> Our network guys say that because we are using high-end backbone and core
> switches they cannot give us a span port or place a hub. My question is, how
> do other large companies implement IDS in a switched environment?
Most likely they are saying that because they are already using the span port for a Sniffer. You have three choices:
1) Ask them to send the span port to a hub that both the sniffer and the IDS can watch.
2) Use a network tap (Shomiti or NetOptics, I think, are two possible vendors here) to tap the network connection.
3) Install the IDS directly in the FW (i.e., use Nokia with ISS RealSecure) so you don't need to put one near the firewall.
I will be doing (1) and (3) when my Nokias are delivered.
Steve
--
Steve Lodin - CISSP
Manager - IT Security
Roche Diagnostics Corp
<[EMAIL PROTECTED]>
317-845-2070
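For readers who have not set one up, here is what option (1) above looks like in switch configuration. This is an added example, not from Steve's post or from any vendor documentation; the thread names no switch vendor, so a Cisco Catalyst running IOS is assumed, and the interface names are illustrative.

```cisco
! Assumed platform: Cisco Catalyst, IOS SPAN syntax. Interface names are made up.
! Mirror both directions of the firewall-facing uplink (the source) onto one
! destination port. That destination port plugs into a shared hub, and both the
! existing Sniffer and the IDS sensor hang off the hub, as in option (1).
monitor session 1 source interface GigabitEthernet1/1 both
monitor session 1 destination interface FastEthernet2/48
!
! Check that the session exists and that the destination is forwarding:
! show monitor session 1
```

Two caveats a practitioner will want before relying on this. First, a SPAN destination port carries mirrored frames only and does not pass ordinary traffic, so the IDS needs a second NIC (on a separate port) for management and alerting. Second, the hub must be a true repeater hub, and it is half duplex: a full-duplex 100 Mbit link mirrored in both directions can present up to 200 Mbit to a 100 Mbit hub, so under load the mirror drops frames and the IDS silently misses traffic. A tap (option 2) avoids this by presenting each direction on its own output, at the cost of needing two receive interfaces on the sensor.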
