Firewall Wizards mailing list archives
Re: The devil's in the details
From: czarcone () rpm com
Date: Wed, 14 Jul 1999 09:14:01 -0400
Matt,

Some switch manufacturer *did* think of this ahead of time. Cisco's Catalyst series of switches has a neat feature called "span" (not to be confused with Spanning Tree). "span" does exactly what you're looking for; it redirects all transmit/receive traffic from any switched port to any other switched port. Highly useful for sniffing, and by extension, Intrusion Detection Systems.

So, let's say you're on a Catalyst, and you want to direct all traffic from Ethernet slot4/port7 to Ethernet slot6/port12. You would enter the switch's enable mode and type:

    set span 4/7 6/12

Note that the source port (the port you want to sniff) comes first and the destination port (the port where your sniffer/IDS is listening) comes second. DON'T REVERSE THE ORDER OF THE PORTS. The result of reversing the ports should be obvious. (This once happened to a friend of mine. The results were comical, to say the least.)

You can also span an entire VLAN if you have defined one on the switch. This might allow you to sniff, say, your entire perimeter network, not just a single firewall interface.

In theory, the aggregated bandwidth of an entire VLAN can outpace a single port, in which case you could potentially lose some packets. It really depends on the configuration of your VLANs, the size of VLAN broadcast domains, the bandwidth of your firewall's ISP connection, your site usage patterns, etc. You also need to consider the efficiency of your IDS's NIC; not all NICs are created equal. If you want to sniff an *entire* switch (and switches like the Catalyst can be pretty densely populated) you might need those Gigabit blades after all...

Regards,

Christopher Zarcone
Network Security Consultant
RPM Consulting, Inc.

#include <std.disclaimer.h>
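The packet-loss caveat in the reply above (a spanned VLAN can offer more traffic than the single destination port can carry) is easy to underestimate, because SPAN mirrors both the transmit and the receive direction of every source port onto one destination. The following is an added example written for this archive page, not code from either poster or from Cisco: a small Python model that adds up the mirrored load of a set of source ports and reports the oversubscription ratio of the destination port, including the worst case where every source link is saturated in both directions. All port names, link speeds and utilisation figures are constructed sample values.

```python
"""Estimate whether a SPAN/mirror destination port can carry the mirrored traffic.

Added example for illustration; not part of the mailing-list post.
Assumptions (labelled): SPAN copies both rx and tx of each source port to the
destination, so a full-duplex 100 Mb source can offer up to 200 Mb/s of mirrored
traffic, and spanning a VLAN aggregates every member port. All numbers below are
constructed sample values, not measurements.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class SourcePort:
    name: str
    link_mbps: float   # link speed of the source port (full duplex)
    rx_util: float     # fraction of the receive direction in use (0.0 .. 1.0)
    tx_util: float     # fraction of the transmit direction in use (0.0 .. 1.0)

    def mirrored_mbps(self) -> float:
        """Traffic this port contributes to the SPAN destination.

        Both directions are copied onto the single destination link, so they add.
        """
        return self.link_mbps * (self.rx_util + self.tx_util)


def span_load(sources: List[SourcePort], dest_link_mbps: float) -> Tuple[float, float, bool]:
    """Return (offered_mbps, oversubscription_ratio, drop_risk).

    drop_risk is True when the mirrored traffic exceeds the destination link,
    i.e. the sniffer/IDS will miss packets under this load.
    """
    offered = sum(s.mirrored_mbps() for s in sources)
    ratio = offered / dest_link_mbps
    return offered, ratio, ratio > 1.0


def worst_case_ratio(sources: List[SourcePort], dest_link_mbps: float) -> float:
    """Oversubscription if every source link were saturated in both directions.

    This is the figure to size the destination port (or a Gigabit blade) against
    when the IDS must not miss traffic during a flood.
    """
    return sum(2.0 * s.link_mbps for s in sources) / dest_link_mbps


def report(label: str, sources: List[SourcePort], dest_link_mbps: float) -> None:
    offered, ratio, risk = span_load(sources, dest_link_mbps)
    print(f"{label}: {offered:.0f} Mb/s offered to a {dest_link_mbps:.0f} Mb/s port "
          f"(ratio {ratio:.2f}, worst case {worst_case_ratio(sources, dest_link_mbps):.2f}) "
          f"-> {'DROP RISK' if risk else 'ok'}")


if __name__ == "__main__":
    # Constructed sample: one firewall interface, mirrored to a same-speed port.
    firewall = [SourcePort("4/7 firewall", 100.0, rx_util=0.30, tx_util=0.30)]
    report("single port", firewall, dest_link_mbps=100.0)

    # Constructed sample: a 12-port perimeter VLAN, each port lightly loaded.
    vlan = [SourcePort(f"5/{i} vlan-member", 100.0, rx_util=0.20, tx_util=0.20)
            for i in range(1, 13)]
    report("VLAN -> 100 Mb port", vlan, dest_link_mbps=100.0)
    report("VLAN -> 1000 Mb port", vlan, dest_link_mbps=1000.0)
```

Even a single 100 Mb full-duplex source can oversubscribe a 100 Mb destination by 2:1 under load, which is why the worst-case figure, not the average utilisation, is the one to size the IDS port against.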
Date: Tue, 13 Jul 1999 01:14:02 -0400
From: Matt Dunn <matt () electrocentric com>
Subject: The devil's in the details
Hi all,
I'm doing some preliminary planning for a security configuration, and I have what may be a silly question about setting up an IDS. I looked around a bit, and even asked a couple of people (who laughed, but it didn't sound like it was because the question was silly, more of a 'good luck' kind of laugh...)
My problem is that a couple of my networks involve switches, which, as part of the new and improved security policy, will involve VLANs.
I could throw the IDS on a hub with the firewall and connect that to the switch, but that doesn't do anything for internal threats (which are what is necessitating the VLANs.)
Has anyone figured out a good way to set something like this up? Ideally, some switch manufacturer would have thought of this ahead of time, and made a port on the switch that dumped all the packets, but then you're dealing with packet loss unless that one port is significantly faster than the rest of the switch. I could try to figure out some policy based configuration, but I don't want to go buy a gigabit plane for each of my switches, and it doesn't sit right with me to depend on the switch management elements for the completeness of my security data.
Any responses would be appreciated.
- -Matt
Current thread:
- The devil's in the details Matt Dunn (Jul 13)
- Re: The devil's in the details Paul V. Alukal (Jul 13)
- Re: The devil's in the details David Lang (Jul 13)
- Re: The devil's in the details Lance Spitzner (Jul 14)
- Re: The devil's in the details David Lang (Jul 14)
- Re: The devil's in the details Lance Spitzner (Jul 14)
- Re: The devil's in the details Technical Incursion Countermeasures (Jul 14)
- RE: The devil's in the details Thomas Crowe (Jul 14)
- RE: The devil's in the details Brian W. Laing (Jul 14)
- Re: The devil's in the details Security Administrator (Jul 14)
- <Possible follow-ups>
- Re: The devil's in the details czarcone (Jul 14)
- Re: The devil's in the details Tina Lamias (Jul 23)
- RE: The devil's in the details Kyle Starkey (Jul 14)
- Re: The devil's in the details czarcone (Jul 23)