[Snort-users] heavily switched network questions
giermo at ...8381...
Wed Dec 31 08:07:05 EST 2003
> The best solution is to replace the current switches with ones that
> have port mirroring.
> > Suppose I have a network consisting of a gateway which goes into a
> > firewall. The connection from the firewall goes into a switch which
> > leads to another level of switches. Some of these machines are
> > servers, some are workstations. None of the switches have port
> > mirroring (SPAN ports).
Actually, this is not the only solution. This is a very commonly asked
question, and I am sure that these answers can be found in the archive
someplace. To sum it up, here are your options:

Outside-the-firewall monitoring:
1) Put a hub between the firewall and the gateway.
Pros: Cheap, easy.
Cons: Adds a potential point of failure. Potential traffic
bottleneck, but we are dealing with internet speeds here, so if your
gateway is a T1, DSL, cable, etc. connection you will never see speeds
approaching those that would cause a problem.
2) Put a switch with a SPAN port between the firewall and the gateway:
Pros: More robust than #1.
Cons: Point of failure (but you can buy two and set up some sort
of redundancy). More expensive than #1.
Inside the firewall:
1) Use a tap on the firewall-to-first-switch connection:
Pros: The right way to do it. Very robust. Does not interfere
with the traffic, so no added point of failure.
Cons: Can be quite expensive, although they are coming down in
price. You won't see server->server traffic.
2) Put a switch with a SPAN port in place of the switch connected to
Pros: Fairly robust. Not as expensive as #1.
Cons: Won't see server->server traffic if one of the servers is
not on this switch. To see all server->server traffic, all switches
would need SPAN ports with Snort monitoring them.
3) Put a hub between the firewall and the first switch:
Pros: Cheap, easy.
Cons: Traffic bottleneck, but again, we are dealing with
internet traffic here, so it may not be a problem. No server->server
Well, that should sum it up.
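The placement trade-offs in the reply above (a hub or tap inline on one cable versus a SPAN port on one switch, and the server->server blind spots each one leaves) can be checked against a concrete topology before buying anything. The Python below is an added example, not code from the original post or from the Snort project: the topology, host and switch names, sensor placements and flows are constructed to match the network described in the question, and a SPAN sensor is modelled as mirroring every port of its switch.

```python
"""Which flows does a Snort sensor see from a given placement?

Added example (not from the original post or from Snort). The topology is
constructed to match the question: gateway -> firewall -> sw1 -> {sw2, sw3},
with servers on sw2 and workstations on sw3. All names are made up.
"""
from collections import deque

# Constructed topology: each pair is one cable. It is loop-free, as a
# spanning-tree LAN would be, so every pair of hosts has exactly one path.
LINKS = [
    ("gateway", "firewall"),
    ("firewall", "sw1"),
    ("sw1", "sw2"),      # second-level switch holding the servers
    ("sw1", "sw3"),      # second-level switch holding the workstations
    ("sw1", "web1"),     # one server hangs directly off the first switch
    ("sw2", "db1"), ("sw2", "db2"),
    ("sw3", "ws1"), ("sw3", "ws2"),
]

# Sensor placements from the post (names are ours).
#   ("hub"|"tap", (a, b)) sits inline on the a-b cable and sees only that cable.
#   ("span", sw) is a monitor port that mirrors every port of switch sw.
SENSORS = {
    "hub_outside": ("hub", ("gateway", "firewall")),  # outside option 1
    "tap_inside":  ("tap", ("firewall", "sw1")),      # inside option 1
    "span_sw1":    ("span", "sw1"),                   # inside option 2
}

# Flows we want Snort to inspect: inbound to servers, plus east-west traffic.
FLOWS = [
    ("gateway", "web1"),
    ("gateway", "db1"),
    ("ws1", "web1"),
    ("db1", "db2"),   # both servers on sw2: this never transits sw1
    ("ws1", "ws2"),
]


def build_graph(links):
    graph = {}
    for a, b in links:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def path(graph, src, dst):
    """Breadth-first path from src to dst (unique in a loop-free LAN)."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt in graph.get(node, ()):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    if dst not in prev:
        return None
    hops, node = [], dst
    while node is not None:
        hops.append(node)
        node = prev[node]
    return hops[::-1]


def sees(sensor, hops):
    """True if a sensor of this kind/placement observes a flow taking `hops`."""
    kind, where = sensor
    if kind in ("hub", "tap"):
        a, b = where
        return any({hops[i], hops[i + 1]} == {a, b} for i in range(len(hops) - 1))
    if kind == "span":
        # Mirroring all ports means a flow that transits the switch is copied
        # twice (ingress port and egress port); size the monitor port for that.
        return where in hops
    raise ValueError(f"unknown sensor kind {kind!r}")


def coverage(graph, sensors, flows):
    """Map each (src, dst) flow to the names of the sensors that observe it."""
    result = {}
    for src, dst in flows:
        hops = path(graph, src, dst)
        # An unreachable pair is a blind spot for everyone, not a crash.
        result[(src, dst)] = [] if hops is None else [
            name for name, s in sensors.items() if sees(s, hops)]
    return result


def blind_spots(cov):
    """Flows that no sensor observes, sorted for stable output."""
    return sorted(flow for flow, names in cov.items() if not names)


if __name__ == "__main__":
    cov = coverage(build_graph(LINKS), SENSORS, FLOWS)
    for (src, dst), names in cov.items():
        print(f"{src:>8} -> {dst:<8} seen by: {', '.join(names) or 'nobody'}")
    print("blind spots:", blind_spots(cov))
```

Running it shows exactly the reply's caveat: the outside hub and the inside tap both see everything crossing the firewall and nothing else, the SPAN on sw1 additionally sees ws1->web1 because that flow transits sw1, and db1->db2 and ws1->ws2 are seen by nobody until sw2 and sw3 also get SPAN ports with sensors on them. The model ignores two things that matter in practice: a real SPAN session only mirrors the source ports you configure, and a monitor port fed with more mirrored traffic than its link rate silently drops packets, which Snort cannot tell from traffic that never happened.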