[Snort-users] heavily switched network questions

SRH-Lists giermo at ...8381...
Wed Dec 31 08:07:05 EST 2003

> The best solution is to replace the current switches with 
> ones that have
> port mirroring.
> > Suppose I have a network consisting of a gateway which goes into a
> > firewall.  The connection from the firewall goes into a switch which
> > leads to another level of switches. some of these machines 
> are servers,
> > some are workstations. None of the switches have port 
> mirroring (SPAN
> > ports).

Actually this is not the only solution.  This is a very commonly asked
question, and I am sure that these answers can be found in the archive
someplace.  To sum it up, here are your options:

Outside the firewall monitoring:

1)  Put a hub between the firewall and the gateway.

	Pros:  Cheap, easy.
	Cons:  Adding a potential point on failure.  Potential traffic
bottleneck, but we are dealing with internet speeds here, so if your
gateway is a T1, DSL, Cable, etc connection you will never see speeds
approaching those that would cause a problem.

2)  Put a switch with a span port between the firewall and gateway:

	Pros:  More robust than #1
	Cons:  Point of failure. (but you can buy 2 and set up some sort
of redundancy).  More expensive than #1.

Inside the Firewall:

1)  Use a Tap on the Firewall to 1st switch connection

	Pros:  The right way to do it.  Very robust.  Does not interfere
with the traffic, so no added point of failure.
	Cons:  Can be quite expensive, although they are coming down in
price.  You won't see server->server traffic.

2)  Put a switch with a span port in place of the switch connected to
the firewall.
	Pros:  Fairly robust.  Not as expensive as #1.
	Cons:  Wont see server-server traffic if one of the servers is
not on this switch.  To see all server->server traffic, all switches
would need span ports with snort monitoring them.

3)  Put a hub between the firewall and the first switch:

	Pros:  Cheap, easy.
	Cons:  Traffic bottleneck, but again, we are dealing with
internet traffic here, so it may not be a problem.  No server->server

Well, that should sum it up.


More information about the Snort-users mailing list