IDS Implementation

  • IDS Implementation

    I would like to set up a Snort box in my environment... what would be the best way to go about this?

    I have read about using a SPAN port on a Cisco switch, to have all traffic come through that 1 port that the IDS will monitor... which doesn't sound that great to me, or there is a network TAP, which I believe is a separate piece of hardware you would have to buy.

    Does anyone have some good examples that have worked well?

  • #2
    Re: IDS Implementation

    Hi ekrengel
    The way of configuring is:
    1. Configure a SPAN port mapped to another port connected to the server/suspicious machine to check.
    2. All traffic is captured by the SNORT scanner and analysed (another Linux/Windows-based station with SNORT installed).
    3. Frequent checks of status and mail/SMS notification on SNORT to monitor issues in real time.
    I think it's not the best way to forward all traffic through the SPAN port, especially in hard-working networks. The best way is to protect valuable information, but if you need complete defense no matter the cost, it's also possible.
    For me it works with an IIS web server and a mirrored port for all incoming traffic from external users.
    Regards
    Denis Laskov
    MCSA/E - CWNA - CCNA

    • #3
      Re: IDS Implementation

      Maybe this will be helpful:
      http://www.cisco.com/warp/public/473/41.html
      Regards
      Denis Laskov
      MCSA/E - CWNA - CCNA

      • #4
        Re: IDS Implementation

        ekrengel,

        SPAN is great if you are on a budget; however, it has weaknesses that you should be aware of. One of the biggest is that it doesn't scale well. The following link goes into detail on these weaknesses. Personally I use NetOptic TAPs.

        http://www.lovemytool.com/blog/2007/...orts-or-t.html

        Ryan
