Re: The devil's in the details

[Tina Lamias <tina.lamias () motorola com>]

Christopher,

But the 'span' does not allow you to send a reset to any *bad*
connection attempt does it?? I believe this is why we had to go with a
hub in a certain instance...we could 'watch' but not 'act.'

--Tina
czarcone () rpm com wrote:
> Matt,
>
> Some switch manufacturer *did* think of this ahead of time. Cisco's Catalyst
> series of switches has a neat feature called "span" (not to be confused with
> Spanning Tree). "span" does exactly what you're looking for; it redirects all
> transmit/receive traffic from any switched port to any other switched port.
> Highly useful for sniffing, and by extension, Intrusion Detection Systems.
>
> So, let's say you're on a Catalyst, and you want to direct all traffic from
> Ethernet slot4/port7 to Ethernet slot6/port12. You would enter the switch's
> enable mode and type:
>
> set span 4/7 6/12
>
> Note that the source port (the port you want to sniff) comes first and the
> destination port (the port where your sniffer/IDS is listening) comes second.
> DON'T REVERSE THE ORDER OF THE PORTS. The result of reversing the ports should
> be obvious. (This once happened to a friend of mine. The results were comical to
> say the least).
>
> You can also span an entire VLAN if you have defined one on the switch. This
> might allow you to sniff, say, your entire perimeter network, not just a single
> firewall interface. In theory, the aggregated bandwidth of an entire VLAN can
> outpace a single port, in which case you could potentially lose some packets. It
> really depends on the configuration of your VLANs, the size of VLAN broadcast
> domains, the bandwidth of your firewall's ISP connection, your site usage
> patterns, etc. You also need to consider the efficiency of your IDS's NIC, not
> all NICs are created equal.
>
> If you want to sniff an *entire* switch (and switches like the Catalyst can be
> pretty densely populated) you might need those Gigabit blades after all...
>
> Regards,
>
> Christopher Zarcone
> Network Security Consultant
> RPM Consulting, Inc.
> #include <std.disclaimer.h>
>
> > Date: Tue, 13 Jul 1999 01:14:02 -0400
> > From: Matt Dunn <matt () electrocentric com>
> > Subject: The devil's in the details
>
> > Hi all,
>
> > I'm doing some preliminary planning for a security configuration, and I
> > have what may be a silly question about setting up an IDS. I looked around
> > a bit, and even asked a couple people (who laughed, but it didn't sound
> > like it was because the question was silly, more of a 'good luck' kind of
> > laugh..)
>
> > My problem is that a couple of my networks involve switches, which, as part
> > of the new and improved security policy, will involve VLANs.
>
> > I could throw the IDS on a hub with the firewall and connect that to the
> > switch, but that doesn't do anything for internal threats (which are what
> > is necessitating the VLANs.)
>
> > Has anyone figured out a good way to set something like this up? Ideally,
> > some switch manufacturer would have thought of this ahead of time, and made
> > a port on the switch that dumped all the packets, but then you're dealing
> > with packet loss unless that one port is significantly faster than the rest
> > of the switch. I could try to figure out some policy based configuration,
> > but I don't want to go buy a gigabit plane for each of my switches, and it
> > doesn't sit right with me to depend on the switch management elements for
> > the completeness of my security data.
>
> > Any responses would be appreciated.
>
> > - -Matt