[Snort-users] heavily switched networks
slarsen42 at ...1457...
Wed Dec 24 07:26:04 EST 2003
Well, you tell me. As a network admin in charge of security, should I
be worried about intra-network traffic?
Would I be better off running a host-based IDS like tripwire on the
servers I care about and only sniffing the uplink?
This is all theoretical, BTW. But I'm researching for future
On Wed, 2003-12-24 at 10:21, Erek Adams wrote:
> On Wed, 24 Dec 2003, Stewart Larsen wrote:
> > Right, but where would you tap?
> > Let's assume that I have the gateway and firewall set up going into a 16
> > port switch. We'll call this switch switch:0. Each port on switch:0 goes
> > to another 16 port switch. We'll call these switch:1 through switch:16.
> > I now have a nicely divided network with 16 segments of 16 computers
> > each. That allows me to have 256 computers on my network.
> > How do I effectively monitor traffic within each segment without a
> > switch that supports SPAN? Do I need to sniff on 256 different wires?
> > Or am I missing some fundamental insight here?
> Do you care about network <-> network traffic? If not, then just sniff
> your uplink. Sniff the pipe from the FW to switch:0 and you catch all the
> traffic coming into your network, no matter how many segments you have.
> Erek Adams
> "When things get weird, the weird turn pro." H.S. Thompson
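The two-tier topology in this thread (firewall -> switch:0 -> switch:1..16 -> 16 hosts each) makes the tap question a simple path-coverage calculation: a flow is seen by a tap only if it crosses the link the tap sits on. The following model, added here as an illustration and not code from the original posts, works that out for the three obvious placements: one tap on the FW-to-switch:0 uplink, sixteen taps on the switch:0 ports feeding switch:1..16, or a tap on all 256 access links. It assumes a single broadcast domain with no VLANs, so an access switch forwards host-to-host traffic on the same switch locally without sending it up its uplink; the host naming ("sN-hM"), link naming and the sample flow list are this example's own constructed conventions.

```python
"""Tap-coverage model for a two-tier switched network (added example).

Assumptions (not stated in the thread, chosen for this model):
  * hosts are named "sN-hM" = host M on access switch N; "internet" is any
    host beyond the firewall;
  * each access switch N has one uplink "s0-sN" to switch:0, and switch:0
    has one uplink "fw-s0" to the firewall;
  * the access link to a host is named after the host itself;
  * one flat broadcast domain: an access switch forwards traffic between two
    of its own hosts locally, so that traffic never crosses its uplink.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

NUM_SEGMENTS = 16
HOSTS_PER_SEGMENT = 16


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str


def segment_of(host: str) -> Optional[int]:
    """Access switch number for 'sN-hM', or None for an external host."""
    if host == "internet":
        return None
    seg = int(host.split("-")[0][1:])
    if not 1 <= seg <= NUM_SEGMENTS:
        raise ValueError(f"no such segment for host {host!r}")
    return seg


def links_traversed(flow: Flow) -> Set[str]:
    """Every link the flow crosses, under the assumptions above."""
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    if src_seg is None and dst_seg is None:
        raise ValueError("flow never enters this network")
    links: Set[str] = set()
    for host, seg in ((flow.src, src_seg), (flow.dst, dst_seg)):
        if seg is None:
            links.add("fw-s0")          # crosses the firewall uplink
        else:
            links.add(host)             # the host's own access link
            if seg != src_seg or seg != dst_seg:
                links.add(f"s0-s{seg}")  # leaves its access switch
    return links


# The three tap placements discussed in the thread.
def uplink_tap() -> Set[str]:
    return {"fw-s0"}


def distribution_taps() -> Set[str]:
    return {f"s0-s{n}" for n in range(1, NUM_SEGMENTS + 1)}


def access_taps() -> Set[str]:
    return {f"s{n}-h{m}"
            for n in range(1, NUM_SEGMENTS + 1)
            for m in range(1, HOSTS_PER_SEGMENT + 1)}


def visible(flows: List[Flow], taps: Set[str]) -> List[Flow]:
    """Flows that cross at least one tapped link."""
    return [f for f in flows if links_traversed(f) & taps]


# Constructed sample traffic: two external flows, one inter-segment flow,
# two intra-segment flows.
SAMPLE_FLOWS = [
    Flow("s3-h1", "internet"),
    Flow("internet", "s9-h4"),
    Flow("s3-h1", "s5-h2"),
    Flow("s3-h1", "s3-h2"),
    Flow("s16-h16", "s16-h1"),
]


def coverage_report(flows: List[Flow] = SAMPLE_FLOWS) -> Dict[str, Dict[str, int]]:
    """Number of taps each placement needs and how many flows it can see."""
    return {
        name: {"taps": len(taps), "flows_seen": len(visible(flows, taps))}
        for name, taps in (("uplink", uplink_tap()),
                           ("distribution", distribution_taps()),
                           ("access", access_taps()))
    }


if __name__ == "__main__":
    for placement, stats in coverage_report().items():
        print(f"{placement:>13}: {stats['taps']:3d} taps, "
              f"{stats['flows_seen']}/{len(SAMPLE_FLOWS)} sample flows seen")
```

The result matches Erek's point and also shows the middle option: the single uplink tap sees only what crosses the firewall, sixteen taps on switch:0's ports add every inter-segment flow, and only a tap on every access link (or a SPAN-capable access switch) catches two hosts talking on the same switch.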