[unisog] Network taps for IDS

James Robbins robbins.7 at osu.edu
Thu Nov 8 21:21:13 GMT 2001

I'm just about to purchase an Allied Telesyn AT-FH708SW for this very
purpose.  It is an 8 port 10/100 hub (each port auto sense) with a switch
between the 10 and 100 segments.

I haven't got it yet so I can't be sure that it performs as a hub but the
rep assures me that it does.  We shall see.

At 12:01 PM 11/8/01, Greg Francis wrote:

>I'm setting up a permanent Snort IDS and I would like to tap into various
>parts of the network that lie between the routers and switches. Currently, I
>mirror the inbound switch port to dump the traffic to the IDS box. However,
>since we can only mirror a port to one other port, we'd have to disable the
>mirror periodically to do diagnostics and sometimes it doesn't get switched
>back. It also adds overhead to the switch that I would rather avoid.
>What I'm wondering is if there is a splitter or tap that you can put on a
>CAT5 connection (both 10 and 100 Mbps) that would alleviate the need for me
>to mirror one of the ports. I've thought about putting a hub in between the
>two switches but that doesn't sound very appealing as a long-term solution.
>It can't do anything to degrade performance, increase hop counts, etc.
>I want to do this at multiple points in the network. All of the equipment is
>CAT5 and in secure locations.
>Any solutions out there?
>Greg Francis
>Sr. System Administrator
>Gonzaga University
>francis at gonzaga.edu

James A. Robbins
Network Engineer
The Ohio State University
Chemistry Department
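A check for the open question in the reply above (whether the device on the link really repeats the traffic to the IDS port like a hub), added here as an example that is not part of either post: it classifies the link-level lines that `tcpdump -e -n` prints on the sniffing interface. The MAC addresses and the capture lines are constructed for the illustration.

```shell
# Added example (not from either post): decide whether the device on the link
# is repeating traffic to the IDS port like a hub, or only delivering frames a
# switch port would see anyway. Input is the text `tcpdump -e -n` prints for
# each frame; MACs and captures below are constructed for the illustration.
ROUTER_MAC="00:11:22:33:44:55"   # constructed: router end of the tapped link
SWITCH_MAC="66:77:88:99:aa:bb"   # constructed: switch end of the tapped link

# Reads tcpdump -e lines on stdin and prints one of: hub, one-way, switch.
classify_capture() {
  awk -v a="$ROUTER_MAC" -v b="$SWITCH_MAC" '
    { dst = $4; sub(/,$/, "", dst) }          # field 4 is "dst-mac," in -e output
    dst == "ff:ff:ff:ff:ff:ff" { next }       # broadcast reaches a switch port too
    $2 == a && dst == b { ab++ }              # router -> switch frame seen
    $2 == b && dst == a { ba++ }              # switch -> router frame seen
    END {
      if (ab > 0 && ba > 0)      print "hub"      # both directions repeated
      else if (ab > 0 || ba > 0) print "one-way"  # only one direction reaches the IDS
      else                       print "switch"   # only broadcast/own traffic: nothing for Snort
    }'
}

# Constructed capture from a device that repeats both directions of the link.
HUB_SAMPLE='12:00:01.000001 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype IPv4 (0x0800), length 98: 10.0.0.1 > 10.0.0.2: ICMP echo request, id 1, seq 1, length 64
12:00:01.000250 66:77:88:99:aa:bb > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 98: 10.0.0.2 > 10.0.0.1: ICMP echo reply, id 1, seq 1, length 64
12:00:02.000000 66:77:88:99:aa:bb > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.0.0.7 tell 10.0.0.2, length 46'

# Constructed capture from a port that only forwards broadcast, i.e. a switch.
SWITCH_SAMPLE='12:00:02.000000 66:77:88:99:aa:bb > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.0.0.7 tell 10.0.0.2, length 46'

printf '%s\n' "$HUB_SAMPLE"    | classify_capture   # prints: hub
printf '%s\n' "$SWITCH_SAMPLE" | classify_capture   # prints: switch
```

Run it against a live capture with `tcpdump -e -n -i <sniffing interface> -c 200 | classify_capture` once the device is installed; a "one-way" result means only one side of the conversation is reaching the IDS.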
