[Snort-users] heavily switched networks

Stewart Larsen slarsen42 at ...1457...
Wed Dec 24 07:26:04 EST 2003

Well, you tell me.  As a network admin in charge of security, should I
be worried about intra-network traffic? 

Would I be better off running a host-based IDS like tripwire on the
servers I care about and only sniffing the uplink?

This is all theoretical, BTW.  But I'm researching for future


On Wed, 2003-12-24 at 10:21, Erek Adams wrote:
> On Wed, 24 Dec 2003, Stewart Larsen wrote:
> > right, but where would you tap.
> >
> > Let's assume that I have the gateway and firewall set up going into a 16
> > port switch. We'll call this switch switch:0. Each port on switch:0 goes
> > to another 16 port switch.  We'll call these switch:1 through switch:16.
> >
> > I now have a nicely divided network with 16 segments of 16 computers
> > each. That allows me to have 256 computers on my network.
> >
> > How do I effectively monitor traffic within each segment without a
> > switch that supports SPAN?  Do I need to sniff on 256 different wires?
> > or am I missing some fundamental insight here?
> Perhaps....
> Do you care about network <-> network traffic?  If not, then just sniff
> your uplink.  Sniff the pipe from the FW to switch:0 and you catch all the
> traffic coming into your network, no matter how many segments you have.
> Cheers!
> -----
> Erek Adams
>    "When things get weird, the weird turn pro."   H.S. Thompson
Stewart Larsen

More information about the Snort-users mailing list