Snort.org home  
Got Source? About Snort About Sourcefire Snort FAQ
Sourcefire Network Security - the creators of Snort
Snort News Downloads Snort Docs Rules Snort Community Snort Forums Snort Training
Search Site
Search Rules
Account
email
password
not registered?
user preferences

Snort Forums Archive

Archive Home » General Security Discussion » Network tap suggestions

Please note that the categories listed below represent an archived version of our forums pages. To view the current version and be able to post and reply to threads, please register and login here to go to the full forums pages.

[ Notice: Full Version of This Topic ]

Network tap suggestions


Posted by sjf1978 on October 17, 2006 01:24:41

would'nt the best thing for an enterprise solution be using a switch with port mirroring? I'm going to be using a hub with a ethernet recieve only cable should be fun making one up!

Posted by duh on October 25, 2006 07:04:47

Port spanning/mirroring is best.

Posted by rwarner on December 28, 2006 11:13:24

I'm looking into network taps for an Enterprise IDS deployment, and would appreciate any suggstions/warnings any of you might have.

Thanks in advance.

Posted by digus on March 02, 2007 11:09:34

Port spanning/mirroring is NOT best. Spanning/mirroring slows down switches and in turn slows down your network. Spanning/mirroring does not allow you to see lower level network errors (duplicate IPs/MACs, CRCs, etc...). Spanning/mirroring generally limits you to 50Mb/sec full-duplex.

Posted by RogerChien on March 14, 2007 03:35:48

Hi rwarner,

In fact there are many "IDS taps" products in the market.
I don't have experience in using it but some of them can achieve
gigabit throughput without any problem. For example,

http://www.netoptics.com/
http://www.datacomsystems.com/products/network-taps.asp
http://www.criticaltap.com/catalogue.asp
and etc...



Posted by digus on March 14, 2007 04:46:59

I actually now work for a company that sells network TAPs (generally with custom monitoring solutions - but not always), so I know quite a bit about TAPs if anyone has any questions. I can confirm that some TAPs will even support 10Gigabit throughput without any problem. The fun part is finding a monitoring solution to reliably handle these speeds;)

I don't want to blatantly advertise on these forums without permission (so I won't) - but if anyone is interested, I could probably talk my boss into a special "promotional" discount for snort.org users...
site feedback | Terms of Use | Privacy Policy | forum archives ©2008 Snort and Sourcefire are registered trademarks of Sourcefire, Inc. All rights reserved.