IDS mailing list archives

RE: about mirroring port


From: "David Vertie" <verticalrave () hotmail com>
Date: Fri, 21 Mar 2003 05:47:20 +0000

There are certain methods available to handle the problem.

First however, I would recommend that you not try any 'mirroring' or 'port spanning' as they call it. This creates numerous problems within a network, and results in a bottleneck at the IDS. It also slows down the majority speed for users since traffic must be routed to its destination and to the IDS.

On some Cisco routers, I believe that you can use a 'tap port', which allows you to connect a high-bandwidth (I believe it is optical) cable to the system that will allow you to route all the traffic from the switch down onto multiple IDSes (or one IDS if you have hardly any traffic). Usually with the multiple IDS distributed network theory, a hardware box breaks up traffic and sends it down to multiple boxes running IDS software (i.e. Snort), it is then filtered for any attempted intrusion attempts and logged in one or more databases.

Something special about the tap port also that I want to note, is that the tap port is a one-way connection, so it is just as secure as the special cable that people make to establish one-way connections to IDSes.

I'm not so certain about the commands on the Cisco routers (I'm not too familiar with them right now), but I believe that you can find good references on Cisco itself. Or rather, books provide lots of information.


From: "Rob Shein" <shoten () starpower net>
To: "'SB CH'" <chulmin2 () hotmail com>, <focus-ids () securityfocus com>
Subject: RE: about mirroring port
Date: Tue, 18 Mar 2003 22:36:22 -0500

Um...

If I understand correctly, you're concerned about your aggregate traffic
being greater than 100 Mbps, and therefore you will have problems with
setting up a snort-based IDS on your switch.  It also seems that you're
planning on forcing the sum of your network traffic to pass through your
snort IDS, to slow down the network traffic.  This is because you're
concerned that the IDS will not be able to keep up, as it's not very robust
hardware.

I don't recommend that you do any of this...even if I could come up with an
elegant way to transparently force all traffic on your switch to route
through one box in its travels, the impact on your network would be
horrendous, and the load on the linux box from actually handling the
packets (as well as analyzing them) would be worse than if it were merely
set up as a standard IDS.  Remember, the usability of the network comes
first, the IDS comes second; not the other way around.  Networks are not
installed so that the IDS will have something to do :)

What you can do, given the hardware you have and the options laid out for
you, I would recommend limiting the scope of your IDS monitoring to
inbound/outbound internet traffic, or perhaps to a select broadcast domain.
Either way, you end up dealing with a lesser amount of traffic, which
solves your aggregation problem as well as the challenge of not overloading
your IDS hardware.

> -----Original Message-----
> From: SB CH [mailto:chulmin2 () hotmail com]
> Sent: Monday, March 17, 2003 7:37 PM
> To: focus-ids () securityfocus com
> Subject: about mirroring port
>
>
>
> Hello, all.
>
> I would like to set up an IDS (like Snort) on a mirroring port in a Cisco
> Catalyst switch, but all of the network traffic is over 100M, and my Linux
> server on which Snort is installed is not very good hardware.
>
> So I think that when I set up Snort at the mirroring port, all traffic
> would go via the Linux server, so the network speed would be slow.
>
> Question.
>
> 1. When I set up the mirroring port, would all traffic (for example,
> port 2 traffic) be transferred like this, or is the traffic just copied to
> the mirroring port too?
>
>  (1) client --> mirroring port1 --> port 2
>  (2) client --> port 2
>             --> mirroring port (copy too)
>
> 2. Is there any problem when I set Snort at the mirroring port if the
> traffic is so high (over 100~200M)?
>
> 3. Do you know any commands to set up a mirroring port on a Catalyst
> 400x (CatOS based) switch?
>
>
> Thanks in advance.
>
>
>
> -----------------------------------------------------------
> ALERT: Exploiting Web Applications- A Step-by-Step Attack
> Analysis Learn why 70% of today's successful hacks involve
> Web Application attacks such as: SQL Injection, XSS, Cookie
> Manipulation and Parameter
> Manipulation.
> http://www.spidynamics.com/mktg/webappsecurity71
>

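The following SPAN (port mirroring) configuration is an added example, not part of any message in this thread, that puts Rob's suggestion of limiting the sensor to the Internet link or to one broadcast domain into switch syntax. The module/port numbers, the VLAN number and the sensor port are assumptions: the Internet uplink is taken to be port 2/1, the Snort sensor's sniffing interface port 2/24, and VLAN 10 the "select broadcast domain".

```cisco
! --- CatOS (Catalyst 4000/5000/6000 family), as asked about in question 3 ---
! Assumed layout: Internet uplink on 2/1, Snort sensor sniffing on 2/24.
! Mirror only the Internet uplink, both directions, to the sensor port.
! "inpkts disable" stops the switch from accepting frames the sensor might
! transmit, so the sensor port can only receive copies.
set span 2/1 2/24 both inpkts disable
show span

! Alternative scope (Rob's "select broadcast domain"): mirror one VLAN
! (assumed VLAN 10) in the receive direction only, so a 100 Mbit/s
! destination port sees at most the ingress half of that VLAN's traffic.
! set span 10 2/24 rx inpkts disable

! Tear the session down when finished (all SPAN sessions).
! set span disable all

! --- IOS equivalent (e.g. Catalyst 2950/3550), for comparison ---
! Assumed: uplink on FastEthernet0/1, sensor on FastEthernet0/24.
! monitor session 1 source interface FastEthernet0/1 both
! monitor session 1 destination interface FastEthernet0/24
! show monitor session 1
```

SPAN copies frames; it does not redirect them, so the original forwarding path from the client to port 2 in the poster's diagram (2) is unchanged and the sensor's speed has no effect on users. The trade-off is the one the poster worried about: if the aggregate of the mirrored ports exceeds the destination port's speed, the switch silently drops the excess copies and the IDS sees an incomplete stream. Mirroring a single uplink or VLAN, or one direction only, is how you keep the copied volume under 100 Mbit/s.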