RE: IDS deployment on a Cat6500 series & which Snort box?
From: Gary Halleen (ghalleen_at_cisco.com)
Date: 05/26/04
- Previous message: Rishi Pande: "RE: Suggestions"
- In reply to: Carles Fragoso i Mariscal: "RE: IDS deployment on a Cat6500 series & which Snort box?"
- Next in thread: Tony Carter: "Re: IDS deployment on a Cat6500 series & which Snort box?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "'Carles Fragoso i Mariscal'" <cfragoso@cesca.es>, "'James Williams'" <jwilliams@itexch.wtamu.edu>
Date: Wed, 26 May 2004 09:35:47 -0700
Carlos,
I'll also reply privately.
I have a presentation I can send you that describes in detail the various
methods of capturing traffic for an IDS. I work for Cisco, so obviously
this is focused towards using a Cisco sensor, but you'll find it valuable
for others as well.
Gary
> -----Original Message-----
> From: Carles Fragoso i Mariscal [mailto:cfragoso@cesca.es]
> Sent: Tuesday, May 25, 2004 4:13 PM
> To: James Williams
> Cc: focus-ids@securityfocus.com
> Subject: RE: IDS deployment on a Cat6500 series & which Snort box?
>
>
> Hi James,
>
> Thank you for your answer.
>
> I know how to do a SPAN port; maybe I did not explain my
> question very well.
>
> If the traffic comes from different Gigabit ports and also
> comes aggregated with other traffic, it is not very useful to do
> a SPAN port, because you need a sensor for each SPAN, and each
> one has to deal with more traffic than just the interesting traffic.
>
> So if we define certain hosts or IP ranges to monitor, a
> granular solution is needed. I have been told that Cisco
> Cat6500 could do it in two ways:
>
> - ACEs in ACLs which can be used to mark some traffic to be captured
> by the IDSM blade.
>
> - ACEs in VACLs which can be applied to VLANs in order to forward a
> copy of the traffic to a designated 'switchport monitor'
>
> I just wanted to know if someone has used it, in order to get
> some feedback and to know which one is more convenient. I
> mentioned Snort because the second way I described could
> allow monitoring a subset of traffic without using an in-switch
> blade solution.
>
> Thanks also to those guys who replied privately to me,
>
> -- Carlos
>
> -----Original Message-----
> From: James Williams [mailto:jwilliams@itexch.wtamu.edu]
> Sent: Tuesday, May 25, 2004 22:01
> To: Carles Fragoso i Mariscal
> CC: focus-ids@securityfocus.com
> Subject: RE: IDS deployment on a Cat6500 series & which Snort box?
>
>
> Setting up a SPAN port on the Catalyst 6500 series switch is
> easy. The command is:
>
> set span <source port/vlan> <destination port> both
>
> For Example:
>
> set span 1/1 1/2 both - creates a span port on port 1/2 that
> sends all traffic from 1/1 to 1/2.
>
> set span 111 1/2 both - creates a span port on port 1/2 that
> sends all traffic from vlan 111 to 1/2.
>
> Here is a document on configuring SPAN ports.
>
> http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008007e6fa.html
>
> SourceFire is a commercial version of Snort. The packaging is
> very similar and the way it works is nearly identical. Snort
> can handle gigabit interfaces very easily. Your Snort setup
> would determine what kind of hardware you would want. I
> personally like a distributed setup with at least two IDS
> sensors and one management console. The IDS sensors will
> need to have at least two NICs. One NIC will be dedicated to
> listening for data on the SPAN port and the second NIC will
> have a standard TCP/IP configuration. The management station
> is a web server/database server, and all the IDS logs get
> stored in a database and viewed via a web interface. It's
> very nice.
>
> Here are some excellent docs for you:
>
> http://www.snort.org/docs/
>
> If you go with snort a very good book to read is "Snort 2.1 -
> Intrusion Detection"
>
> http://www.bookpool.com/.x/qd6gahkax8/sm/1931836043
>
> If you use the Netscreen/Juniper IDP you will not be able to use
> the intrusion prevention features with the SPAN setup. You
> will have to put the IDP in-line with the connection.
>
> The Cisco IDS module seems to be a good product and
> integrates well with the Catalyst 6500 series switch.
>
> http://www.cisco.com/en/US/products/hw/modules/ps2706/ps5058/index.html
>
> You may want to read more about it. There are some
> limitations that may not be acceptable for the company, like
> it can only inspect packets at 600Mbps (incoming/outgoing).
> So you will need to keep things like that in mind, because the
> company may be too big for the Cisco IDS module to watch all
> that traffic. Or if the company is rapidly growing, it may
> rapidly outgrow the IDS module. This would mean the company
> would need to choose a more robust product.
>
> Hope this answers your questions,
>
> James Williams, GISF
> Network Systems Technician
> West Texas A&M University
> \x4e\x65\x74\x77\x6f\x72\x6b\x20\x53\x65\x63\x75\x72\x69\x74\x79\x20\x47\x65\x65\x6b
>
> -----Original Message-----
> From: Carles Fragoso i Mariscal [mailto:cfragoso@cesca.es]
> Sent: Sunday, May 23, 2004 1:08 PM
> To: focus-ids@securityfocus.com
> Subject: IDS deployment on a Cat6500 series & which Snort box?
>
> Hi,
>
> A customer of ours is evaluating an outer IDS deployment on its
> Internet Data Center (IDC) core network, which consists of a
> layer-3-enabled Cisco Catalyst 6500 series switch. Its network
> traffic is under Gig speed but over 200Mbps.
>
> They have been told that the best choice would be a Cisco
> IDSM2, which is a switch-in blade IDS, because it is a
> network-node IDS and because IOS provides some kind of
> L2/VLAN ACLs which could allow them to capture traffic
> from/to selected sources/destinations to the IDS (for instance:
> critical hosts or subnets).
>
> Cisco IDSes seem not to be as well-featured as other
> products: Netscreen IDP, SourceFire, ISS Proventia, etc.
>
> I have been reading up on that, and it seems that there is also
> the possibility on the Cat6500 to use L2/VLAN ACLs to forward
> matched traffic to a SPAN port, which could open the chance of
> using any IDS on that port instead of a switch-in-only solution.
>
> - Does anyone have a similar deployment to the one described who
> could share their experience?
> - Any input regarding IDSM2 experience could also be useful.
>
> They have also asked me whether an open-source solution such as
> Snort could deal with Gig traffic, and which computer platform
> would be necessary. I have seen in the NSS Group report that a
> dual Xeon CPU with 1 GB of memory minimum is recommended for the
> Snort 2.x branch. I imagine that the NIC data bus to the main
> board should be big enough.
>
> - Any recommendation on which architecture could fit their
> possible needs?
>
> Thanks in advance guys for your help,
>
> ------------------------------------------------------------------------------
> Carles Fragoso i Mariscal
> Anella Cientifica RREN Incident Response Team (ERIAC) - Incident Handler
> Communications and Operations Dept. - Supercomputing Center of Catalonia
> eMail: cfragoso@cesca.es   Phone: +34 932056464   Fax: +34 932056979
> iDBA: 13041*CFM
> ------------------------------------------------------------------------------
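Added example, not part of the original thread: the two capture methods Carles asks about, written out as Cisco Catalyst 6500 native IOS configuration (James's `set span` commands above are CatOS syntax; this assumes the switch runs native IOS, and the exact `switchport capture` option syntax should be checked against the command reference for the installed release). VLAN 111 and port 1/2 are taken from James's example; 192.0.2.10 is a constructed address standing in for a "critical host".

```cisco
! --- Method 1: SPAN an entire VLAN to the sensor port.
! --- The sensor on Gi1/2 receives every frame in VLAN 111, interesting or not,
! --- which is the "sensor per SPAN, more traffic than needed" problem Carles describes.
monitor session 1 source vlan 111 both
monitor session 1 destination interface GigabitEthernet1/2

! --- Method 2: VACL capture, copying only traffic to/from selected hosts.
! --- 192.0.2.10 is a constructed example address (not from the thread).
ip access-list extended IDS-CRITICAL-HOSTS
 permit ip any host 192.0.2.10
 permit ip host 192.0.2.10 any
!
! Sequence 10: matched traffic is forwarded normally AND a copy is sent to
! the capture port(s). Sequence 20: everything else is forwarded without a
! copy. Without this catch-all, traffic not matched by the map is dropped,
! so a monitoring-only VACL would become an outage.
vlan access-map IDS-VACL 10
 match ip address IDS-CRITICAL-HOSTS
 action forward capture
vlan access-map IDS-VACL 20
 action forward
!
! Apply the map to the VLAN(s) carrying the hosts of interest.
vlan filter IDS-VACL vlan-list 111
!
! Designate the sensor port as a capture port. Restricting the allowed VLAN
! list keeps it from receiving captured copies from other VLANs later mapped
! with the same or other capture VACLs.
interface GigabitEthernet1/2
 switchport
 switchport capture
 switchport capture allowed vlan 111
```

Two practitioner notes on method 2: only packets that are permitted and forwarded reach the capture port, so anything dropped by another ACL on the path is invisible to the sensor; and if the same capture map is applied to both VLANs of a routed flow, the sensor can receive the packet once per VLAN, which will inflate Snort's event counts unless the map is applied on one side only. Because VACL capture is not a SPAN session, it also leaves the switch's limited SPAN sessions free for other monitoring.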