After determining your budget and choosing an IDS product -- like Snort -- you need to figure out how many sensors you need and can afford. Before you can determine how many sensors you need, you must understand that Snort, or any other IDS, can only monitor traffic it can see. In the old days of a core router and hubs, this task was relatively simple -- you purchased as many intrusion detection systems as you could afford and placed one on each segment in descending order of risk and importance.
The second way to see all traffic despite using a network switch is to use smart or manageable switches with port spanning or mirroring capabilities. Needless to say, these network switches cost more, but they are already in use in all but the most basic and cost-conscious environments. Consult your vendor documentation or the Web for detailed instructions on how to create mirror or span ports on your particular hardware. Here are a couple of Cisco guides to give you an idea:
You will need a span port for each VLAN. You are usually limited to a small number of span ports per switch (for several reasons, including bandwidth), so keep this in mind when designing your coverage. Sometimes an intrusion detection system from the switch vendor can overcome some of these limitations (e.g. the Cisco CSIDS blades). Other things to keep in mind are that span ports are usually read-only, and they usually do not participate in spanning tree. (You should check with your vendor.)
The last way to tap into your traffic is to use, well, a tap. Several companies manufacture cable taps (a.k.a. network taps) for CAT-5 and fiber. The taps are priced at several hundred U.S. dollars and up. They are easy to install, but getting them to work with the IDS sensor can be a challenge. Send and receive are often broken into two separate cables, so two network cards may be needed on the sensor.
Failure to understand how sniffing works in relation to switches and network segmentation is one of the most common problems first-time IDS implementers encounter. If your IDS sees no network traffic, or only broadcast and unidirectional traffic to/from itself, you almost certainly have a switch/span port issue. Depending on your IDS sensor solution, you can often run tcpdump or windump from the device to verify traffic. If you have an appliance or otherwise can't do it from the IDS sensor itself, use the above tools, Ethereal or another sniffer on your laptop plugged into the same switch port as your IDS.
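An added example (not from the original article): a small Python check that reads `tcpdump -nn` text output captured on the sensor and reports which of the symptoms above applies. The `diagnose` function, sensor address, subnet and sample lines are constructed for illustration; the one-direction check goes beyond the text and covers the tap case where only one of the two cables is being captured.

```python
import ipaddress
import re

# Address pair in `tcpdump -nn` IPv4 lines, with or without port numbers.
PAIR = re.compile(r" IP (\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:")
ALL_ONES = ipaddress.ip_address("255.255.255.255")

def diagnose(lines, sensor_ip, local_net):
    """Classify a capture taken on the IDS sensor's monitoring interface."""
    net = ipaddress.ip_network(local_net)
    sensor = ipaddress.ip_address(sensor_ip)
    seen = 0       # non-empty capture lines
    flows = set()  # (src, dst) pairs between hosts other than the sensor
    for line in lines:
        if not line.strip():
            continue
        seen += 1
        m = PAIR.search(line)
        if not m:
            continue  # ARP, STP, etc.: local chatter, says nothing about mirroring
        src, dst = (ipaddress.ip_address(a) for a in m.groups())
        if sensor in (src, dst):
            continue  # the sensor's own traffic reaches it on any switch port
        if dst.is_multicast or dst in (net.broadcast_address, ALL_ONES):
            continue  # flooded to every port, span or no span
        flows.add((src, dst))
    if seen == 0:
        return "no-traffic"
    if not flows:
        return "own-and-broadcast-only"  # the switch/span port symptom
    if not any((dst, src) in flows for src, dst in flows):
        return "one-direction-only"      # e.g. only one tap cable is captured
    return "ok"

# Constructed sample captures (sensor 10.0.0.50 on 10.0.0.0/24).
SPAN_BROKEN = [
    "12:00:01.000001 IP 10.0.0.50.22 > 10.0.0.7.50122: Flags [P.], length 64",
    "12:00:02.000001 IP 10.0.0.7.138 > 10.0.0.255.138: UDP, length 201",
    "12:00:03.000001 ARP, Request who-has 10.0.0.1 tell 10.0.0.7, length 46",
]
TAP_HALF = [
    "12:00:01.000001 IP 10.0.0.5.51514 > 10.0.0.9.80: Flags [S], length 0",
    "12:00:01.000900 IP 10.0.0.5.51514 > 10.0.0.9.80: Flags [.], length 0",
]
HEALTHY = TAP_HALF + [
    "12:00:01.000400 IP 10.0.0.9.80 > 10.0.0.5.51514: Flags [S.], length 0",
]

if __name__ == "__main__":
    for name, cap in (("span", SPAN_BROKEN), ("tap", TAP_HALF), ("ok", HEALTHY)):
        print(name, diagnose(cap, "10.0.0.50", "10.0.0.0/24"))
```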
JP Vossen, CISSP, is a Senior Security Engineer for Counterpane Internet Security. He is involved with various open source projects including Snort, and has previously worked as an information security consultant and systems engineer.
This was first published in May 2005