[Snort-users] Switch TAP placement question.

Erek Adams erek at ...950...
Thu May 15 10:32:07 EDT 2003

On Thu, 15 May 2003, Brei, Matt wrote:

> I have a bank of about 12 24-port switches.  All of the routers and
> firewall are on the first switch, then the servers are on second and
> third, then all workstations and printers are on the rest.  Where should
> I place the tap so that Internet activity can be monitored as well as
> compromise attempts against a server or router?  Should this go on the
> router/firewall switch since it is the last switch before the "outside"
> or should I use more than one tap?

Well...  It depends on how things are set up.

If you are set up like (and I'll guess you are)

[Internet]->[Router]->[1st Switch]->[Other Stuff]

Then you can't put an IDS in front of the [Router].  The router will take
the telco circuit and convert it into ethernet.  Since your IDS uses
ethernet to connect with, it can't actually read the telco circuit.

If you are set up like:
                                  +>[Router 2]->[Switch 2]
[Internet]->[Router 1]->[Switch 1]->[Router 3]->[Switch 3]
                                  +>[Router 4]->[Switch 4]

Then you could tap between [Router 1] and [Switch 1].  That would give
you all traffic that came thru your uplink router.

You might want to have a look at some of the IDS placement diagrams on
Snort.org [0].  It might give you a bit better idea of how you could do

Hope that helps!

Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

[0]	http://www.snort.org/docs/#deploy
