Network taps for IDS

Greg Francis francis at gonzaga.edu
Thu Nov 8 17:01:19 GMT 2001


I'm setting up a permanent Snort IDS and I would like to tap into various
parts of the network that lie between the routers and switches. Currently, I
mirror the inbound switch port to dump the traffic to the IDS box. However,
since we can only mirror a port to one other port, we'd have to disable the
mirror periodically to do diagnostics and sometimes it doesn't get switched
back. It also adds overhead to the switch that I would rather avoid.

What I'm wondering is if there is a splitter or tap that you can put on a
CAT5 connection (both 10 and 100 Mbps) that would alleviate the need for me
to mirror one of the ports. I've thought about putting a hub in between the
two switches but that doesn't sound very appealing as a long-term solution.

It can't do anything to degrade performance, increase hop counts, etc.

I want to do this at multiple points in the network. All of the equipment is
CAT5 and in secure locations.

Any solutions out there?

Thanks,
Greg

-- 
Greg Francis
Sr. System Administrator
Gonzaga University
francis at gonzaga.edu
509-323-6896