200GB a day

Jonathan Tripathy jonnyt at abpni.co.uk
Fri Aug 5 07:37:28 EDT 2011


On 05/08/2011 03:40, Peter Van Epp wrote:
> On Thu, Aug 04, 2011 at 05:08:57AM +0100, Jonathan Tripathy wrote:
>> On 04/08/2011 03:15, Peter Van Epp wrote:
>>
>>> 	Personally I prefer to run the argus sensor on its own box behind a
>>> network tap so argus can not affect the production network
>> In my ideal scenario, I would also run argus on a separate machine,
>> however I'm not sure I trust our network switch not to lose
>> performance when configured with a mirror port. It would probably be
>> fine for now (about 12Mb/s each way, so about 24Mb/s coming through
>> the mirror port), however this isn't really a scalable solution
>> unless I'm missing something?
> 	I don't trust mirror ports either :-) although at this traffic level
> you should be fine. What I used to use is Netoptics passive taps which come
> in a variety of flavors (fibre, copper and regen which is a multiport repeater
> and my usual choice). They go inline with your switch (so no mirror port and
> no load on your switch which I agree is a bad thing) and have two monitor
> ports (one for TX and one for RX) that then needs two NICs on the argus host.
> Because the tap is passive nothing that happens on the monitor ports (which
> don't have any path to the monitored network) can affect the production
> network. With regen taps you can get between 2 and 16 copies of the same
> data to run multiple monitors on i.e. argus, snort and a sniffer all seeing
> the same traffic on a 4 port regen tap. Do remember that if you are mirroring
> a full duplex connection you can in fact only have 50% utilization on the
> monitored line (unlike a tap) as both tx and receive traffic are merged to the
> single transmit port out the mirror. If you get more than 50% traffic you can
> hang the switch (been there, done that :-)) which is embarrassing.
>
> Peter Van Epp
Hi Peter,

I looked into the NetOptics hardware, however I can't find pricing 
anywhere online!!
Do you have a rough idea how much their standard copper kit is? I'm 
considering this one:
http://www.netoptics.com/products/network-taps/101001000baset-tap

Thanks



