IDS mailing list archives
RE: IDS deployment on a Cat6500 series & which Snort box?
From: "Gary Halleen" <ghalleen () cisco com>
Date: Sun, 6 Jun 2004 01:40:20 -0700
You are correct that this is a limitation of the Catalyst 6500 when running IOS. This limitation also exists with VACL Capture when running in IOS. CatOS does not have these limitations.

The sniffing interface of an IDS should not have an IP address, and you shouldn't be connecting to it from that interface. Instead, you should have a separate management interface, which ideally sits on a different, secure, network to prevent the IDS from being a target of an attack. A separate interface can also be configured to be the port to send TCP resets and other shunning activities.

Gary
-----Original Message-----
From: JR [mailto:rameskr () yahoo com]
Sent: Sunday, June 06, 2004 1:06 AM
To: Gary Halleen; 'Carles Fragoso i Mariscal'; 'James Williams'
Cc: focus-ids () securityfocus com
Subject: RE: IDS deployment on a Cat6500 series & which Snort box?

Hi,

While setting up the Cisco 6500 port for SPAN in Native IOS, we lose a basic option of enabling incoming packets which was possible in all CatOS switches, and hence you can't connect to that IDS box through that SPAN port remotely, and also the IDS connected to that SPAN port can't do packet injection like blocking unwanted traffic. It will be just in promiscuous mode (a passive listener). I have tested this and don't find any way out. Has anyone seen this problem with the "session monitor" command?

Regards,
Ramesh

--- Gary Halleen <ghalleen () cisco com> wrote:

Carlos,

I'll also reply privately. I have a presentation I can send you that describes in detail the various methods of capturing traffic for an IDS. I work for Cisco, so obviously this is focused towards using a Cisco sensor, but you'll find it valuable for others as well.

Gary

-----Original Message-----
From: Carles Fragoso i Mariscal [mailto:cfragoso () cesca es]
Sent: Tuesday, May 25, 2004 4:13 PM
To: James Williams
Cc: focus-ids () securityfocus com
Subject: RE: IDS deployment on a Cat6500 series & which Snort box?

Hi James,

Thank you for your answer. I know how to do a SPAN port; maybe I did not explain my question very well. If the traffic comes from different Gigabit ports and also comes aggregated with other traffic, it is not very useful to do a SPAN port, because you need a sensor for each SPAN, and each one has to deal with more traffic than the interesting one. So if we define certain hosts or IP ranges to monitor, a granular solution is needed. I have been told that the Cisco Cat6500 could do it in two ways:

- ACEs in ACLs which can be used to set some traffic to be captured by the IDSM blade.
- ACEs in VACLs which can be applied to VLANs in order to forward a copy of the traffic to a designed 'switchport monitor'.

I just wanted to know if someone has used it in order to get some feedback and to know which one is more convenient. I mentioned Snort because the second way I described could allow monitoring a subset of traffic without using a blade in-switch solution.

Thanks also to those guys who replied privately to me,

-- Carlos

-----Original Message-----
From: James Williams [mailto:jwilliams () itexch wtamu edu]
Sent: Tuesday, 25 May 2004 22:01
To: Carles Fragoso i Mariscal
CC: focus-ids () securityfocus com
Subject: RE: IDS deployment on a Cat6500 series & which Snort box?

Setting up a SPAN port on the Catalyst 6500 series switch is easy. The command is:

set span <source port/vlan> <destination port> both

For example:

set span 1/1 1/2 both - creates a SPAN port on port 1/2 that sends all traffic from 1/1 to 1/2.
set span 111 1/2 both - creates a SPAN port on port 1/2 that sends all traffic from VLAN 111 to 1/2.

Here is a document on configuring SPAN ports:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008007e6fa.html

SourceFire is a commercial version of Snort. The packaging is very similar and the way it works is nearly identical. Snort can handle gigabit interfaces very easily. Your Snort setup would determine what kind of hardware you would want. I personally like a distributed setup with at least two IDS sensors and one management console. The IDS sensors will need to have at least two NIC cards. One NIC will be dedicated to listening for data on the SPAN port and the second NIC will have a standard TCP/IP configuration. The management station is a web server/database server, and all the IDS logs get stored into a database and viewed via a web interface. It's very nice.

Here are some excellent docs for you: http://www.snort.org/docs/

If you go with Snort, a very good book to read is "Snort 2.1 - Intrusion Detection": http://www.bookpool.com/.x/qd6gahkax8/sm/1931836043

If you use the Netscreen/Juniper IDP you will not be able to use the intrusion prevention features with the SPAN setup. You will have to put the IDP in-line with the connection.

The Cisco IDS module seems to be a good product and integrates well with the Catalyst 6500 series switch: http://www.cisco.com/en/US/products/hw/modules/ps2706/ps5058/index.html

You may want to read more about it. There are some limitations that may not be acceptable for the company, like it can only inspect packets at 600Mbps (incoming/outgoing). So you will need to keep things like that in mind, because the company may be too big for the Cisco IDS module to watch all that traffic. Or if the company is rapidly growing, it may rapidly outgrow the IDS module. This would mean the company would need to choose a more robust product.

Hope this answers your questions,

James Williams, GISF
Network Systems Technician
West Texas A&M University
Network Security Geek

-----Original Message-----
From: Carles Fragoso i Mariscal [mailto:cfragoso () cesca es]
Sent: Sunday, May 23, 2004 1:08 PM
To: focus-ids () securityfocus com
Subject: IDS deployment on a Cat6500 series & which Snort box?

Hi,

A customer of ours is evaluating an outer IDS deployment on its Internet Data Center (IDC) core network, which consists of a layer-3 enabled Cisco Catalyst 6500 series. Its network traffic is under Gig speed but over 200Mbps.

=== message truncated ===
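The switch-side commands the thread refers to, gathered into one added example that is not from any of the posters: the CatOS `set span` form James gives, the Native IOS `monitor session` form Ramesh asks about, and the separate management/reset interface Gary recommends. The port numbers and VLAN 111 are the thread's; VLAN 900 and port 1/3 are assumed values; the IOS and CatOS keyword syntax is as I know it from Cisco's Catalyst 6500 command references, not from the page.

```cisco
! --- CatOS (the form James shows) ---
! Mirror port 1/1 and VLAN 111 to the sensor's sniffing port 1/2.
set span 1/1 1/2 both
set span 111 1/2 both
! CatOS can additionally accept frames arriving *from* the SPAN destination
! ("inpkts"), the option Ramesh notes is missing in IOS; it is appended to
! the same command, e.g. replacing the first line above with:
set span 1/1 1/2 both inpkts enable

! --- Native IOS equivalent (the "monitor session" command in the thread) ---
monitor session 1 source interface GigabitEthernet1/1 both
monitor session 1 source vlan 111 both
monitor session 1 destination interface GigabitEthernet1/2
! In IOS the destination port drops ingress frames, which is the limitation
! Gary confirms: nothing the sensor transmits on Gi1/2 enters the network, so
! Gi1/2 carries no IP address and is not used for management or TCP resets.

! The sensor's second NIC goes on an ordinary access port in a management
! VLAN (VLAN 900 and Gi1/3 are assumed values), kept off the monitored segments.
interface GigabitEthernet1/3
 description IDS management / TCP-reset interface
 switchport
 switchport mode access
 switchport access vlan 900

! Verify what is actually being mirrored before trusting the sensor's view.
show monitor session 1
```

Whichever OS the switch runs, the sensor's sniffing NIC stays without an IP address and the management NIC is the only one that is routed, which keeps the passive interface from becoming a reachable target.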