Snort mailing list archives

RE: switch


From: counter.spy () gmx de
Date: Wed, 15 May 2002 18:45:49 +0200 (MEST)

*sigh*

Maybe someone could add this to the FAQ, since I am getting somehow bored
with this switching, tapping, full-duplex, port mirroring,
datastreams merging and stateful inspection stuff ;)

Already in the FAQ:
Q: I'm on a switched network, can I still use Snort?

A: Being able to sniff on a switched network depends
on what type of switch is being used.  If the switch
can mirror traffic, then set the switch to mirror all
traffic to the snort machine's port.

Extended version:

A: There are several ways of deploying NIDS in switched environments which 
all have their pros and cons. Which method applies to your needs depends on
what kind of segments you want to monitor and on your budget.
Here are the most common methods:

method 1)
-if the switch can mirror traffic, then set the switch to mirror all
traffic to the snort machine's port. 

pros:
-Simple method, works with most decent switches.

drawbacks: 
-if the switch is a fast ethernet switch, you can mirror 100Mbit/s max.
Since each switchport is capable of handling 100Mbit/s for each direction,
the bandwidth per port sums up to 200Mbit/s, so the switch will not be able
to mirror all packets at high network utilization.
Another drawback is the fact that some switches suffer from performance
degradation through port mirroring.


method 2)
-inserting a hub in line, so you can simply tap all traffic off the hub.

pros:
-Simple method
-No impact on switch performance and no need for special configuration

drawbacks:
-loss of full-duplex capabilities
-additional single point of failure

method 3)
-using network taps (such as those of shomiti/finisar and netoptics)

pros:
-no impact on switch performance and no need for special configuration
-stealth, i.e. sending data back to the switch (by the NIDS) is physically
prevented
-no single point of failure, the tap is "fail-open" so that the productive
link is not interrupted if the power of the tap fails

drawbacks:
-the datastream is split into TX and RX, so you need two interfaces (NICs)
on the NIDS for each monitored switchport.
-the two datastreams have to be recombined, i.e. merged, if you don't want
to lose the capability of doing stateful analysis. This can be achieved by
using channel bonding (http://sourceforge.net/projects/bonding).

method 4)
-tapping all switchports (using the aforementioned network taps) but only
tapping all incoming packets (RX lines of the switchports), connecting those
tap ports to a dedicated gigabit switch, which is capable of mirroring up to
ten RX taplines to one single dedicated gigabit port, which is connected to
a gigabit IDS machine.
See also attached picture (may be copied and distributed for non-commercial
purposes only ;-)
 
pros:
-this method is elegant if you want to achieve maximum coverage (i.e.
monitor all switchports)
-no performance degradation of the productive switch
-stealth
-no need for special configuration of the productive switch

drawbacks:
-rather expensive method, so it will probably only pay for e-commerce
applications and high security segments
-the NIDS machine has to be capable of handling gigabit datastreams

All this stuff is also discussed in my diploma thesis, which is now ready.
I will derive a technical paper, written in English, that will also treat
this topic. The paper will appear in September, for all those who are
interested.
Where, I do not yet know for sure (maybe on snort.org?) ;)

Hope that helps and reduces the need for such questions in the future :)

Greetings,
Detmar Liesen


-------------original message---------------------

Hi Everybody,

On Snort FAQ

Q: I'm on a switched network, can I still use Snort?

A: Being able to sniff on a switched network depends
on what type of switch is being used.  If the switch
can mirror traffic, then set the switch to mirror all
traffic to the snort machine's port.

I recently installed a Netgear Model FS 524. Is my switch capable of
mirroring the traffic?

Does anyone know, or is there a HOWTO? I want to learn about this.

Your help is highly appreciated.

Thanks

brother in snort


-- 
GMX - Die Kommunikationsplattform im Internet.
http://www.gmx.net
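The drawback of method 3 above (the tap splits the link into a TX and an RX
stream that must be merged before stateful analysis is possible) can be shown
in a few lines. The following is an added example, not code from the original
post or from Snort; the packet records, addresses and ports are constructed
sample data, and the merge is done in software on timestamps, which is what
channel bonding of the two tap NICs achieves for the NIDS in practice.

```python
"""Why the two halves of a passive tap have to be merged before stateful
analysis: a minimal TCP handshake tracker fed with one half at a time never
sees a complete three-way handshake, while the merged stream does.

Added example; addresses, ports and timestamps are constructed sample data.
"""
from dataclasses import dataclass
import heapq

SYN, ACK = 0x02, 0x10  # TCP flag bits used by the sample packets


@dataclass(frozen=True)
class Pkt:
    ts: float      # capture timestamp in seconds
    src: str
    dst: str
    sport: int
    dport: int
    flags: int


# Constructed sample: what each tap line would deliver to its own NIC.
# RX line of the server's switchport: packets going towards the server.
RX_LINE = [
    Pkt(0.000, "10.0.0.5", "10.0.0.80", 40000, 80, SYN),
    Pkt(0.002, "10.0.0.5", "10.0.0.80", 40000, 80, ACK),
    Pkt(0.010, "10.0.0.6", "10.0.0.80", 40001, 80, SYN),  # stray SYN
]
# TX line of the same switchport: packets the server sends back.
TX_LINE = [
    Pkt(0.001, "10.0.0.80", "10.0.0.5", 80, 40000, SYN | ACK),
]


def merge_streams(*streams):
    """Merge several time-ordered capture streams into one, ordered by
    timestamp (the software equivalent of bonding the two tap NICs)."""
    return list(heapq.merge(*streams, key=lambda p: p.ts))


def flow_key(p):
    """Canonical bidirectional key so both directions map to one flow."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def track_handshakes(packets):
    """Follow SYN -> SYN/ACK -> ACK per flow.

    Returns {flow_key: state}, state being one of
    'SYN_SENT', 'SYN_RECEIVED' or 'ESTABLISHED'.
    """
    state = {}  # flow_key -> (state, initiator endpoint)
    for p in packets:
        k = flow_key(p)
        s = state.get(k)
        if p.flags == SYN and s is None:
            state[k] = ("SYN_SENT", (p.src, p.sport))
        elif (p.flags == SYN | ACK and s and s[0] == "SYN_SENT"
              and (p.dst, p.dport) == s[1]):
            state[k] = ("SYN_RECEIVED", s[1])
        elif (p.flags == ACK and s and s[0] == "SYN_RECEIVED"
              and (p.src, p.sport) == s[1]):
            state[k] = ("ESTABLISHED", s[1])
    return {k: v[0] for k, v in state.items()}


def established_flows(packets):
    """Flows whose handshake completed in the given stream, sorted."""
    return sorted(k for k, v in track_handshakes(packets).items()
                  if v == "ESTABLISHED")


if __name__ == "__main__":
    print("RX line alone :", established_flows(RX_LINE))
    print("TX line alone :", established_flows(TX_LINE))
    print("merged        :", established_flows(merge_streams(RX_LINE, TX_LINE)))
```

Fed only the RX line, the tracker sees SYN and ACK but never the SYN/ACK, so
the flow stays in SYN_SENT; fed only the TX line it sees a SYN/ACK for a flow
it never saw open. Only the merged stream reaches ESTABLISHED, which is the
state a stateful engine needs before it can judge the rest of the session.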
