Solutions Fast Track
Switching Basics
- Switches forward unicast frames only to the port where the destination is attached, so an IDS connected to an ordinary switch port sees no non-broadcast traffic.
- There are several ways of getting monitored traffic to an IDS sensor; common ones include SPAN ports and network taps.
- Cisco Catalyst 6000 switches with embedded IDS modules (IDSM) allow traffic to be captured directly from the switch backplane.
- VLAN access-lists (VACLs) are used to select the traffic monitored by the IDSM.
Configuring SPAN
- A SPAN (Switched Port Analyzer) port is a port configured to receive a copy of the traffic passing through other ports on the switch.
- Low-end switch models support only a small number of SPAN sessions and usually require that all monitored ports belong to the same VLAN.
- The Catalyst 4000/6000 support up to six sessions on one switch and allow sources from several VLANs to be combined in one session.
- The commands for configuring SPAN differ between IOS-based switches and CatOS (set-based) switches.
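The same SPAN session expressed in both command sets, as an added configuration example that is not taken from the book: VLAN IDs 10 and 20, the sensor-facing port (GigabitEthernet1/48 on IOS, 5/48 on CatOS) and the session number are assumed values. Lines beginning with ! (IOS) or # (CatOS) are annotations, not commands.

```cisco
! --- IOS-based Catalyst (for example a 6500 running native IOS) ---
! Session 1 copies both directions of all traffic in VLANs 10 and 20
! (assumed VLAN IDs) to the port where the IDS sensor is attached.
monitor session 1 source vlan 10 both
monitor session 1 source vlan 20 both
monitor session 1 destination interface GigabitEthernet1/48
!
! Check the session: the destination port should list both sources and
! nothing else; a SPAN destination does not forward normal traffic itself.
show monitor session 1

# --- CatOS (set-based) Catalyst, same intent ---
# set span <source VLANs> <destination mod/port> [rx|tx|both] [create]
# "create" starts an additional session instead of overwriting the first.
set span 10,20 5/48 both create
show span
```

On either platform, keep in mind that an oversubscribed SPAN destination silently drops copies: two full-duplex gigabit VLANs can exceed what one gigabit destination port can carry, so compare the sensor's received packet counts with the switch's interface counters when validating the setup.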
Configuring RSPAN
- Cisco Catalyst 6000 series switches provide Remote SPAN (RSPAN), which allows monitored traffic to be collected across a distributed switch infrastructure.
- RSPAN configuration differs between the switches where traffic is collected (source switches) and the switch where traffic is fed into an IDS sensor (destination switch).
- To configure an RSPAN session, create a dedicated RSPAN VLAN, set this VLAN as the SPAN destination on the source switches, and use the same VLAN as the source of a SPAN session on the destination switch.
- The switches on the path between source and destination switches do not have to be high-end models; only the source and destination switches have to be Catalyst 6000s.
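The three-step procedure above (RSPAN VLAN, source-switch session, destination-switch session) written out for Catalyst 6000 switches running IOS, as an added example that is not the book's own configuration: VLAN 900, the interface names and the session numbers are assumed values. Lines beginning with ! are annotations.

```cisco
! ===== Source switch (where the monitored traffic is collected) =====
! A dedicated VLAN flagged as remote-span; the switch disables MAC
! learning on it, so only ever use it for RSPAN, never for hosts.
vlan 900
 name RSPAN-TO-IDS
 remote-span
!
! Copy both directions of GigabitEthernet2/1 (assumed) into the RSPAN VLAN.
monitor session 2 source interface GigabitEthernet2/1 both
monitor session 2 destination remote vlan 900

! ===== Every switch on the path =====
! Each intermediate switch must know VLAN 900 as an RSPAN VLAN (via VTP,
! or configured as above) and carry it on the trunks toward the destination.
interface GigabitEthernet1/1
 switchport trunk allowed vlan add 900

! ===== Destination switch (where the IDS sensor is attached) =====
vlan 900
 remote-span
!
! The RSPAN VLAN is the session source; the sensor port is the destination.
monitor session 3 source remote vlan 900
monitor session 3 destination interface GigabitEthernet3/10
!
show monitor session 3
```

Because MAC learning is off in the RSPAN VLAN, every frame copied into it is flooded to all trunks that carry VLAN 900; pruning that VLAN from trunks that do not lead to the destination switch keeps the monitored traffic off links where it is not needed.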
Configuring VACLs
- VACLs are used on the Catalyst 6000 to control and redirect traffic within VLANs.
- VLAN access-lists are enforced in hardware and add no forwarding overhead.
- A VACL can also capture a copy of the traffic it permits.
- The captured traffic can then be redirected to a specific port or to the IDSM.
- VACLs are useful for selecting the "interesting" traffic to monitor when the traffic volume is high.
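A VACL that permits all traffic in a VLAN but captures only the HTTP and HTTPS flows for the sensor, as an added example that is not from the book: the ACL and map names, VLAN 10 and the capture ports are assumed values, and for an IDSM the capture port is the module's monitoring port, whose module/port number depends on the IDSM model. Lines beginning with ! (IOS) or # (CatOS) are annotations.

```cisco
! --- Catalyst 6000 running IOS ---
ip access-list extended INTERESTING-TRAFFIC
 permit tcp any any eq 80
 permit tcp any any eq 443
!
! Clause 10: matching packets are forwarded normally AND copied to the
! capture port(s).
vlan access-map IDS-CAPTURE 10
 match ip address INTERESTING-TRAFFIC
 action forward capture
! Clause 20: a VACL ends in an implicit deny, so without this catch-all
! every packet that does not match INTERESTING-TRAFFIC would be dropped.
vlan access-map IDS-CAPTURE 20
 action forward
!
vlan filter IDS-CAPTURE vlan-list 10
!
! The port the sensor (or IDSM monitoring port) is on receives the copies;
! restricting the capture VLAN list keeps other VLANs' captures off it.
interface GigabitEthernet1/48
 switchport
 switchport capture
 switchport capture allowed vlan 10
!
show vlan access-map IDS-CAPTURE
show vlan filter

# --- CatOS equivalent: the capture keyword sits on the ACE itself and the
# capture port is set globally. The final permit ip any any plays the same
# catch-all role as clause 20 above.
set security acl ip IDS-CAPTURE permit tcp any any eq 80 capture
set security acl ip IDS-CAPTURE permit tcp any any eq 443 capture
set security acl ip IDS-CAPTURE permit ip any any
commit security acl IDS-CAPTURE
set security acl map IDS-CAPTURE 10
set security acl capture-ports 5/48
show security acl info IDS-CAPTURE
```

Two checks are worth doing after applying a VACL: confirm with a test host that non-matching traffic in VLAN 10 still flows (proving the catch-all clause is in place), and confirm that the sensor sees only the permitted ports. Note that a capture port behaves like a trunk, so copies arrive 802.1Q-tagged if more than one VLAN is captured.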
Using Network Taps
- Network taps are passive devices that split a monitored link into two data streams, which are copied to the tap's output ports.
- A tap does not disrupt the traffic flow on the link it is inserted into, and if its power fails it continues to pass traffic through itself.
- When the streams from one tap, or from several taps, are to be monitored by a single IDS sensor, an aggregation switch is needed to collect this traffic and output it on one link.
- Bigger taps (or tap panels) offer the reverse feature: they can split the traffic from a high-speed link into several slower data streams so that an array of IDS sensors can be attached to them.
Using Advanced Capture Methods
- Several approaches can be taken in complex environments; the Catalyst 6000 provides the most flexible options for traffic capture.
- SPAN-based configurations are easier to create, for both external sensors and internal IDS modules.
- VACL-based capture is useful for granular selection of traffic, mainly for internal IDSMs.
- Additional filtering can be done by clearing unwanted VLANs off the interswitch trunks or off the internal IDSM's monitoring ports.
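The VLAN-based filtering described in the last point, shown for a Catalyst 6000 running IOS as an added example that is not from the book: the interface names and VLAN IDs are assumed values. Lines beginning with ! are annotations.

```cisco
! 1) Clear VLANs that are not worth monitoring (30 and 40, assumed) off the
!    interswitch trunk that carries traffic toward the sensor.
interface GigabitEthernet1/1
 switchport trunk allowed vlan remove 30,40
!
! 2) When the trunk itself is the SPAN source, limit the session to the
!    VLANs of interest instead of copying every VLAN the trunk carries.
!    IOS on the 6000 expects spaces around the commas in the VLAN list.
monitor session 1 source interface GigabitEthernet1/1 both
monitor session 1 filter vlan 10 , 20
monitor session 1 destination interface GigabitEthernet1/48
!
! Verify which VLANs remain on the trunk and which the session copies.
show interfaces GigabitEthernet1/1 trunk
show monitor session 1
```

Step 1 reduces what crosses the trunk at all, which helps every sensor downstream; step 2 only reduces what the SPAN session copies, so it is the right tool when the trunk must still carry the other VLANs for production traffic.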
Dealing with Encrypted Traffic and IPv6
- Encrypted traffic, by design, cannot be understood by an IDS.
- Tools that encrypt traffic include the various VPNs, SSH connections, and SSL on HTTPS servers.
- The usual workaround is to arrange for the IDS to see the traffic in its unencrypted form, for example by capturing it behind a VPN gateway, or on the link between an SSL accelerator and the HTTP Web server.