, it can't actually read the telco circuit. If you are setup like: +>[Router 2]->[Switch 2] [Internet]->[Router 1]->[Switch 1]->[Router 3]->[Switch 3] +>[Router 4]->[Switch 4] Then you could tap at between [Router 1] and [Switch 1]. That would give you all traffic that came thru your uplink router. You might want to have a look at some of the IDS placement diagrams on Snort.org [0]. It might give you a bit better idea of how you could do things. Hope that helps! ----- Erek Adams "When things get weird, the weird turn pro." H.S. Thompson [0] http://www.snort.org/docs/#deploy ------------------------------------------------------- Enterprise Linux Forum Conference & Expo, June 4-6, 2003, Santa Clara The only event dedicated to issues related to Linux enterprise solutions www.enterpriselinuxforum.com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Switch TAP placement question. Brei, Matt (May 15)
- Re: Switch TAP placement question. Erek Adams (May 15)