RE: IDS in a loadbalanced Network

Hi *

Well, I am not actually looking for a specific product, as I do some
research for a diploma thesis, but this thesis will probably be used for
some kind of intrusion detection rollout (hopefully).

I am currently searching for "good ways" to place IDS in our
datacenter. We have multiple STM-1 connections to the internet, several
separate server rooms which are connected by portchannels. We use
C6506 couples (for redundancy) as backbone switches and C4006 as access
switches where the servers connect. Each access switch is coupled to at
least two different backbone routers with trunks.
Apart from getting a general how-bad-is-the-internet overview, the
general plans of usage for an IDS are not elaborated, only the typical "we
need an IDS to be secure" *sigh*

So it's kinda my job to show a scope for an IDS and some practical tips
of how to use an IDS here.

I'm not looking for a Cisco-specific solution, but as we have lots of
Cisco equipment I thought I'd better mention that.

Some guys set up a little Snort box to analyse attacks from the internet,
and want to introduce another IDS in the backbone... Which is, at least
in my eyes, not the best place for an IDS, as there is a lot of traffic, and
I believe some more but smarter, better configured (better as it is
easier to set up/control rules for different VLANs/DMZ than for doing an
overall check).
Problem for me is now: specific VLANs may be present in different server
rooms connected from/to different switches. So there is no single switch
where a complete VLAN is sitting on, as this may be routed according to
L3 costs over different backbone switches to the target access switch.

Uhh, hope I didn't describe it too confusingly, sorry for my mediocre English.


-----Original Message-----
From: SanjayR [mailto:sanjayr@xxxxxxxxxx]
Sent: Friday, September 08, 2006 7:25 AM
To: Scholten, Jan; focus-ids@xxxxxxxxxxxxxxxxx
Subject: Re: IDS in a loadbalanced Network

Hi Jan:

I am not clear on whether you are looking for some general IDS solution or you have some particular product in mind, as you have given the example of a Cisco switch. So, let us consider that model. According to my understanding, the Cisco 6500 series has an inbuilt module for IDS/firewall: ".......The Cisco(r) Catalyst(r) 6500 Series Intrusion Detection System Services Module (IDSM-2) is an important intrusion prevention system (IPS) solution for safeguarding organizations from costly and debilitating network breaches and for helping to ensure business continuity." If you are using this switch, then irrespective of VLANs, you can monitor the traffic for malicious activities.

Now let us consider a general scenario. The basic philosophy behind any monitoring device is visibility of activities/traffic. So, one must keep the device at a point where it can see the maximum traffic (it is known, anyway). In case of VLANs, your IDS should be able to interpret the VLAN format. 802.1Q is the IEEE standard for tagging frames on a trunk (trunks are used to carry traffic that belongs to multiple VLANs between devices over the same link). ISL and 802.1Q are two types of encapsulation that are used to carry data from multiple VLANs over trunk links. If you are sure that your IDS is capable of decoding VLAN traffic, you can plug that into a spanning port (as you suggested).

In case of HSRP, if I am correct, you will be connecting the redundant routers (or switches) by using some switch/hub, where one device will be acting as HSRP virtual router. So, in a way, all the traffic is coming to that switch and again, you can configure one of the ports as spanning and keep monitoring the traffic.

so...have I added something useful?

Intoto Softwares
Computer Security: A little delay to break into your network.

-- DSR

At 03:56 PM 9/7/2006, Scholten, Jan wrote:

While searching for a matching IDS I encountered some problems.

Having a network structure with lots of separate VLANs and/or DMZ
networks, I am wondering what is the best way to place an IDS in a
redundant L3 switch/router (C6506/7300) with HSRP and PortChannel
load balancing for VLANs.
Is there a best practice how to place an IDS in a VLAN, using a SPAN port
on each of the devices (running in active/active), or is there a better

Regards from Germany
Jan Scholten

Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
to learn more.
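An added example, not from the thread and not any vendor's code, of the VLAN decoding SanjayR's reply calls for: a small Python parser that strips single 802.1Q and double (802.1ad/QinQ) tags from a frame as mirrored to a SPAN port and uses the innermost VLAN ID to pick a per-VLAN/DMZ rule set, which is the selective approach Jan argues for over one backbone-wide check. The MACs, payload, rule-set names and the `rule_set_for` helper are constructed for the example; Cisco ISL encapsulation is not handled.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List

# TPID values that mark a VLAN tag in an Ethernet frame
TPID_8021Q = 0x8100    # standard 802.1Q tag
TPID_8021AD = 0x88A8   # 802.1ad service tag (QinQ outer tag)


@dataclass
class ParsedFrame:
    dst: str
    src: str
    vlans: List[int]   # VLAN IDs outer-to-inner; empty for an untagged frame
    ethertype: int     # ethertype after all tags (e.g. 0x0800 = IPv4)
    payload: bytes


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(frame: bytes) -> ParsedFrame:
    """Strip 802.1Q/802.1ad tags so the L3 payload can go to the decoder."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = _mac(frame[0:6]), _mac(frame[6:12])
    offset, vlans = 12, []
    ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    while ethertype in (TPID_8021Q, TPID_8021AD):
        if len(frame) < offset + 6:          # need TCI plus the next ethertype
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        vlans.append(tci & 0x0FFF)          # low 12 bits = VLAN ID; PCP/DEI ignored
        offset += 4
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    return ParsedFrame(dst, src, vlans, ethertype, frame[offset + 2:])


def rule_set_for(frame: bytes, vlan_rules: Dict[int, str], default: str = "backbone") -> str:
    """Hypothetical dispatcher: choose the rule set by the innermost (customer) VLAN."""
    p = parse_frame(frame)
    return vlan_rules[p.vlans[-1]] if p.vlans and p.vlans[-1] in vlan_rules else default


# Constructed sample frames: dummy MACs and a dummy 20-byte IPv4 header as payload
DST, SRC = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
PAYLOAD = bytes.fromhex("4500001400010000400600000a0000010a000002")
UNTAGGED = DST + SRC + b"\x08\x00" + PAYLOAD
TAGGED = DST + SRC + struct.pack("!HH", TPID_8021Q, (3 << 13) | 100) + b"\x08\x00" + PAYLOAD
QINQ = DST + SRC + struct.pack("!HH", TPID_8021AD, 500) + struct.pack("!HH", TPID_8021Q, 200) + b"\x08\x00" + PAYLOAD
```

Whether the mirrored copy still carries its tag depends on how the SPAN session is configured, so verify with a capture on the sensor port before keying rules on VLAN IDs.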
