Re: IDS deployment on a Cat6500 series & which Snort box?

["minime" <zballa () comcast net>]

We have a few 6513s and IDPs. You can have more than one span port on the
6500, actually you can have two. The trick is you have to use the word
create when you define the second span port. We are running our 6500s in
mixed mode and we have no problem creating two span ports which are
monitoring vlans. From the IDPs we have fiber and copper connections to the
6500s. If we need to span a server port than we drop the copper connection
for the IDPs and re-configure the span port to monitor a server port.


----- Original Message ----- 
From: "Losinski, Robert" <Robert_Losinski () dpsk12 org>
To: "JR" <rameskr () yahoo com>; "Gary Halleen" <ghalleen () cisco com>; "Carles
Fragoso i Mariscal" <cfragoso () cesca es>; "James Williams"
<jwilliams () itexch wtamu edu>
Cc: <focus-ids () securityfocus com>
Sent: Monday, June 07, 2004 11:42 AM
Subject: RE: IDS deployment on a Cat6500 series & which Snort box?


I've been discussing this with our Cisco reps and they suggested we use
VLAN ACLs to replicate the traffic to an output port. While it remains
true that a Cisco switch can only have one mirror port. You can have
multiple VLAN ACL ports.

--Robert

-----Original Message-----
From: JR [mailto:rameskr () yahoo com]
Sent: Sunday, June 06, 2004 2:06 AM
To: Gary Halleen; 'Carles Fragoso i Mariscal'; 'James Williams'
Cc: focus-ids () securityfocus com
Subject: RE: IDS deployment on a Cat6500 series & which Snort box?

Hi,

While setting up the Cisco 6500 port for span in
Native IOS, we lose an basic option of enabling
incoming pkts which was possible in all CATOS switches
and hence you can't connect to that IDS box through
that span port remotely and also that IDS connected to
that span port can't do packet injection like blocking
unwanted traffic. It will be just in promisuous mode(a
passive listener).

I have tested this and don't find any way out. Has
anyone seen this problem with "session monitor"
command?

