Well, it depends on how you place them into your network. The Gs are designed to work IN-LINE. That is, you take a link, cut it in half, and then place the G inline. Thus, the two interfaces on the back of the appliance provide either side of the link. In this configuration, the Gs work fine as a passive monitor. They will quietly pass packets and detect stuff.

However, the original poster alluded to not using them in-line, but as a passive tap. In other words, using the two ports each to monitor two different segments. Although ISS does not support this configuration with the Gs, this will work. You can plug two different segments (a mirrored port off a switch) into the two interfaces on a G200 and it will monitor each segment. The unit obviously will not be in-line and it won't be able to block anything.

But, this is a messy arrangement with the Gs. Gs are designed to pass packets from one interface to the next. And some of the signatures depend on watching traffic in a bi-directional manner. So some signatures will not work correctly. Also, you'll get some funky false positives.

Data analysis in SiteProtector gets to be a challenge as well. You'll get a lot of events from that sensor. There is no easy way to separate which event came off which interface. You have to dig inside the events and look at the interface. This makes correlation and analysis difficult if not impossible.

The key to this issue is the in-line placement. The Gs are meant to be in-line. And in that configuration, you can put them into passive monitoring mode where they just detect stuff; they don't block anything. The A-series was never designed to be in-line. It's a passive monitor. And therefore, if you want to just monitor, and never have any blocking capability, you're better off just buying an A604 than trying to put weird interface cards into a G200.
_____________________________________
Andrew Plato, CISSP
President/Principal Consultant
ANITIAN ENTERPRISE SECURITY

3800 SW Cedar Hills Blvd, Suite 280
Beaverton, OR 97005
503-644-5656 Office
503-214-8069 Fax
503-201-0821 Mobile
www.anitian.com
_____________________________________
GPG public key available at:
http://www.anitian.com/corp/keys.htm

-----Original Message-----
From: Jim Becher [mailto:[EMAIL PROTECTED]
Sent: Friday, August 19, 2005 10:01 PM
To: Andrew Plato
Subject: RE: [ISSForum] Proventia G in Passive Mode

Andrew,

Can you elaborate on how using Gs for passive monitoring is kludgy? And how event correlation is confusing. I am currently planning on using a G model for passive monitoring, and I would appreciate information on any issues/downsides.

I currently have several A604s deployed, and I am fairly happy with them. But we are looking at buying some G models, with the thought that at some point down the road, we might move them in-line.

Thanks!
-jim

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Andrew Plato
Sent: Thursday, August 18, 2005 10:25 AM
To: Castaldo, Benny J; [email protected]
Subject: Re: [ISSForum] Proventia G in Passive Mode

How about getting an A604. It costs about the same as a G200 and you can monitor 4 segments.

Proventia Gs can be used for passive monitoring, I've done it before. But it's kludgy. Event correlation is confusing. And if you drop some other card in there - it will void your warranty and support.

I'd go talk to your ISS rep and see about trading in your 200 for a 604. You'll be a lot happier.

-----Original Message-----
From: Castaldo, Benny J [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 16, 2005 6:59 AM
To: '[email protected]'
Subject: [ISSForum] Proventia G in Passive Mode

I have a Proventia G 200 right now and I'm going to be using it in passive mode. I'm looking to monitor 3 different network segments. Since the Proventia Gs are inline devices they obviously have two ports on the monitoring NIC. Has anybody replaced it with a 3 port NIC? Any special configurations or modifications need to be made to the appliance to get it to work?

Thanks

_______________________________________________
ISSForum mailing list
[email protected]

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to [EMAIL PROTECTED]

The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
