[644] in Intrusion Detection Systems
No subject found in mail header
daemon@ATHENA.MIT.EDU (Doug Hughes)
Thu Feb 29 09:34:31 1996
Date: Wed, 28 Feb 1996 18:28:36 +1100 (EST)
From: Doug Hughes <Doug.Hughes@Eng.Auburn.EDU>
Apparently-To: <dougie@MIT.EDU>
Apparently-To: <ids-redist@MIT.EDU>
Apparently-To: <beej@MIT.EDU>
Date: Mon, 26 Feb 1996 09:25:53 -0600
Subject: A further note on sniffers
To: ids@uow.edu.au
Message-Id: <doug-9601261525.AA01015841@netman.eng.auburn.edu>
In-Reply-To: <9602231933.AA00243@gibson>
Sender: owner-ids
Precedence: bulk
Reply-To: ids

I just thought I would add that it is better if you design your network
from the outset to discourage sniffers than to try to detect them
afterwards. There are several ways to do this. The cheapest ones are
getting security-enabled hubs that show packets ONLY to the machine/MAC
address registered to a particular port, or having a switched hub.
This way, you lessen your potential losses. Only packets to that particular
machine will be caught, making promiscuous mode less valuable.
The cheaper of the two is the security-enabled hub. HP and Cabletron
both do this for sure. Check with your sales rep for options. We use our
HPs in this capacity and it works well. One thing to check, though, is that
you only have one machine per port. Chaining another hub off a security-enabled
port causes a HUGE performance hit on the hub.
--
____________________________________________________________________________
Doug Hughes Engineering Network Services
System/Net Admin Auburn University
doug@eng.auburn.edu
Pro is to Con as progress is to congress
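
Added illustration, not part of the original message: a small Python model of the exposure difference the post describes, comparing what a promiscuous-mode host on one port can read behind a plain shared hub, a security-enabled hub and a switched hub. The port numbers, MAC addresses and traffic are constructed sample data, and the delivery rules (one registered MAC per port, broadcasts readable on every port) are modelling assumptions.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed layout: port -> the one MAC registered on it (one machine per port).
PORTS = {1: "00:00:00:00:00:01", 2: "00:00:00:00:00:02",
         3: "00:00:00:00:00:03", 4: "00:00:00:00:00:04"}
PORT_OF = {mac: port for port, mac in PORTS.items()}

# Constructed traffic: (source MAC, destination MAC).
FRAMES = [
    (PORTS[1], PORTS[2]),
    (PORTS[2], PORTS[1]),
    (PORTS[1], PORTS[3]),
    (PORTS[3], BROADCAST),
    (PORTS[4], PORTS[2]),
    (PORTS[2], PORTS[4]),
]

MODES = ("shared_hub", "security_hub", "switched_hub")


def readable_on(mode, src, dst):
    """Ports that receive a readable copy of a frame (assumed model)."""
    if mode not in MODES:
        raise ValueError(f"unknown mode: {mode}")
    others = {p for p in PORTS if p != PORT_OF[src]}
    if mode == "shared_hub" or dst == BROADCAST:
        return others                      # repeated to every other port
    # Security-enabled hub and switched hub: only the destination's port.
    return {p for p in others if PORTS[p] == dst}


def captured(mode, sniffer_port):
    """Everything a promiscuous NIC on sniffer_port would capture."""
    return [(s, d) for s, d in FRAMES
            if sniffer_port in readable_on(mode, s, d)]


def exposed_unicast(mode, sniffer_port):
    """Captured unicast frames that were addressed to some other machine."""
    me = PORTS[sniffer_port]
    return [(s, d) for s, d in captured(mode, sniffer_port)
            if d not in (me, BROADCAST)]


if __name__ == "__main__":
    for mode in MODES:
        print(f"{mode:13s} captured={len(captured(mode, 4))} "
              f"other hosts' unicast={len(exposed_unicast(mode, 4))}")
```
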