
NETWORK SECURITY TACTICS

How to handle network design with switches and segments


JP Vossen, CISSP
05.05.2005




So you have decided to implement Snort, a network-based intrusion-detection system (IDS), and you understand that it's basically a sniffer at heart. How do you monitor different network segments, especially when using network switches or VLANs (Virtual Local Area Networks)? The answer is, of course, "it depends."

After determining your budget and choosing an IDS product -- like Snort -- you need to figure out how many sensors you need and can afford. Before you can determine how many sensors you need, you must understand that Snort, or any other IDS, can only monitor traffic it can see. In the old days of a core router and hubs, this task was relatively simple -- you purchased as many intrusion detection systems as you could afford and placed one on each segment in descending order of risk and importance.


Network switches, unlike the older hubs, do not send all traffic on the segment (a.k.a. the broadcast domain) to every port. There are three basic ways around that. The first is to go back to using hubs in strategic places, which is sometimes frowned upon since it can reduce bandwidth and add another point of failure. In some cases, such as a low- to moderately-important service network (a.k.a. DMZ), it may make sense because it's inexpensive, very simple and works.

The second way to see all traffic despite using a network switch is to use smart or manageable switches with port spanning or mirroring capabilities. Needless to say, these network switches cost more, but they are already in use in all but the most basic and cost-conscious environments. Consult your vendor documentation or the Web for detailed instructions on how to create mirror or span ports on your particular hardware. Here are a couple of Cisco guides to give you an idea:

You will need a span port for each VLAN. You are usually limited to a small number of span ports per switch (for several reasons, including bandwidth), so keep this in mind when designing your coverage. Sometimes an intrusion detection system from the switch vendor can overcome some of these limitations (e.g. the Cisco CSIDS blades). Other things to keep in mind are that span ports are usually read-only, and they usually do not participate in spanning tree. (You should check with your vendor.)

The last way to tap into your traffic is to use, well, a tap. Several companies manufacture cable taps (a.k.a. network taps) for CAT-5 and fiber. The taps are priced at several hundred U.S. dollars and up. They are easy to install, but getting them to work with the IDS sensor can be a challenge. Send and receive are often broken out into two separate cables, so two network cards may be needed on the sensor.

Failure to understand how sniffing works in relation to switches and network segmentation is one of the most common problems first-time IDS implementers encounter. If your IDS sees no network traffic, or only broadcast traffic and unidirectional traffic to/from itself, you almost certainly have a switch/span port issue. Depending on your IDS sensor solution, you can often run tcpdump or windump from the device to verify traffic. If you have an appliance or otherwise can't do it from the IDS sensor itself, use the above tools, Ethereal or another sniffer on your laptop plugged into the same switch port as your IDS.
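As an added example (not part of the original tip), the script below automates the check just described: it reads `tcpdump -e -n` output and counts frames whose source and destination MAC are neither the sensor's own NIC nor a broadcast/multicast address, since only such third-party frames prove the port is actually mirrored. The sensor MAC, interface name and the sample capture lines are constructed placeholders.

```shell
#!/bin/sh
# Added example: decide whether a sensor NIC sees mirrored (span) traffic
# or only its own frames plus broadcasts. Not code from the original tip.

SENSOR_MAC="00:11:22:33:44:55"   # assumption: the sensor NIC's own MAC, lowercase

# Constructed sample of "tcpdump -e -n" output covering the cases that matter:
# 1) sensor's own ARP, 2) someone else's broadcast, 3) unicast TO the sensor,
# 4) a frame between two other hosts (only this one proves the span works).
SAMPLE='12:00:01.000001 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.1 tell 10.0.0.9
12:00:01.000002 00:aa:bb:cc:dd:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.0.0.5 tell 10.0.0.2
12:00:01.000003 00:aa:bb:cc:dd:02 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 98: 10.0.0.3 > 10.0.0.9: ICMP echo request
12:00:01.000004 00:aa:bb:cc:dd:03 > 00:aa:bb:cc:dd:04, ethertype IPv4 (0x0800), length 74: 10.0.0.7.51234 > 10.0.0.8.80: Flags [S]'

# count_third_party_frames SENSOR_MAC  < tcpdump_output
# Prints how many frames involve neither the sensor nor a group address.
count_third_party_frames() {
    awk -v me="$1" '
        # Link-layer lines look like: <ts> <src-mac> > <dst-mac>, ethertype ...
        $3 == ">" && $2 ~ /:.*:/ {
            src = tolower($2); dst = tolower($4); sub(/,$/, "", dst)
            if (src == me || dst == me) next        # sensor own traffic: proves nothing
            if (dst ~ /^.[13579bdf]:/) next         # group bit set: broadcast/multicast
            n++
        }
        END { print n + 0 }'
}

# span_verdict SENSOR_MAC  < tcpdump_output   -> prints OK or SUSPECT
span_verdict() {
    if [ "$(count_third_party_frames "$1")" -gt 0 ]; then
        echo OK        # third-party unicast seen: the port is mirrored
    else
        echo SUSPECT   # only own/broadcast frames: check the span/mirror config
    fi
}

# Live use on a real sensor (assumed interface name eth1, requires root):
#   tcpdump -i eth1 -e -n -c 200 2>/dev/null | span_verdict "$SENSOR_MAC"
printf '%s\n' "$SAMPLE" | span_verdict "$SENSOR_MAC"
```

Run a few hundred frames through it on a busy segment; a SUSPECT verdict with a healthy switch almost always means the sensor port is not in the mirror session or the wrong VLAN is being spanned.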


SNORT INTRUSION DETECTION AND PREVENTION GUIDE

  Introduction
  Why Snort makes IDS worth the time and effort
  How to identify and monitor network ports
  How to handle network design with switches and segments
  Where to place IDS network sensors
  Finding an OS for Snort IDS sensors
  How to determine network interface cards for IDS sensors
  Modifying and writing custom Snort IDS rules
  How to configure Snort variables
  Where to find Snort IDS rules
  How to automatically update Snort rules
  How to decipher the Oinkcode for Snort's VRT rules
  Using IDS rules to test Snort

ABOUT THE AUTHOR:
JP Vossen, CISSP, is a Senior Security Engineer for Counterpane Internet Security. He is involved with various open source projects including Snort, and has previously worked as an information security consultant and systems engineer.

