Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: IPS and Trunking

from [Michaelson, Andrew J] Network Security [Permanent Link]
Subject: RE: IPS and Trunking
Date: Fri, 9 Feb 2007 09:42:26 -0500 
 
We're looking into Tippingpoint, and they stated that sometime in March
they will be releasing an update that will allow separate policies per
VLAN.  If connected to a trunk port, you'd be able apply a separate
policy for each VLAN passing through the device.

I think the original question relates to the Cisco IPS' ability to route
802.1Q traffic, so logically, the IPS is in-line as opposed to listening
on a mirror port.  Here's a link to more info on the subject:
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configura
tion_example09186a0080671a8d.shtml

I would also be interested in hearing more on this topic.

Andy Michaelson, CISSP, SnortCP
Sr. Security Analyst
Pinellas County Government



-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Eric Hines
Sent: Thursday, February 08, 2007 6:00 PM
To: Andrew Plato
Cc: trav_2@hotmail.com; focus-ids@securityfocus.com
Subject: Re: IPS and Trunking

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Trav_2:

You're talking about two separate things.

1) Cisco is a switch and you're talking about a mirror/span port.
Though, network taps > Span ports :)

2) Its not the IDS/IPS that is performing that capability, its the
switch. So its inaccurate to ask if the IDS/IPS vendors you mentioned
can do the same thing.  A span port doesn't care whats hooked up to it,
whether its Snort or a sniffer.

Hope this helps.


Best Regards,

Eric Hines, GCIA, CISSP
CEO, President
Applied Watch Technologies, LLC
1095 Pingree Road
Suite 221
Crystal Lake, IL 60014
Toll Free: (877) 262-7593
Fax: (847) 854-5106
Cell: (847) 456-6785
Web: www.appliedwatch.com



Andrew Plato wrote:

If you create a mirror port and plug in any IPS/IDS, it will see the 
traffic. TippingPoint, ISS, etc. All can do that.

Also, pretty much any decent managed switch can have mirror ports. 
This is not unique to Cisco.

Keep in mind, you cannot do real-time IPS (intrusion prevention) in 
any reliable manner this way. You have to be IN-LINE to do real-time 
blocking and filtering. Passive monitoring off a mirror port only 
allows you to send RSTs to stop stuff, and that is not a very reliable



way to block bad stuff.

___________________________________
Andrew Plato, CISSP, CISM
President/Principal Consultant
Anitian Enterprise Security



-----Original Message-----
From: listbounce@securityfocus.com 
[mailto:listbounce@securityfocus.com]
On Behalf Of trav_2@hotmail.com
Sent: Monday, February 05, 2007 10:44 AM
To: focus-ids@securityfocus.com
Subject: IPS and Trunking

Cisco has a great feature where I can configure all traffic on a 
switch to go to a trunk port, plug in the IPS/IDS to the trunk port 
and see all traffic. Can other vendors, such as Sourcefire, 
TippingPoint, ISS do this?

Thanks,

----------------------------------------------------------------------
--
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from



CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campa
ig
n=intro_sfw
to learn more.
----------------------------------------------------------------------
--



----------------------------------------------------------------------
--
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from



CORE IMPACT.
Go to 
http://www.coresecurity.com/index.php5?module=Form&action=impact&campa
ign=intro_sfw
to learn more.
----------------------------------------------------------------------
--


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFy6t31va6QYTV0EMRAuSkAJ4+1WTm+ugpOAK4Ghzv8ooYyFYi1gCfSC69
cXQfDMCJ7O14l+ZnE/lpTsY=
=ego2
-----END PGP SIGNATURE-----

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaig
n=intro_sfw
to learn more.
------------------------------------------------------------------------


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to 
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
 
to learn more.
------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Distributed intrusion detection systems, Giovanni Davide Sacca'
Next by Date:  RE: IPS and Trunking, John Coke
Previous by Thread:  RE: IPS and Trunking, Andy Cuff
Next by Thread:  RE: IPS and Trunking, Chris Brown
Indexes:  [Date] [Thread] [Top] [All Lists]