Hi,

On Fri, Mar 25, 2005 at 02:07:49AM +0100, Per Engelbrecht wrote:
> So far I've done all my "tapping" on the backbone's SPAN port.
> I do have SPAN ports on all the customer switches as well, but don't use
> them right now - I'm building an NDIS master with sensors (hardware
> clients) going into these ports .. all the way down. It's not production
> ready yet, though.

Another approach (which is strongly recommended) would be to apply full
layer 3 separation. Each customer gets a *routed* layer 3 VLAN, and all
IPs in there belong to him. So even if the trojan "spoofs" addresses,
it's still easy to backtrack, because all the /29 or /28 or whatever
subnet is the same customer anyway - and with proper anti-spoofing
filtering, no other source IPs can get out of the VLAN.

But that's getting off-topic on tcpdump-workers. A better list for that
might be cisco-nsp (see http://puck.nether.net/ for a number of very
interesting networker lists).

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                   //www.muc.de/~gert/
Gert Doering - Munich, Germany                       [EMAIL PROTECTED]
fax: +49-89-35655025                                 [EMAIL PROTECTED]
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
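
Added example, not part of the message above or of any list member's code: a small Python model of the per-customer routed-VLAN scheme the message describes, showing the ingress anti-spoofing decision and the backtracking of a source address to its customer. The VLAN ids, customer names, prefixes (documentation ranges) and sample observations are all constructed assumptions.

```python
import ipaddress

# Constructed table: one routed VLAN and subnet per customer (all values assumed).
ALLOCATIONS = {
    101: ("customer-a", ipaddress.ip_network("192.0.2.0/29")),
    102: ("customer-b", ipaddress.ip_network("192.0.2.16/28")),
    103: ("customer-c", ipaddress.ip_network("198.51.100.0/28")),
}

def check_allocations(allocs):
    """Attribution only works if no two customers share address space."""
    nets = sorted(allocs.items(), key=lambda kv: int(kv[1][1].network_address))
    for (v1, (_, n1)), (v2, (_, n2)) in zip(nets, nets[1:]):
        if n1.overlaps(n2):
            raise ValueError(f"VLAN {v1} and VLAN {v2} overlap: {n1} / {n2}")

def ingress_permits(vlan, src):
    """Anti-spoofing rule: a VLAN may only source addresses from its own subnet."""
    entry = ALLOCATIONS.get(vlan)
    return entry is not None and ipaddress.ip_address(src) in entry[1]

def backtrack(src):
    """Map a source address seen upstream back to the (vlan, customer) owning it."""
    for vlan, (customer, net) in ALLOCATIONS.items():
        if ipaddress.ip_address(src) in net:
            return vlan, customer
    return None

def triage(packets):
    """Split (vlan, src) observations into forwarded and dropped-at-ingress."""
    forwarded, dropped = [], []
    for vlan, src in packets:
        (forwarded if ingress_permits(vlan, src) else dropped).append((vlan, src))
    return forwarded, dropped

# Constructed observations: an infected host on VLAN 101 rotating source IPs.
SAMPLE = [
    (101, "192.0.2.2"),     # the host's real address
    (101, "192.0.2.5"),     # spoofed, but still inside the customer's own /29
    (101, "192.0.2.20"),    # spoofed as customer-b: never leaves the VLAN
    (101, "203.0.113.9"),   # spoofed as an outside host: never leaves the VLAN
    (102, "192.0.2.17"),    # unrelated legitimate traffic
]

if __name__ == "__main__":
    check_allocations(ALLOCATIONS)
    for label, rows in zip(("forwarded", "dropped"), triage(SAMPLE)):
        for vlan, src in rows:
            print(label, "vlan", vlan, "src", src)
```

Everything that VLAN 101 manages to get forwarded backtracks to the same customer, spoofed or not, which is the property the message relies on.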