RE: IDS deployment on a Cat6500 series & which Snort box?

["Gary Halleen" <ghalleen () cisco com>]

Carlos,

I'll also reply privately.

I have a presentation I can send you that describes in detail the various
methods of capturing traffic for and IDS.  I work for Cisco, so obviously
this is focused towards using a Cisco sensor, but you'll find it valuable
for others as well.

Gary


> -----Original Message-----
> From: Carles Fragoso i Mariscal [mailto:cfragoso () cesca es] 
> Sent: Tuesday, May 25, 2004 4:13 PM
> To: James Williams
> Cc: focus-ids () securityfocus com
> Subject: RE: IDS deployment on a Cat6500 series & which Snort box?
>
>
> Hi James,
>
> Thank you for your answer.
>
> I know how to do a span port, I maybe did not explained my 
> question very well.
>
> If the traffic comes from different Gigabit ports and also 
> comes aggregated with other traffic is not very useful to do 
> a span port because you need a sensor for each span, and each 
> one has to deal with more traffic than the interesting one.
>
> So if we define certain hosts or IP ranges to monitor, a 
> granular solution is needed. I have been told that Cisco 
> Cat6500 could do it in two ways:
>
>  - ACE's in ACL's which can be used to set some traffic to be captured
>    by IDSM blade.
>
>  - ACE's in VACL's which can be applied to VLANs in order to forward a
>    copy of the traffic to a designed 'switchport monitor'
>
> I just wanted to know if someone has used it in order to get 
> some feedback and to know which one is more convenient. I 
> mentioned Snort because the second way I described could 
> allow to monitor a subset of traffic without using a blade 
> in-switch solution.
>
> Thanks also to those guys who replied privately to me,
>
> -- Carlos
>
> -----Mensaje original-----
> De: James Williams [mailto:jwilliams () itexch wtamu edu]
> Enviado el: martes, 25 de mayo de 2004 22:01
> Para: Carles Fragoso i Mariscal
> CC: focus-ids () securityfocus com
> Asunto: RE: IDS deployment on a Cat6500 series & which Snort box?
>
>
> Setting up a SPAN port on the Catalyst 6500 series switch is 
> easy. The command is:
>
> set span <source port/vlan> <destination port> both
>
> For Example:
>
> set span 1/1 1/2 both - creates a span port on port 1/2 that 
> sends all traffic from 1/1 to 1/2.
>
> set span 111 1/2 both - creates a span port on port 1/2 that 
> sends all traffic from vlan 111 to 1/2.
>
> Here is a document on configuring SPAN ports.
>
> http://www.cisco.com/en/US/products/hw/switches/ps708/products
> _configuration
> _guide_chapter09186a008007e6fa.html
>
> SourceFire is a commercial version of Snort. The packaging is 
> very similar and the way it works is nearly identical. Snort 
> can handle gigabit interfaces very easily. Depending on your 
> snort setup would determine what kind of hardware you would 
> want. I personally like a distributed setup with at least two 
> IDS sensors and one management console. The IDS sensors will 
> need to have at least two nic cards. One nic will be 
> dedicated to listening for data on the span port and the 
> second nic will have a standard tcp/ip configuration. The 
> management station is a web server/database server and all 
> the IDS logs get stored into a database and viewed via a web 
> interface. It's very nice.
>
> Here are some excellent docs for you:
>
> http://www.snort.org/docs/
>
> If you go with snort a very good book to read is "Snort 2.1 - 
> Intrusion Detection"
>
> http://www.bookpool.com/.x/qd6gahkax8/sm/1931836043
>
> If you the Netscreen/Juniper IDP you will not be able to use 
> the intrusion prevention features with the SPAN setup. You 
> will have to put the IDP in-line with the connection.
>
> The Cisco IDS module seems to be a good product and 
> integrates well with the Catalyst 6500 series switch.
>
> http://www.cisco.com/en/US/products/hw/modules/ps2706/ps5058/i
> ndex.html
>
> You may want to read more about it. There are some 
> limitations that may not be acceptable for the company, like 
> it can only inspect packets at 600Mbps (incoming/outgoing). 
> So you will need to keep things like that in mind because the 
> company may be to big for the Cisco IDS module to watch all 
> that traffic. Or if the company is rapidly growing, it may 
> rapidly out grow the IDS module. This would mean the company 
> would need to choose a more robust product.
>
> Hope this answers your questions,
>
> James Williams, GISF
> Network Systems Technician
> West Texas A&M University 
> \x4e\x65\x74\x77\x6f\x72\x6b\x20\x53\x65\x63\x75\x72\x69\x74\x
> 79\x20\x47\x65
> \x65\x6b
>
> -----Original Message-----
> From: Carles Fragoso i Mariscal [mailto:cfragoso () cesca es]
> Sent: Sunday, May 23, 2004 1:08 PM
> To: focus-ids () securityfocus com
> Subject: IDS deployment on a Cat6500 series & which Snort box?
>
> Hi,
>
> A customer of us is evaluating an outer IDS deployment on its 
> Internet Data Center (IDC) core network which consists on a 
> layer-3 enabled Cisco Catalyst 6500 series. Its network 
> traffic is under Gig speed but over >200Mbps.
>
> They have been told that the best choice would be a Cisco 
> IDSM2 which is a switch-in blade IDS because of it is a 
> network-node IDS and because IOS provides some kind of 
> L2/VLAN ACL's which could allow them to capture traffic 
> from/to selected sources/destinations to IDS (for instance: 
> critical hosts or subnets).
>
> Cisco IDSes seems not to be as well-featured as other 
> products: Netscreen IDP, SourceFire, ISS Proventia etc.
>
> I have been documenting on that and it seems that also exists 
> the possibility on Cat6500 to do L2/VLAN ACL's to forward 
> matched traffic to a span port, that could open the chance of 
> using any IDS on that port instead of switch-in only solution.
>
> - Has anyone a similar deployment to described that could 
> provide their
>   experience on that?
> - Any input regarding IDSM2 experience could also be useful.
>
> They have also asked me if an open-source solution such as 
> Snort could deal with Gig traffic and which computer platform 
> would be necessary? I have seen on NSS Group report that a 
> dual Xeon CPU with 1 Gig mem minimum for Snort 2.x branch is 
> recommended. I imagine that the NIC data bus with main board 
> should be big enough.
>
> - Any recommendation on which architecture could fit their 
> possible needs?
>
> Thanks in advance guys for your help,
>
> --------------------------------------------------------------
> --------------
> ----
> Carles Fragoso i Mariscal
> Anella Cientifica RREN Incident Response Team (ERIAC) - 
> Incident Handler Communications and Operations Dept. - 
> Supercomputing Center of Catalonia
> eMail: cfragoso () cesca es Phone: +34 932056464 Fax: +34 
> 932056979 iDBA: 13041*CFM
> --------------------------------------------------------------
> --------------
> ----
>
>
>
>
>
> --------------------------------------------------------------
> -------------
>
> --------------------------------------------------------------
> -------------
>
>
>
>
> --------------------------------------------------------------
> -------------
>
> --------------------------------------------------------------
> -------------


---------------------------------------------------------------------------

---------------------------------------------------------------------------