Well, it depends on how you place them into your network.
The Gs are designed to work IN-LINE. That is you take a link, cut it in
half, and then place the G inline. Thus, the two interfaces on the back
of the appliance provide either side of the link. In this configuration,
the Gs work fine as a passive monitor. They will quietly pass packets
and detect stuff.
However, the original poster alluded to not using them in-line, but as a
passive tap. In other words, using the two ports each to monitor two
different segments. Although ISS does not support this configuration
with the Gs, this will work. You can plug two different segments (a
mirrored port off a switch) into the two interfaces on a G200 and it
will monitor each segment. The unit obviously will not be in-line and it
won't be able to block anything.
But, this is a messy arrangement with the Gs. Gs are designed to pass
packets from one interface to the next. And some of the signatures
depend on watching traffic in a bi-directional manner. So some
signatures will not work correctly. Also, you'll get some funky false
positives. Data analysis in SiteProtector gets to be a challenge as
well. You'll get a lot of events from that sensor. There is no easy way
to separate which event came off which interface. You have to dig inside
the events and look at the interface. This makes correlation and
analysis difficult if not impossible.
The key to this issue is the in-line placement. The Gs are meant to be
in-line. And in that configuration, you can put them into passive
monitoring mode where they just detect stuff, they don't block anything.
The A-series was never designed to be in-line. It's a passive monitor.
And therefore, if you want to just monitor, and never have any blocking
capability, you're better off just buying an A604 than trying to put
weird interface cards into a G200.
_____________________________________
Andrew Plato, CISSP
President/Principal Consultant
ANITIAN ENTERPRISE SECURITY
3800 SW Cedar Hills Blvd, Suite 280
Beaverton, OR 97005
503-644-5656 Office
503-214-8069 Fax
503-201-0821 Mobile
www.anitian.com
_____________________________________
GPG public key available at: http://www.anitian.com/corp/keys.htm
-----Original Message-----
From: Jim Becher [mailto:jim@becher.net]
Sent: Friday, August 19, 2005 10:01 PM
To: Andrew Plato
Subject: RE: [ISSForum] Proventia G in Passive Mode
Andrew,
Can you elaborate on how using Gs for passive monitoring is
kludgy? And how event correlation is confusing. I am currently
planning on using a G model for passive monitoring, and I would
appreciate information on any issues/downsides. I currently have
several A604s deployed, and I am fairly happy with them. But we are
looking at buying some G models, with the thought that at some point
down the road, we might move them in-line.
Thanks!
-jim
-----Original Message-----
From: issforum-bounces@iss.net [mailto:issforum-bounces@iss.net]On
Behalf Of Andrew Plato
Sent: Thursday, August 18, 2005 10:25 AM
To: Castaldo, Benny J; issforum@iss.net
Subject: Re: [ISSForum] Proventia G in Passive Mode
How about getting a A604. It costs about the same as a G200 and you can
monitor 4 segments.
Proventia Gs can be used for passive monitoring, I've done it before.
But its kludgy. Event correlation is confusing. And if you drop some
other card in there - it will void your warranty and support.
I'd go talk to your ISS rep and see about trading in your 200 for a 604.
You'll be a lot happier.
_____________________________________
Andrew Plato, CISSP
President/Principal Consultant
ANITIAN ENTERPRISE SECURITY
3800 SW Cedar Hills Blvd, Suite 280
Beaverton, OR 97005
503-644-5656 Office
503-214-8069 Fax
503-201-0821 Mobile
www.anitian.com
_____________________________________
GPG public key available at: http://www.anitian.com/corp/keys.htm
-----Original Message-----
From: Castaldo, Benny J [mailto:CastaldoBJ@state.gov]
Sent: Tuesday, August 16, 2005 6:59 AM
To: 'issforum@iss.net'
Subject: [ISSForum] Proventia G in Passive Mode
I have a Proventia G 200 right now and I'm going to be using it in
passive mode. I'm looking to monitor 3 different network segments.
Since the Proventia Gs are inline devices they obliviously have two
ports on the monitoring NIC. Has anybody replaced it with a 3 port NIC?
Any special configurations or modifications need to be made to the
appliance to get it to work? Thanks
_______________________________________________
ISSForum mailing list
ISSForum@iss.net
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo/issforum
To contact the ISSForum Moderator, send email to mod-issforum@iss.net
The ISSForum mailing list is hosted and managed by Internet Security
Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
_______________________________________________
ISSForum mailing list
ISSForum@iss.net
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo/issforum
To contact the ISSForum Moderator, send email to mod-issforum@iss.net
The ISSForum mailing list is hosted and managed by Internet Security
Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
_______________________________________________
ISSForum mailing list
ISSForum@iss.net
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo/issforum
To contact the ISSForum Moderator, send email to mod-issforum@iss.net
The ISSForum mailing list is hosted and managed by Internet Security Systems,
6303 Barfield Road, Atlanta, Georgia, USA 30328.
