In-line...
> -----Original Message-----
> From: Andrew Plato [mailto:[EMAIL PROTECTED]
> Sent: Saturday, August 20, 2005 12:52 PM
> To: Jim Becher; [email protected]
> Subject: RE: [ISSForum] Proventia G in Passive Mode
>
>
> Well, it depends on how you place them into your network.
>
> The Gs are designed to work IN-LINE. That is you take a link, cut it in
> half, and then place the G inline. Thus, the two interfaces on the back
> of the appliance provide either side of the link. In this configuration,
> the Gs work fine as a passive monitor. They will quietly pass packets
> and detect stuff.
>
> However, the original poster alluded to not using them in-line, but as a
> passive tap. In other words, using the two ports each to monitor two
> different segments. Although ISS does not support this configuration
> with the Gs, this will work. You can plug two different segments (a
> mirrored port off a switch) into the two interfaces on a G200 and it
> will monitor each segment. The unit obviously will not be in-line and it
> won't be able to block anything.
Did the OP say "passive tap"? Or did they just ask about "passive mode"?
If you are passive then the intent was not to block anything anyway, correct?
> But, this is a messy arrangement with the Gs. Gs are designed to pass
> packets from one interface to the next. And some of the signatures
> depend on watching traffic in a bi-directional manner. So some
> signatures will not work correctly. Also, you'll get some funky false
I read the reference to "passive mode" in original post to mean that the
person is capturing traffic via a spanning session or monitor port -- where
they would be seeing bi-directional traffic. Would you still consider this
kludgy/messy?
> positives. Data analysis in SiteProtector gets to be a challenge as
> well. You'll get a lot of events from that sensor. There is no easy way
> to separate which event came off which interface. You have to dig inside
> the events and look at the interface. This makes correlation and
> analysis difficult if not impossible.
Is this not true on an A604 as well? You have to look inside the event at
the "Adapter" field, yes?
> The key to this issue is the in-line placement. The Gs are meant to be
> in-line. And in that configuration, you can put them into passive
> monitoring mode where they just detect stuff, they don't block anything.
Again, the original poster referred to using the device in a "passive
mode" -- which I take to mean they don't want to block anything.
> The A-series was never designed to be in-line. It's a passive monitor.
> And therefore, if you want to just monitor, and never have any blocking
> capability, you're better off just buying an A604 than trying to put
> weird interface cards into a G200.
I agree with your original suggestion of approaching ISS about a trade to
an A604.
> _____________________________________
> Andrew Plato, CISSP
> President/Principal Consultant
> ANITIAN ENTERPRISE SECURITY
>
> 3800 SW Cedar Hills Blvd, Suite 280
> Beaverton, OR 97005
> 503-644-5656 Office
> 503-214-8069 Fax
> 503-201-0821 Mobile
> www.anitian.com
> _____________________________________
>
> GPG public key available at: http://www.anitian.com/corp/keys.htm
>
> -----Original Message-----
> From: Jim Becher [mailto:[EMAIL PROTECTED]
> Sent: Friday, August 19, 2005 10:01 PM
> To: Andrew Plato
> Subject: RE: [ISSForum] Proventia G in Passive Mode
>
> Andrew,
>
> Can you elaborate on how using Gs for passive monitoring is
> kludgy? And how event correlation is confusing. I am currently
> planning on using a G model for passive monitoring, and I would
> appreciate information on any issues/downsides. I currently have
> several A604s deployed, and I am fairly happy with them. But we are
> looking at buying some G models, with the thought that at some point
> down the road, we might move them in-line.
>
> Thanks!
>
>
>
> -jim
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Behalf Of Andrew Plato
> Sent: Thursday, August 18, 2005 10:25 AM
> To: Castaldo, Benny J; [email protected]
> Subject: Re: [ISSForum] Proventia G in Passive Mode
>
>
> How about getting a A604. It costs about the same as a G200 and you can
> monitor 4 segments.
>
> Proventia Gs can be used for passive monitoring, I've done it before.
> But it's kludgy. Event correlation is confusing. And if you drop some
> other card in there - it will void your warranty and support.
>
> I'd go talk to your ISS rep and see about trading in your 200 for a 604.
> You'll be a lot happier.
>
> _____________________________________
> Andrew Plato, CISSP
> President/Principal Consultant
> ANITIAN ENTERPRISE SECURITY
>
> 3800 SW Cedar Hills Blvd, Suite 280
> Beaverton, OR 97005
> 503-644-5656 Office
> 503-214-8069 Fax
> 503-201-0821 Mobile
> www.anitian.com
> _____________________________________
>
> GPG public key available at: http://www.anitian.com/corp/keys.htm
>
>
>
>
> -----Original Message-----
> From: Castaldo, Benny J [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, August 16, 2005 6:59 AM
> To: '[email protected]'
> Subject: [ISSForum] Proventia G in Passive Mode
>
> I have a Proventia G 200 right now and I'm going to be using it in
> passive mode. I'm looking to monitor 3 different network segments.
> Since the Proventia Gs are inline devices they obviously have two
> ports on the monitoring NIC. Has anybody replaced it with a 3 port NIC?
> Any special configurations or modifications need to be made to the
> appliance to get it to work? Thanks
_______________________________________________
ISSForum mailing list
[email protected]
The ISSForum mailing list is hosted and managed by Internet Security Systems,
6303 Barfield Road, Atlanta, Georgia, USA 30328.