200GB a day

Peter Van Epp vanepp at sfu.ca
Thu Aug 4 22:40:24 EDT 2011


On Thu, Aug 04, 2011 at 05:08:57AM +0100, Jonathan Tripathy wrote:
> 
> On 04/08/2011 03:15, Peter Van Epp wrote:
> 
> >
> >	Personally I prefer to run the argus sensor on its own box behind a
> >network tap so argus can not affect the production network
> 
> In my ideal scenario, I would also run argus on a separate machine,
> however I'm not sure I trust our network switch not to lose
> performance when configured with a mirror port. It would probably be
> fine for now (about 12Mb/s each way, so about 24Mb/s coming through
> the mirror port), however this isn't really a scalable solution
> unless I'm missing something?

	I don't trust mirror ports either :-) although at this traffic level
you should be fine. What I used to use is Netoptics passive taps which come
in a variety of flavors (fibre, copper and regen which is a multiport repeater
and my usual choice). They go inline with your switch (so no mirror port and
no load on your switch which I agree is a bad thing) and have two monitor 
ports (one for TX and one for RX) that then need two NICs on the argus host.
Because the tap is passive nothing that happens on the monitor ports (which 
don't have any path to the monitored network) can affect the production 
network. With regen taps you can get between 2 and 16 copies of the same 
data to run multiple monitors on i.e. argus, snort and a sniffer all seeing
the same traffic on a 4 port regen tap. Do remember that if you are mirroring
a full duplex connection you can in fact only have 50% utilization on the 
monitored line (unlike a tap) as both tx and receive traffic are merged to the
single transmit port out the mirror. If you get more than 50% traffic you can
hang the switch (been there, done that :-)) which is embarrassing.

Peter Van Epp
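The capacity point made above (a mirror port merges both directions onto one transmit port, a passive tap hands each direction to its own monitor NIC), worked through as an added example that is not part of this thread. The 100 Mb/s link and NIC rates are constructed assumptions; the 12 Mb/s each way figure is the one quoted in the discussion.

```python
"""Capacity check: mirror (SPAN) port versus passive tap for full-duplex monitoring."""
from dataclasses import dataclass


@dataclass
class LinkLoad:
    tx_mbps: float         # traffic in one direction of the monitored full-duplex link
    rx_mbps: float         # traffic in the other direction
    line_rate_mbps: float  # speed of the monitored link (constructed value in the demo)


def mirror_port_check(load: LinkLoad, mirror_rate_mbps: float) -> dict:
    """A mirror port merges TX and RX into the single transmit side of the mirror port,
    so their sum must fit that one port; each direction can use at most half of it."""
    merged = load.tx_mbps + load.rx_mbps
    return {
        "merged_mbps": merged,
        "utilisation": merged / mirror_rate_mbps,
        "oversubscribed": merged > mirror_rate_mbps,
        "max_per_direction_mbps": mirror_rate_mbps / 2,
    }


def passive_tap_check(load: LinkLoad, nic_rate_mbps: float) -> dict:
    """A passive tap delivers TX and RX on separate monitor ports, one NIC each,
    so each direction only has to fit its own NIC and the full line rate is usable."""
    return {
        "tx_utilisation": load.tx_mbps / nic_rate_mbps,
        "rx_utilisation": load.rx_mbps / nic_rate_mbps,
        "oversubscribed": max(load.tx_mbps, load.rx_mbps) > nic_rate_mbps,
        "max_per_direction_mbps": nic_rate_mbps,
    }


def compare(load: LinkLoad, monitor_rate_mbps: float) -> dict:
    """Run both checks so the two architectures can be compared for one traffic profile."""
    return {"mirror": mirror_port_check(load, monitor_rate_mbps),
            "tap": passive_tap_check(load, monitor_rate_mbps)}


if __name__ == "__main__":
    # Constructed scenarios: the quoted 12 Mb/s each way, then a busier 60 Mb/s each way.
    for tx, rx in ((12, 12), (60, 60)):
        result = compare(LinkLoad(tx, rx, 100), 100)
        print(f"{tx}/{rx} Mb/s: mirror oversubscribed={result['mirror']['oversubscribed']}, "
              f"tap oversubscribed={result['tap']['oversubscribed']}")
```

The second scenario is the failure mode described above: 60 Mb/s each way fits a tap's per-direction NICs but merges to 120 Mb/s on a 100 Mb/s mirror port.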
