IDS mailing list archives
RE: IDS in a loadbalanced Network
From: "Scholten, Jan" <jan.scholten () siemens com>
Date: Fri, 8 Sep 2006 13:29:44 +0200
Hi *

Well, I am not actually looking for a specific product, as I am doing some research for a diploma thesis, but this thesis will probably be used for some kind of intrusion detection rollout (hopefully). I am currently searching for "good ways" to place IDS in our datacenter. We have multiple STM-1 connections to the internet and several separate server rooms which are connected by port channels. We use C6506 couples (for redundancy) as backbone switches and C4006 as access switches where the servers connect. Each access switch is coupled to at least two different backbone routers with trunks.

Apart from getting a general how-bad-is-the-internet overview, the general plans of usage for an IDS are not elaborated, only the typical "we need an IDS to be secure" *sigh*. So it's kind of my job to show a scope for an IDS and some practical tips on how to use an IDS here. I'm not looking for a Cisco-specific solution, but as we have lots of Cisco equipment I thought I'd better mention that.

Some guys set up a little Snort box to analyse attacks from the internet, and want to introduce another IDS in the backbone... which is, at least in my eyes, not the best place for an IDS, as there is a lot of traffic, and I believe in some more but smarter, better configured ones (better as it is easier to set up/control rules for different VLANs/DMZs than for doing an overall check).

The problem for me is now: specific VLANs may be present in different server rooms connected from/to different switches. So there is no single switch where a complete VLAN is sitting, as this may be routed according to L3 costs over different backbone switches to the target access switch.

Uhh, hope I described it not too confusedly, sorry for my mediocre English.

Jan
-----Original Message-----
From: SanjayR [mailto:sanjayr () intoto com]
Sent: Friday, September 08, 2006 7:25 AM
To: Scholten, Jan; focus-ids () securityfocus com
Subject: Re: IDS in a loadbalanced Network

Hi Jan:

I am not clear on whether you are looking for some general IDS solution or you have some particular product in mind, as you have given the example of a Cisco switch. So, let us consider that model. According to my understanding, the Cisco 6500 series has an inbuilt module for IDS/firewall.

".......The Cisco(r) Catalyst(r) 6500 Series Intrusion Detection System Services Module (IDSM-2) is an important intrusion prevention system (IPS) solution for safeguarding organizations from costly and debilitating network breaches and for helping to ensure business continuity."

If you are using this switch, then irrespective of VLANs, you can monitor the traffic for malicious activities.

Now let us consider a general scenario. The basic philosophy behind any monitoring device is visibility of activities/traffic. So, one must keep the device at a point where it can see the maximum traffic (it is known, anyway). In the case of VLANs, your IDS should be able to interpret the VLAN format. 802.1Q is the IEEE standard for tagging frames on a trunk (trunks are used to carry traffic that belongs to multiple VLANs between devices over the same link). ISL and 802.1Q are two types of encapsulation that are used to carry data from multiple VLANs over trunk links. If you are sure that your IDS is capable of decoding VLAN traffic, you can plug that into a spanning port (as you suggested).

In the case of HSRP, if I am correct, you will be connecting the redundant routers (or switches) by using some switch/hub, where one device will be acting as the HSRP virtual router. So, in a way, all the traffic is coming to that switch and again, you can configure one of the ports as spanning and keep monitoring the traffic.

So...have I added something useful?
thanks
-Sanjay
Intoto Softwares
Computer Security: A little delay to break into your network. -- DSR

At 03:56 PM 9/7/2006, Scholten, Jan wrote:

Hi!

While searching for a matching IDS I encountered some problems. Having a network structure with lots of separate VLANs and/or DMZ networks, I am wondering what is the best way to place an IDS in a redundant L3 switch/router (C6506/7300) with HSRP and port-channel load balancing for VLANs. Is there a best practice for how to place an IDS in a VLAN, using a SPAN port on each of the devices (running in active/active), or is there a better solution?

Regards from Germany
Jan Scholten

------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
------------------------------------------------------------------------
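Sanjay's point that the sensor must be able to decode the VLAN format is the one that bites in practice: a sensor hung off a SPAN of a trunk receives 802.1Q-tagged (and, across datacenter interconnects, sometimes double-tagged) frames, and a decoder that treats 0x8100 as the final EtherType never reaches the IP header, so the box "sees" traffic and alerts on nothing. The following Python is an example added to this thread, not code from Cisco, Intoto or either poster. It assumes frames arrive as raw bytes without the FCS, the way a libpcap feed from a SPAN destination port hands them over; whether the tags are still present on that port depends on how the monitor session is configured on the switch. The TPID 0x9100 is included as an assumption about pre-standard QinQ gear; the sample frames (including the HSRP v1 virtual MAC 00:00:0c:07:ac:01 for standby group 1) are constructed here for the demonstration.

```python
"""Decode 802.1Q / 802.1ad VLAN tags from raw Ethernet frames.

Example added to this thread; not code from Cisco, Intoto or the posters.
Frames are assumed to arrive as bytes without the FCS, as a libpcap feed
from a SPAN port would hand them to a sensor.
"""
import struct
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

ETH_ALEN = 6
TPID_8021Q = 0x8100        # C-TAG, plain 802.1Q
TPID_8021AD = 0x88A8       # S-TAG, 802.1ad QinQ outer tag
TPID_QINQ_LEGACY = 0x9100  # pre-standard outer-tag TPID (assumed still seen on some kit)
VLAN_TPIDS = {TPID_8021Q, TPID_8021AD, TPID_QINQ_LEGACY}


@dataclass
class VlanTag:
    tpid: int
    pcp: int  # 3-bit priority code point
    dei: int  # 1-bit drop eligible indicator (CFI in the original 802.1Q text)
    vid: int  # 12-bit VLAN identifier


@dataclass
class DecodedFrame:
    dst: str
    src: str
    tags: List[VlanTag] = field(default_factory=list)  # outermost first
    ethertype: int = 0
    payload: bytes = b""

    @property
    def vlan_id(self) -> Optional[int]:
        """Innermost VID: the customer VLAN the frame belongs to, or None if untagged."""
        return self.tags[-1].vid if self.tags else None


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def decode_frame(frame: bytes) -> DecodedFrame:
    """Strip every stacked VLAN tag and return the real EtherType and payload.

    A decoder that stops at the first 0x8100 reports EtherType 0x8100 and never
    reaches the IP header; this one walks the whole tag stack.
    """
    if len(frame) < 2 * ETH_ALEN + 2:
        raise ValueError("frame too short for an Ethernet header")
    out = DecodedFrame(dst=_mac(frame[:ETH_ALEN]), src=_mac(frame[ETH_ALEN:2 * ETH_ALEN]))
    off = 2 * ETH_ALEN
    while True:
        if off + 2 > len(frame):
            raise ValueError("frame ends inside the tag stack, no EtherType")
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in VLAN_TPIDS:
            break
        if off + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        out.tags.append(VlanTag(tpid=etype, pcp=tci >> 13, dei=(tci >> 12) & 1, vid=tci & 0x0FFF))
        off += 4
    out.ethertype = etype
    out.payload = frame[off + 2:]
    return out


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                tags: Iterable[Tuple[int, int]] = (), pcp: int = 0) -> bytes:
    """Build a frame with zero or more (tpid, vid) tags; used here only to construct sample input."""
    hdr = dst + src
    for tpid, vid in tags:
        hdr += struct.pack("!HH", tpid, (pcp << 13) | (vid & 0x0FFF))
    return hdr + struct.pack("!H", ethertype) + payload


def vlan_histogram(frames: Iterable[bytes]) -> Dict[Optional[int], int]:
    """Count frames per innermost VID: a quick check that the SPAN feed really
    carries every VLAN the sensor is supposed to watch (None = untagged)."""
    return dict(Counter(decode_frame(f).vlan_id for f in frames))


# Constructed sample traffic. 00:00:0c:07:ac:01 is the HSRP v1 virtual MAC for
# standby group 1, so the IP frames look like hosts talking to their gateway.
GW = bytes.fromhex("00000c07ac01")
HOST = bytes.fromhex("001122334455")
IPV4_STUB = bytes.fromhex("4500")  # just enough of an IPv4 header to be recognisable
SAMPLE_FRAMES = [
    build_frame(GW, HOST, 0x0800, IPV4_STUB, tags=[(TPID_8021Q, 100)], pcp=5),
    build_frame(GW, HOST, 0x0800, IPV4_STUB, tags=[(TPID_8021AD, 10), (TPID_8021Q, 200)]),
    build_frame(b"\xff" * 6, HOST, 0x0806, b"\x00\x01"),  # untagged ARP
]

if __name__ == "__main__":
    for raw in SAMPLE_FRAMES:
        d = decode_frame(raw)
        print(f"{d.src} -> {d.dst} vid={d.vlan_id} tags={len(d.tags)} ethertype=0x{d.ethertype:04x}")
    print(vlan_histogram(SAMPLE_FRAMES))
```

Run against a real capture, vlan_histogram is the fastest way to answer Jan's placement question per SPAN session: if a VLAN that is supposed to live partly on this switch never shows up in the count, that session is not the place to watch it, and the rules for that VLAN belong on a sensor behind a different switch or on an RSPAN/ERSPAN feed.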
Current thread:
- IDS in a loadbalanced Network Scholten, Jan (Sep 07)
- <Possible follow-ups>
- RE: IDS in a loadbalanced Network Palmer, Paul (ISSAtlanta) (Sep 08)
- Re: IDS in a loadbalanced Network Adam Powers (Sep 08)
- RE: IDS in a loadbalanced Network Scholten, Jan (Sep 08)