Regards,

Ramesh




--- Gary Halleen <ghalleen () cisco com> wrote:
> Carlos,
>
> I'll also reply privately.
>
> I have a presentation I can send you that describes
> in detail the various
> methods of capturing traffic for and IDS.  I work
> for Cisco, so obviously
> this is focused towards using a Cisco sensor, but
> you'll find it valuable
> for others as well.
>
> Gary
>
>
> > -----Original Message-----
> > From: Carles Fragoso i Mariscal
> [mailto:cfragoso () cesca es]
> > Sent: Tuesday, May 25, 2004 4:13 PM
> > To: James Williams
> > Cc: focus-ids () securityfocus com
> > Subject: RE: IDS deployment on a Cat6500 series &
> which Snort box?
> > Hi James,
> >
> > Thank you for your answer.
> >
> > I know how to do a span port, I maybe did not
> explained my
> > question very well.
> >
> > If the traffic comes from different Gigabit ports
> and also
> > comes aggregated with other traffic is not very
> useful to do
> > a span port because you need a sensor for each
> span, and each
> > one has to deal with more traffic than the
> interesting one.
> > So if we define certain hosts or IP ranges to
> monitor, a
> > granular solution is needed. I have been told that
> Cisco
> > Cat6500 could do it in two ways:
> >
> >  - ACE's in ACL's which can be used to set some
> traffic to be captured
> >    by IDSM blade.
> >
> >  - ACE's in VACL's which can be applied to VLANs
> in order to forward a
> >    copy of the traffic to a designed 'switchport
> monitor'
> > I just wanted to know if someone has used it in
> order to get
> > some feedback and to know which one is more
> convenient. I
> > mentioned Snort because the second way I described
> could
> > allow to monitor a subset of traffic without using
> a blade
> > in-switch solution.
> >
> > Thanks also to those guys who replied privately to
> me,
> > -- Carlos
> >
> > -----Mensaje original-----
> > De: James Williams
> [mailto:jwilliams () itexch wtamu edu]
> > Enviado el: martes, 25 de mayo de 2004 22:01
> > Para: Carles Fragoso i Mariscal
> > CC: focus-ids () securityfocus com
> > Asunto: RE: IDS deployment on a Cat6500 series &
> which Snort box?
> > Setting up a SPAN port on the Catalyst 6500 series
> switch is
> > easy. The command is:
> >
> > set span <source port/vlan> <destination port>
> both
> > For Example:
> >
> > set span 1/1 1/2 both - creates a span port on
> port 1/2 that
> > sends all traffic from 1/1 to 1/2.
> >
> > set span 111 1/2 both - creates a span port on
> port 1/2 that
> > sends all traffic from vlan 111 to 1/2.
> >
> > Here is a document on configuring SPAN ports.
http://www.cisco.com/en/US/products/hw/switches/ps708/products
> > _configuration
> > _guide_chapter09186a008007e6fa.html
> >
> > SourceFire is a commercial version of Snort. The
> packaging is
> > very similar and the way it works is nearly
> identical. Snort
> > can handle gigabit interfaces very easily.
> Depending on your
> > snort setup would determine what kind of hardware
> you would
> > want. I personally like a distributed setup with
> at least two
> > IDS sensors and one management console. The IDS
> sensors will
> > need to have at least two nic cards. One nic will
> be
> > dedicated to listening for data on the span port
> and the
> > second nic will have a standard tcp/ip
> configuration. The
> > management station is a web server/database server
> and all
> > the IDS logs get stored into a database and viewed
> via a web
> > interface. It's very nice.
> >
> > Here are some excellent docs for you:
> >
> > http://www.snort.org/docs/
> >
> > If you go with snort a very good book to read is
> "Snort 2.1 -
> > Intrusion Detection"
> http://www.bookpool.com/.x/qd6gahkax8/sm/1931836043
> > If you the Netscreen/Juniper IDP you will not be
> able to use
> > the intrusion prevention features with the SPAN
> setup. You
> > will have to put the IDP in-line with the
> connection.
> > The Cisco IDS module seems to be a good product
> and
> > integrates well with the Catalyst 6500 series
> switch.
> >
http://www.cisco.com/en/US/products/hw/modules/ps2706/ps5058/i
> > ndex.html
> >
> > You may want to read more about it. There are some
>
> > limitations that may not be acceptable for the
> company, like
> > it can only inspect packets at 600Mbps
> (incoming/outgoing).
> > So you will need to keep things like that in mind
> because the
> > company may be to big for the Cisco IDS module to
> watch all
> > that traffic. Or if the company is rapidly
> growing, it may
> > rapidly out grow the IDS module. This would mean
> the company
> > would need to choose a more robust product.
> >
> > Hope this answers your questions,
> >
> > James Williams, GISF
> > Network Systems Technician
> > West Texas A&M University
\x4e\x65\x74\x77\x6f\x72\x6b\x20\x53\x65\x63\x75\x72\x69\x74\x
> > 79\x20\x47\x65
> > \x65\x6b
> >
> > -----Original Message-----
> > From: Carles Fragoso i Mariscal
> [mailto:cfragoso () cesca es]
> > Sent: Sunday, May 23, 2004 1:08 PM
> > To: focus-ids () securityfocus com
> > Subject: IDS deployment on a Cat6500 series &
> which Snort box?
> > Hi,
> >
> > A customer of us is evaluating an outer IDS
> deployment on its
> > Internet Data Center (IDC) core network which
> consists on a
> > layer-3 enabled Cisco Catalyst 6500 series. Its
> network
> > traffic is under Gig speed but over >200Mbps.
=== message truncated ===





__________________________________
Do you Yahoo!?
Friends.  Fun.  Try the all-new Yahoo! Messenger.
http://messenger.yahoo.com/

------------------------------------------------------------------------
---

------------------------------------------------------------------------
---


---------------------------------------------------------------------------

---------------------------------------------------------------------------


---------------------------------------------------------------------------

---------------------------------------------------------------------------