Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Network Tappers, IDS, etc.

from [Tim Hanekamp] Network Security [Permanent Link]
Subject: Network Tappers, IDS, etc.
Date: Fri, 1 Oct 2004 20:21:39 -0500 
Hi-
I have been put in charge of selecting and deploying two IDS systems
here at our corporate office.  I need to have two options for trial
purposes.  I decided to have both of these IDS's be based upon the
Snort technology since I am most familiar with it, and have already
found two products to fulfil this requirement.  I plan on running each
one for two weeks up to a month to make my final report which I will
deliver to management so they can pick which one they would like to
put their money towards.

My next task is to select the hardware for this project.  I was
wondering if I could get some advice for this.  There are five things
I will need to purchase.  The two servers that will be the snort
"sensors" and will sniff the packets and send to the central database
(I plan on installing one outside of the firewall and one inside), the
server which will host the central database, and two network taps
which will duplicate the traffic coming off of our wires to the
sensors.  I plan on getting a pretty hefty server to use as the
database server at the reccomendation of both of the representatives
for these two products.  However, when I questioned them about the
requirements for the sensors they seemed to think it didn't really
matter, and that it would be able to handle it either way.  I couldn't
get a direct answer.

I was wondering if someone with experience deploying Snort in a medium
traffic environment could offer some input as to what the optimal
specifications of a server should be that will just be sniffing out
traffic to send to a database as far a processor speed and amount of
memory.  We currently have a DS3 coming into the office.

Also, I would like any information available on network taps.  We do
not have any more SPAN ports available on our switch so this is not an
option and this needs to be done professionally (i.e. I cannot just
throw a hub on our network rack).  Where should I start looking for
network taps and what price range should I be looking at?  I would
like the tap to be capable of 100Mb lan connections; GigE is
unnecessary.  Are there single taps that I could use for the purpose
of mirroring traffic from two separate lines to two separate servers?
Or must I buy two?

All responses are appreciated.  Thanks.

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE 
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to 
learn more.
--------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Full-Disclosure] Re: On Polymorphic Evasion, Vlad902
Next by Date:  Re: Snort, Alex Butcher, ISC/ISYS
Previous by Thread:  [Full-Disclosure] On Polymorphic Evasion, Phantasmal Phantasmagoria
Next by Thread:  RE: Network Tappers, Andy Cuff
Indexes:  [Date] [Thread] [Top] [All Lists]