IDS and Network Taps
#3
I'm deploying them with ISS RealSecure - have you used that? It basically has a function called RSKILL which sends TCP Resets to kill suspicious connections - can I have such a setup which would allow me to inject packets back into the network, given that they are passively monitored from taps?
Also, did you run these taps off a SPAN port for each network segment?
Do you have any (sanitised) docs or links that may give more details?
Many thanks!
#4
I am looking at implementing intrusion detection software on our network, is ISS one of the best?
Is this the sort of thing to prevent internal attacks as well??
David
#5
David,
ISS is very good - can't say if it's the best - there are plenty of IDS comparisons on the net.
Security is a process entailing prevention, detection and response - so the operations/monitoring of IDS software is paramount to its effectiveness - and this tends to be product-independent.
If you would like to know any specifics about ISS - pros and cons, just ask here.
#6
Jeff,
Sorry for the confusion before re. Network taps. I didn't explain it well.
Basically, the taps will run off the main segments and the mirrored ports (from the taps) will go directly into a Cisco switch. This switch will have a SPAN port which will be connected to a network sensor. The problem is getting the network sensor to send RSKILLs back on to the LAN segments.
How could I do this given that the RSKILLs are in fact layer 3 packets disguised as layer 2s?
Cheers!
#8
Firstly, RSKILL is a dangerous function because you actually give away the fact that you're using RealSecure; it can also turn into the world's greatest denial of service attack if configured incorrectly. When I set up a RealSecure system I always set it to drop the connection rather than kill it.
The tap issue is interesting. You either use a SPAN port or a tap, you don't need to do both. If you want maximum performance you need to use a TopCall switch which is supported by ISS.
There are a bunch of documents on the ISS site which detail what you want to do. If you need any more help e-mail me.
Cheers
Jeff
[Edited by Jeff Wiltshire - 3/8/2002 11:41:38 AM]