RE: IDS in a loadbalanced Network

["Scholten, Jan" <jan.scholten () siemens com>]

Hi *

Well I am not actually looking for a specific product, as i do some
research for a diploma thesis, but this thesis will probably used for
some kind of intrusion detection rollout (hopefully).

I am currentley searching for "good ways" to place IDS in our
datacenter. We have multiple STM-1 Conections to the internet, several
seperate server rooms which are connected by portchannels. We use
C6506-couples (for redundancy) as Backbone switches and C4006 as Access
Switches where the Servers connect. Each access switch is coupled to at
least two different backbone routers with trunks. 
Apart from getting like a general how-bad-is-the-internet-overview, the
general plans of usage for an IDS are not elaborted only the typical "we
need a IDS to be secure" *sigh*

So it's kinda my job to show a scope for an IDS and some practical tips
of how to use an IDS here.

I'm not looking for a Cisco specific solution, but as we have lots of
Cisco equiptment i thought i' better mention that.

Some guys setup a little snort box to analyse Attacks from the internet,
and want to introduce another IDS in the backbone... Which is at least
in my eyes not the best place for a IDS, as there is lot of traffic, and
i believe some more bt smarter, better configured (better as it is
easier to setup/control rules for different VLANS/DMZ as for doing a
overall check)
Problem for me is now: specific Vlans may be present in different Server
Rooms connected from/to different switches. So there is no single switch
where a complete Vlan is sitting on, as this may be routed according to
L3 costs over different Backbone switches to the target access switch. 

Uhh hope i described it not too confused, sorry for my medicore english.

Jan 

> -----Original Message-----
> From: SanjayR [mailto:sanjayr () intoto com] 
> Sent: Friday, September 08, 2006 7:25 AM
> To: Scholten, Jan; focus-ids () securityfocus com
> Subject: Re: IDS in a loadbalanced Network
>
> Hi Jan:
> I am not clear on whether you are looking for 
> some general IDS solution or you have some 
> particular product in mind, as you have given the 
> example of Cisco switch. so, let us consider that 
> model. According to my understanding, Cisco 6500 
> series has inbulit module for IDS/firewall. 
> ".......The Cisco(r) Catalyst(r) 6500 Series 
> Intrusion Detection System Services Module 
> (IDSM-2) is an important intrusion prevention 
> system (IPS) solution for safeguarding 
> organizations from costly and debilitating 
> network breaches and for helping to ensure 
> business continuity." If you are using this 
> switch, then irrespective of VLans, you can 
> monitor the traffic for melicious activities.
> Now let us consider a general scenario. The basic 
> philosophy behind any monitoring device is 
> visibility of activities/traffic. So, one must 
> keep the device at a point where it can see the 
> maximum traffic (it is known, anyway). In case of 
> VLANs, your IDS should be able to interpret VLAN 
> format. 802.1Q is the IEEE standard for tagging 
> frames on a trunk (Trunks are used to carry 
> traffic that belongs to multiple VLANs between 
> devices over the same link.). ISL and 802.1Q are 
> two types of encapsulation that are used to carry 
> data from multiple VLANs over trunk links. If you 
> are sure that your IDS is capable of decoding 
> VLAN traffic, you can plug that in a spanning port (as you suggested).
> In case of HSRP, if I am correct, you will be 
> connecting the redundant routers (or switches) by 
> using some switch/hub, where one device will be 
> acting as HSRP virtual router. So, in a way, all 
> the traffic is coming to that switch and again, 
> you can configure one of the ports as spanning and keep 
> monitoring the traffic.
>
> so...have i added something useful?
>
> thanks
> -Sanjay
> Intoto Softwares
> Computer Security: A little delay to break into your network.
>                                                               
>            -- DSR
>
>
> At 03:56 PM 9/7/2006, Scholten, Jan wrote:
> > Hi!
> >
> > While searching for a matching IDS I encountered some problems.
> >
> > Having a network structure with lots of seperate Vlans and/or DMZs
> > networks, i am wondering what is the best way to place an IDS in a
> > redundant L3Switch/router (C6506/7300) with HSRP and PortChannel
> > Loadbalancing for Vlans.
> > Is there a bestpractice how to place an ids in a vlan, using 
> a span port
> > on each of the devices (running in active/active), or is 
> there a better
> > solution?
> >
> > Regards from Germany
> > Jan Scholten
> >
> >
> > -------------------------------------------------------------
> -----------
> > Test Your IDS
> >
> > Is your IDS deployed correctly?
> > Find out quickly and easily by testing it
> > with real-world attacks from CORE IMPACT.
> > Go to 
> http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> > to learn more.
> > -------------------------------------------------------------
> -----------

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------