[Snort-users] heavily switched networks

twig les twigles at ...131...
Wed Dec 24 08:29:01 EST 2003

--- Stewart Larsen <slarsen42 at ...1457...> wrote:
> Well, you tell me.  As a network admin in charge of security,
> should I
> be worried about intra-network traffic? 
> Would I be better off running a host-based IDS like tripwire
> on the
> servers I care about and only sniffing the uplink?
> This is all theoretical, BTW.  But I'm researching for future
> opportunities.

Well yeah, I would definitely worry about intra-network traffic.
 And in this case I believe it would be much simpler to buy
fewer switches with a port mirroring capability than to tap all
those lines or run host-based snort.

Going with your idea of tripwire and sniffing the uplink is an
option if you are less paranoid or can segregate machines at layer-2.

Only fools have all the answers.   

Do you Yahoo!?
Protect your identity with Yahoo! Mail AddressGuard

More information about the Snort-users mailing list