[unisog] Network taps for IDS

Ed Gibson egibson at uwo.ca
Fri Nov 9 20:15:18 GMT 2001


We have used the Netoptic taps which esentially provide an inline tap that
provides a 100 Meg FDX connection as two separate 100 Meg streams (one for each
direction)

Since we utilized "mothballed" Alpha equipment as our hardware we were able to
facilitate additional loadsharing by connecting each of these tap outputs to an
individual Alpha. One box monitors outbound traffic while the other monitors
inbound. We could of course have installed multiple nics into one box but since
the hardware was available opted for the two nostril SNORT solution.

Ed Gibson
University of Western Ontario

Greg Francis wrote:

> I'm setting up a permanent Snort IDS and I would like to tap into various
> parts of the network that lie between the routers and switches. Currently, I
> mirror the inbound switch port to dump the traffic to the IDS box. However,
> since we can only mirror a port to one other port, we'd have to disable the
> mirror periodically to do diagnostics and sometimes it doesn't get switched
> back. It also adds overhead to the switch that I would rather avoid.
>
> What I'm wondering is if there is a splitter or tap that you can put on a
> CAT5 connection (both 10 and 100 Mbps) that would alleviate the need for me
> to mirror one of the ports. I've thought about putting a hub in between the
> two switches but that doesn't sound very appealing as a long-term solution.
>
> It can't do anything to degrade performance, increase hop counts, etc.
>
> I want to do this at multiple points in the network. All of the equipment is
> CAT5 and in secure locations.
>
> Any solutions out there?
>
> Thanks,
> Greg
>
> --
> Greg Francis
> Sr. System Administrator
> Gonzaga University
> francis at gonzaga.edu
> 509-323-6896



More information about the unisog mailing list