Network Computing is part of the Informa Tech Division of Informa PLC


Setting Up an Intrusion Detection System: Page 3 of 8

Many switches and routers have a span port that provides a single port into the network fabric for accessing traffic at the full speed of the port. The primary advantages are cost and simplicity because the span port comes packaged with the switches and routers.

The downside is that the span port tends to be one of the lower-speed ports on the device, and it can deliver only as many bits as flow through a single port. A switch with a gigabit uplink and multiple 100-Mbps ports will have a 100-Mbps span port, for instance. When traffic is heavy, some streams never reach the IDS because the total mirrored flow exceeds the bandwidth of that single span port.

Taps, meanwhile, let an IDS "see" the traffic on a network link, but not become part of the link. In the case of the switch mentioned above, a tap could be inserted into the gigabit link to provide access to the entire data stream, but not affect the network bandwidth. Additionally, devices attached to taps don't require network addresses, and a security device without a network address is less likely to be specifically targeted by an attack.

The growing sophistication of exploits makes it imperative for both sides of a network transaction to be monitored. In some cases, this means putting a tap on a full-duplex port or making sure that the span port is full duplex. Or it may mean a pair of taps or ports (one for each traffic direction).
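To make the span-port limitation concrete, here is an added capacity check (example code, not from the article): it sums the traffic a switch would mirror onto one span port, counting both directions of each full-duplex monitored port as the text recommends, and reports how much of it the IDS would never see. The port names, speeds and utilization figures are constructed for illustration.

```python
"""Span-port oversubscription check for IDS monitoring (added example)."""
from dataclasses import dataclass


@dataclass
class MonitoredPort:
    name: str
    speed_mbps: int   # link speed of the monitored (full-duplex) port
    rx_pct: int       # receive-side utilization, 0-100
    tx_pct: int       # transmit-side utilization, 0-100


@dataclass
class SpanReport:
    offered_mbps: float     # traffic the switch tries to mirror
    capacity_mbps: int      # what the span port can carry toward the IDS
    oversubscribed: bool
    dropped_fraction: float  # share of mirrored traffic the IDS never sees


def span_port_check(ports, span_speed_mbps, both_directions=True):
    """Sum mirrored traffic and compare it with the span port's capacity.

    A span port has a single transmit side toward the IDS, so mirroring
    both rx and tx of one fully loaded 100-Mbps port already offers
    200 Mbps to a 100-Mbps span port. A tap does not have this problem:
    it hands each direction of the link to the IDS on its own output.
    """
    offered = 0.0
    for p in ports:
        offered += p.speed_mbps * p.rx_pct / 100
        if both_directions:
            offered += p.speed_mbps * p.tx_pct / 100
    over = offered > span_speed_mbps
    dropped = (offered - span_speed_mbps) / offered if over else 0.0
    return SpanReport(offered, span_speed_mbps, over, dropped)


# Constructed scenario matching the article: 100-Mbps access ports,
# a gigabit uplink, and a 100-Mbps span port.
ACCESS_PORTS = [MonitoredPort(f"Fa0/{i}", 100, 40, 30) for i in range(1, 5)]
UPLINK = [MonitoredPort("Gi0/1", 1000, 30, 20)]
SPAN_SPEED_MBPS = 100

if __name__ == "__main__":
    for label, ports in (("access ports", ACCESS_PORTS), ("uplink", UPLINK)):
        r = span_port_check(ports, SPAN_SPEED_MBPS)
        print(f"{label}: offered {r.offered_mbps:.0f} Mbps, span {r.capacity_mbps} Mbps,"
              f" dropped {r.dropped_fraction:.0%}")
```

Running it shows the mirror of four modestly loaded access ports already offers 280 Mbps to a 100-Mbps span port, and mirroring the uplink is worse still; either case is where the tap described next is the better choice.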

You also need an interface for administration and control. For security, this port shouldn't be connected to the rest of the production network. If you haven't established a separate administration network (a network with no unsecured access from the production network or remote hosts), do so now.