Network Security Focus-IDS

RE: Network Tappers, IDS, etc.

Subject: RE: Network Tappers, IDS, etc.
Date: Mon, 4 Oct 2004 13:34:25 -0400
NetOptics sells a 2x1 Regeneration tap that allows two monitoring
devices:

http://www.netoptics.com/products/product_family_details.asp?cid=2&pid=105&Section=products&menuitem=2



-----Original Message-----
From: Tim Hanekamp [mailto:thanekamp@gmail.com] 
Sent: Friday, October 01, 2004 9:22 PM
To: focus-ids@securityfocus.com
Subject: Network Tappers, IDS, etc.


Hi-
I have been put in charge of selecting and deploying two IDS systems
here at our corporate office.  I need to have two options for trial
purposes.  I decided to have both of these IDSs be based upon the Snort
technology since I am most familiar with it, and have already found two
products to fulfil this requirement.  I plan on running each one for two
weeks up to a month to make my final report which I will deliver to
management so they can pick which one they would like to put their money
towards.

My next task is to select the hardware for this project.  I was
wondering if I could get some advice for this.  There are five things I
will need to purchase.  The two servers that will be the snort "sensors"
and will sniff the packets and send to the central database (I plan on
installing one outside of the firewall and one inside), the server which
will host the central database, and two network taps which will
duplicate the traffic coming off of our wires to the sensors.  I plan on
getting a pretty hefty server to use as the database server at the
recommendation of both of the representatives for these two products.
However, when I questioned them about the requirements for the sensors
they seemed to think it didn't really matter, and that it would be able
to handle it either way.  I couldn't get a direct answer.

I was wondering if someone with experience deploying Snort in a medium
traffic environment could offer some input as to what the optimal
specifications of a server should be that will just be sniffing out
traffic to send to a database as far as processor speed and amount of
memory.  We currently have a DS3 coming into the office.

Also, I would like any information available on network taps.  We do not
have any more SPAN ports available on our switch so this is not an
option and this needs to be done professionally (i.e. I cannot just
throw a hub on our network rack).  Where should I start looking for
network taps and what price range should I be looking at?  I would like
the tap to be capable of 100Mb lan connections; GigE is unnecessary.
Are there single taps that I could use for the purpose of mirroring
traffic from two separate lines to two separate servers? Or must I buy
two?

All responses are appreciated.  Thanks.

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT. Go to
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to
learn more.
--------------------------------------------------------------------------

