This is a discussion on Re: [Snort-users] using a tap within the Snort forums, part of the System Security and Security Related category.

On Fri, 2004-06-11 at 13:41, Altrock, Jens wrote:
> hi there,
> we're thinking about buying a tap too, but there are some questions that I
> need to be answered before:
>
> 1. Taps use two channels to get the traffic to the monitoring device (one for
> RX and one for TX). How do I "bond" these channels
> together, if I do need to do that?

Please state your operating system. With Linux you do 'ifenslave', and if you use a RedHat based distribution http://www.linuxgazette.com/node/view/8937 might be of help.

> 2. It is a security violation when using a Sensor connected to the Tap and
> (!) to the internal net (with IP), but it is needed anyway for updating
> rules and
> other issues. Is it anyway reliable?

The tap is a read only connection, and you need a way to:

a) View the alerts
b) Update the signatures

which usually means one more cable to a special analyst LAN (or your local LAN, depending how much money you have to spend..).

You can have a semi air-gapped NIDS sensor, where the only connection is the TAP. If you are in that situation you have to use the plain ol' sneaker net to transfer signature updates (hint: a USB thumb drive stores bigger files and is more reliable than the old 3.5" floppies). For system updates: well, they do 1 GB thumb drives nowadays..

Also, in those circumstances you (should) have a different PC just beside it to do the lookups and signature research. Won't be as effective, but it is doable.. So far I have only seen military installations of this kind, but whatever floats your boat...

And when it comes to reliability of the setup: as long as you don't transfer data from the sensor to the internal network you don't expose the LAN to any additional dangers..

Best regards
Michael Boman

--
Michael Boman <michael.boman@boseco.com>
BOSECO Internet Security Solutions - http://www.boseco.com
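
The bonding step mentioned in the reply above, as an added example that is not part of the original post: a small script that joins a tap's RX and TX legs into one capture interface with `ifenslave`, keeping every interface promiscuous and ARP-silent. The names `bond0`, `eth1`, `eth2`, the helper functions and the `APPLY` switch are assumptions; by default it only prints the commands it would run.

```shell
#!/bin/sh
# Added example: bond the two legs of a network tap on Linux (net-tools + ifenslave).
# Interface names and the APPLY switch are assumptions, not taken from the thread.

# Print the command (default) or execute it when APPLY=1 (requires root).
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

# bond_tap BOND RX_IF TX_IF
# Aggregates both tap legs so the sensor sees both directions on one interface.
bond_tap() {
    [ "$#" -eq 3 ] || { echo "usage: bond_tap BOND RX_IF TX_IF" >&2; return 2; }
    bond=$1 rx=$2 tx=$3

    # Each direction arrives on its own NIC; using one NIC twice loses half the traffic.
    [ "$rx" != "$tx" ] || { echo "RX and TX legs must be different interfaces" >&2; return 2; }

    run modprobe bonding                       # load the bonding driver

    # Bond and both legs: promiscuous, ARP disabled, and no IP address assigned,
    # so the monitoring side stays receive-only.
    for ifc in "$bond" "$rx" "$tx"; do
        run ifconfig "$ifc" promisc -arp up
    done

    # Attach the legs to the bond one at a time.
    run ifenslave "$bond" "$rx"
    run ifenslave "$bond" "$tx"
}

# Show the plan when executed directly with three arguments.
if [ "$#" -eq 3 ]; then
    bond_tap "$@"
fi
```

Run it as `APPLY=1 sh bond_tap.sh bond0 eth1 eth2` to apply the plan, then point the sensor at the bond with `snort -i bond0`.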