Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: IPS and Trunking

from [John Coke] Network Security [Permanent Link]
Subject: RE: IPS and Trunking
Date: Fri, 9 Feb 2007 11:28:15 -0600 
Cisco does offer an "IPS on a stick" feature and is what the OP is
talking about.  Its called Inline VLAN Pairs and is documented here
(line wraps):
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids13/clig
uide/cliinter.htm#wp1047718

Basically:
1) You create another vlan on the switch (for a total of 2).
2) You convert one of the ports to a trunk port and plug the IPS
monitoring port into it.
3) You then take all the access ports and assign them to one VLAN and
the port connected to the gateway to the other vlan.
4) You create a vlan pair in the IPS software to bind the 2 vlans
together.

-John

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Andrew Plato
Sent: Thursday, February 08, 2007 11:38 AM
To: trav_2@hotmail.com; focus-ids@securityfocus.com
Subject: RE: IPS and Trunking

If you create a mirror port and plug in any IPS/IDS, it will see the
traffic. TippingPoint, ISS, etc. All can do that. 

Also, pretty much any decent managed switch can have mirror ports. This
is not unique to Cisco. 

Keep in mind, you cannot do real-time IPS (intrusion prevention) in any
reliable manner this way. You have to be IN-LINE to do real-time
blocking and filtering. Passive monitoring off a mirror port only allows
you to send RSTs to stop stuff, and that is not a very reliable way to
block bad stuff. 

___________________________________
Andrew Plato, CISSP, CISM
President/Principal Consultant
Anitian Enterprise Security



-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of trav_2@hotmail.com
Sent: Monday, February 05, 2007 10:44 AM
To: focus-ids@securityfocus.com
Subject: IPS and Trunking

Cisco has a great feature where I can configure all traffic on a switch
to go to a trunk port, plug in the IPS/IDS to the trunk port and see all
traffic. Can other vendors, such as Sourcefire, TippingPoint, ISS do
this?

Thanks,

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaig
n=intro_sfw
to learn more.
------------------------------------------------------------------------



------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaig
n=intro_sfw 
to learn more.
------------------------------------------------------------------------


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to 
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
 
to learn more.
------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: IPS and Trunking, Michaelson, Andrew J
Next by Date:  RE: Distributed intrusion detection systems, Andy Cuff
Previous by Thread:  Re: IPS and Trunking, Gary Halleen
Next by Thread:  Re: IPS and Trunking, Paul daSilva
Indexes:  [Date] [Thread] [Top] [All Lists]