How to handle network design with switches and segments


JP Vossen, CISSP
05.05.2005


So you have decided to implement Snort, a network-based intrusion-detection system (IDS), and you understand that it's basically a sniffer at heart. How do you monitor different network segments, especially when using network switches or VLANs (Virtual Local Area Networks)? The answer is, of course, "it depends."

After determining your budget and choosing an IDS product -- like Snort -- you need to figure out how many sensors you need and can afford. Before you can determine how many sensors you need, you must understand that Snort, or any other IDS, can only monitor traffic it can see. In the old days of a core router and hubs, this task was relatively simple -- you purchased as many intrusion detection systems as you could afford and placed one on each segment in descending order of risk and importance.

Network switches, unlike the older hubs, do not send all traffic on the segment (a.k.a. the broadcast domain) to every port. There are three basic ways around that. The first is to go back to using hubs in strategic places, which is sometimes frowned upon since it can reduce bandwidth and add another point of failure. In some cases, such as a low- to moderately important service network (a.k.a. DMZ), it may make sense because it's inexpensive, very simple and works.

The second way to see all traffic despite using a network switch is to use smart or manageable switches with port spanning or mirroring capabilities. Needless to say, these network switches cost more, but they are already in use in all but the most basic and cost-conscious environments. Consult your vendor documentation or the Web for detailed instructions on how to create mirror or span ports on your particular hardware. Here are a couple of Cisco guides to give you an idea:

You will need a span port for each VLAN. You are usually limited to a small number of span ports per switch (for several reasons, including bandwidth) so keep this in mind when designing your coverage. Sometimes an intrusion detection system from the switch vendor can overcome some of these limitations (e.g. the Cisco CSIDS blades). Other things to keep in mind are that span ports are usually read only, and they usually do not participate in spanning tree. (You should check with your vendor.)

The last way to tap into your traffic is to use, well, a tap. Several companies manufacture cable taps (a.k.a. network taps) for CAT-5 and fiber. The taps are priced at several hundred U.S. dollars and up. They are easy to install, but getting them to work with the IDS sensor can be a challenge. Send and receive are often broken out into two separate cables, so two network cards may be needed on the sensor.

Failure to understand how sniffing works in relation to switches and network segmentation is one of the most common problems first-time IDS implementers encounter. If your IDS sees no network traffic, or only broadcast traffic and unidirectional traffic to/from itself, you almost certainly have a switch/span port issue. Depending on your IDS sensor solution, you can often run tcpdump or windump from the device to verify traffic. If you have an appliance or otherwise can't do it from the IDS sensor itself, use the above tools, Ethereal or another sniffer on your laptop plugged into the same switch port as your IDS.
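As an added illustration of the verification step above and of the one-span-port-per-VLAN point earlier (example code, not part of the original tip): this script classifies `tcpdump -e -n` output lines by whether the sensor sees only broadcast/multicast frames and unicast to/from its own MAC (the symptom the text describes) or also unicast between two other hosts (what a working span or mirror port delivers), and records which 802.1Q VLAN ids appeared. The sensor MAC, frames and VLAN ids are constructed samples.

```python
import re
from collections import Counter
# Sensor NIC address and all tcpdump -e -n lines below are constructed for this example.
SENSOR_MAC = "00:0c:29:aa:bb:cc"

# Plain (non-mirrored) switch port: only the sensor's own ARP/ICMP, replies to it, multicast noise.
CAPTURE_PLAIN_PORT = """\
10:00:01.000001 00:0c:29:aa:bb:cc > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.1.1.1 tell 10.1.1.20, length 28
10:00:01.000002 00:0c:29:aa:bb:cc > 00:50:56:11:22:33, ethertype IPv4 (0x0800), length 98: 10.1.1.20 > 10.1.1.1: ICMP echo request, id 1, seq 1, length 64
10:00:01.000003 00:50:56:11:22:33 > 00:0c:29:aa:bb:cc, ethertype IPv4 (0x0800), length 98: 10.1.1.1 > 10.1.1.20: ICMP echo reply, id 1, seq 1, length 64
10:00:01.000004 00:50:56:11:22:33 > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 80: 10.1.1.1.5353 > 224.0.0.251.5353: UDP, length 38
"""

# Same sensor behind a working mirror port: unicast between other hosts, tagged with two VLAN ids.
CAPTURE_SPAN_PORT = CAPTURE_PLAIN_PORT + """\
10:00:02.000001 00:50:56:44:55:66 > 00:50:56:77:88:99, ethertype 802.1Q (0x8100), length 78: vlan 10, p 0, ethertype IPv4 (0x0800), 10.1.10.5.51234 > 10.1.10.9.80: Flags [S], seq 1, win 65535, length 0
10:00:02.000002 00:50:56:aa:00:01 > 00:50:56:aa:00:02, ethertype 802.1Q (0x8100), length 94: vlan 20, p 0, ethertype IPv4 (0x0800), 10.1.20.7.53 > 10.1.20.3.40000: UDP, length 48
"""

FRAME_RE = re.compile(r"^\S+\s+(?P<src>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > (?P<dst>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}),", re.I)
VLAN_RE = re.compile(r"\bvlan (\d+),")

def classify_capture(text, sensor_mac):
    """Bucket frames: broadcast/multicast, to/from the sensor, or unicast between other hosts."""
    counts, vlans, sensor_mac = Counter(), set(), sensor_mac.lower()
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if not m:
            continue  # not a frame header line (e.g. a hex-dump continuation)
        src, dst = m.group("src").lower(), m.group("dst").lower()
        v = VLAN_RE.search(line)
        if v:
            vlans.add(int(v.group(1)))  # 802.1Q tag: which VLANs the span port is feeding us
        if int(dst[:2], 16) & 1:        # group bit set in first octet: broadcast or multicast
            counts["broadcast_multicast"] += 1
        elif sensor_mac in (src, dst):  # the sensor's own conversations
            counts["to_from_sensor"] += 1
        else:
            counts["third_party_unicast"] += 1  # only a span/mirror/tap/hub delivers these
    return counts, vlans

def sensor_sees_mirrored_traffic(text, sensor_mac):
    """False reproduces the symptom in the tip: suspect the switch/span port configuration."""
    return classify_capture(text, sensor_mac)[0]["third_party_unicast"] > 0

if __name__ == "__main__":
    for name, cap in (("plain port", CAPTURE_PLAIN_PORT), ("span port", CAPTURE_SPAN_PORT)):
        counts, vlans = classify_capture(cap, SENSOR_MAC)
        print(name, dict(counts), "vlans:", sorted(vlans), "OK" if sensor_sees_mirrored_traffic(cap, SENSOR_MAC) else "check span/mirror config")
```

On a real sensor, feed it `tcpdump -e -n -i <sniffing interface> -c 500` output and the sensor's own MAC; a result with zero third-party unicast after a few hundred frames is the switch/span problem the tip describes, not an IDS fault.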

ABOUT THE AUTHOR:

JP Vossen, CISSP, is a Senior Security Engineer for Counterpane Internet Security. He is involved with various open source projects including Snort, and has previously worked as an information security consultant and systems engineer.

