Switching Basics
During the last five or so years, Ethernet networks have quietly undergone a major change. Earlier, they were built using hubs, but now switches are used almost everywhere. This change becomes very apparent when we start to consider its effects on the traffic-capturing process and on the deployment of intrusion detection systems. Let's see what the major difference between hubs and switches is and what problems a switched environment presents to an IDS.
The primary difference between a switch and a hub is that the hub is considered shared media, or a single collision domain. Anything that one port on a hub sees, all ports will see, as shown in Figure 9.1.
Figure 9.1: A Hub Broadcasts All Traffic
On the other hand, a switch is a more intelligent device than the average hub: it learns which MAC addresses are located on each of its ports and then stores that information in a lookup table. When the switch receives an Ethernet frame destined for a specific MAC address, it forwards the frame only to the corresponding port, as shown in Figure 9.2.
Figure 9.2: Switch Operation
But there are exceptions to this rule on switches. The switch will send the frame out a single port unless it is a broadcast frame, in which case all ports except the one the frame arrived on will get a copy of the frame. There is a second modification to this rule if the frame's destination MAC address is not in the forwarding table of the switch. In this situation, the switch "floods" the frame out of all of its ports except the one the frame arrived on.
So, to review switch behavior in simple terms, a switch consists of a set of one-port hubs (one per port), which break up the collision domain into multiple collision domains. Since the switch is a layer-2 device, the broadcast domain does not change until we get to the router. Neither hubs nor switches change the header of the frame, so we will see the term "transparent bridges," which refers to the fact that the frame header is not altered in transit through the hub or switch. It is this "switching" of the frame between ports that makes our life with the IDS sensor much more difficult, but not impossible.
The problem posed by switches is that no matter how you connect a traffic-capturing device to a switch, it will not see any traffic, with the exception of broadcast packets (and frames flooded to unknown destinations). There are several options available to avoid this problem (besides using hubs instead of switches, which is usually not practical from the point of view of bandwidth consumption).
One approach is to use network taps, which tend to be passive devices and which are located between a monitored network device and a switch. A network tap copies the traffic from the monitored link to a separate cable which is plugged into an IDS sensor. Taps are designed in a "fail-open" way so that if they break or lose power, the monitored link is not affected. Taps exist for almost any type of line or connection speed, including optical and Gigabit Ethernet lines. We will discuss the use of taps in more detail at the end of this chapter.
Another way to address the capturing problems created by switches is to use the SPAN port feature, provided by most switches currently on the market. SPAN stands for Switch Port Analyzer and is also sometimes called "port mirroring," although technically port mirroring is a subset of the port spanning features. A switch can be configured to have a dedicated port to which any packet that passes through the switch is copied. Depending on the switch model, this process can cause an overhead in packet processing, although there are switches where spanning ports do not affect switching capacity.
Note
When using spanning ports, only packets that get inside the switching backplane are copied to the spanning port. So, for example, frames with incorrect CRCs are dropped when they enter the switch and are therefore not copied to any of the SPAN ports.
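To make the learning, flooding and SPAN behavior described above concrete, here is a toy model of a learning switch, written as an added example for this chapter (it is not code from the book or from any Cisco product). It assumes constructed port numbers, MAC addresses and payloads, and it models the SPAN destination as a dedicated monitor port that carries no regular traffic; the `crc_ok` flag stands in for the frame-check-sequence test a switch performs at ingress. A sniffer on an ordinary port sees only the flooded first frame and the broadcast, while the same sniffer on a SPAN port sees every switched frame, but still not the frame with a bad CRC.

```python
"""Toy model of switch forwarding, flooding and SPAN copying.

Added example, not code from the book; all ports, MAC addresses and
payloads below are constructed for illustration.
"""
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    payload: str
    crc_ok: bool = True  # constructed stand-in for the FCS check done at ingress


class Switch:
    """Learning bridge: each port is its own collision domain, one broadcast domain."""

    def __init__(self, ports, span_port=None):
        self.ports = list(ports)
        self.span_port = span_port  # dedicated monitor port, or None
        self.mac_table = {}         # MAC address -> port it was learned on

    def receive(self, ingress, frame):
        """Return {port: frame} for every port that receives a copy of the frame."""
        if ingress not in self.ports or ingress == self.span_port:
            return {}
        # A frame with a bad CRC is dropped at ingress, before it reaches the
        # backplane, so no port (the SPAN port included) ever gets a copy.
        if not frame.crc_ok:
            return {}
        # Learning: the source MAC is reachable through the ingress port.
        self.mac_table[frame.src] = ingress

        data_ports = [p for p in self.ports if p not in (ingress, self.span_port)]
        if frame.dst == BROADCAST:
            egress = data_ports                                 # broadcast: all other ports
        elif frame.dst in self.mac_table:
            learned = self.mac_table[frame.dst]
            egress = [] if learned == ingress else [learned]    # known unicast: one port
        else:
            egress = data_ports                                 # unknown unicast: flood

        out = {p: frame for p in egress}
        if self.span_port is not None:
            out[self.span_port] = frame                         # SPAN copy of all switched traffic
        return out


def sensor_view(switch, sensor_port, traffic):
    """Payloads a passive sniffer on sensor_port observes for a list of (ingress, frame)."""
    seen = []
    for ingress, frame in traffic:
        if sensor_port in switch.receive(ingress, frame):
            seen.append(frame.payload)
    return seen


# Constructed traffic: host A on port 1, host B on port 2, IDS sensor on port 3.
A, B = "00:00:00:00:00:aa", "00:00:00:00:00:bb"
TRAFFIC = [
    (1, Frame(A, B, "f1")),                        # B not yet learned -> flooded
    (2, Frame(B, A, "f2")),                        # A learned on port 1 -> unicast to port 1
    (1, Frame(A, B, "f3")),                        # B learned on port 2 -> unicast to port 2
    (1, Frame(A, BROADCAST, "arp-request")),       # broadcast -> every port except 1
    (1, Frame(A, B, "corrupt", crc_ok=False)),     # bad CRC -> dropped at ingress
]


def run_without_span():
    """What the sensor sees on a plain switch port."""
    return sensor_view(Switch([1, 2, 3, 4]), 3, TRAFFIC)


def run_with_span():
    """What the sensor sees when port 3 is configured as the SPAN destination."""
    return sensor_view(Switch([1, 2, 3, 4], span_port=3), 3, TRAFFIC)


if __name__ == "__main__":
    print("plain port:", run_without_span())   # ['f1', 'arp-request']
    print("SPAN port :", run_with_span())      # ['f1', 'f2', 'f3', 'arp-request']
```

The model also shows why the first unicast frame leaks to the sensor even without SPAN: until the switch has learned where B lives, the frame is flooded like a broadcast, which is exactly the transient visibility an IDS on an unmirrored port cannot rely on. A tap is not modeled here because it sits on the link itself and sees the frames regardless of what the switch does with them.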
The last option, which is available only with the Cisco Catalyst 6000 IDS Module, is to monitor network traffic directly on the switch backplane. Since the IDSM has access to the switching fabric, there is no need to copy packets between ports to divert them to the IDS; the only configuration task remaining is to specify the "interesting" traffic that needs to be monitored (see Figure 9.3). This is done using VLAN access-lists, or VACLs, which we look at in more detail next.
Figure 9.3: Monitoring Traffic with the IDSM
All three options are discussed in this chapter, although the main means of using an IDS in a switched environment is still the port spanning feature, which will be described in more detail than the other two.