
How to handle network design with switches and segments

Expert JP Vossen explains how to handle switches and segments in conjunction with network-based IDS.

So you have decided to implement Snort, a network-based intrusion-detection system (IDS), and you understand that it's basically a sniffer at heart. How do you monitor different network segments, especially when using network switches or VLANs (Virtual Local Area Networks)? The answer is, of course, "it depends."

After determining your budget and choosing an IDS product -- like Snort -- you need to figure out how many sensors you need and can afford. Before you can determine how many sensors you need, you must understand that Snort, or any other IDS, can only monitor traffic it can see. In the old days of a core router and hubs, this task was relatively simple -- you purchased as many intrusion detection systems as you could afford and placed one on each segment in descending order of risk and importance.


Network switches, unlike the older hubs, do not send all traffic on the segment (a.k.a. the broadcast domain) to every port. There are three basic ways around that. The first is to go back to using hubs in strategic places, which is sometimes frowned upon since it can reduce bandwidth and add another point of failure. In some cases, such as a low- to moderately-important service network (a.k.a. DMZ), it may make sense because it's inexpensive, very simple and works.

The second way to see all traffic despite using a network switch is to use smart or manageable switches with port spanning or mirroring capabilities. Needless to say, these network switches cost more, but they are already in use in all but the most basic and cost-conscious environments. Consult your vendor documentation or the Web for detailed instructions on how to create mirror or span ports on your particular hardware. Here are a couple of Cisco guides to give you an idea:

  • Cisco Catalyst 4000 Series Switches
  • Cisco Catalyst 6500 Series Switches

You will need a span port for each VLAN. You are usually limited to a small number of span ports per switch (for several reasons, including bandwidth), so keep this in mind when designing your coverage. Sometimes an intrusion detection system from the switch vendor can overcome some of these limitations (e.g. the Cisco CSIDS blades). Other things to keep in mind are that span ports are usually read-only, and they usually do not participate in spanning tree. (You should check with your vendor.)

The last way to tap into your traffic is to use, well, a tap. Several companies manufacture cable taps (a.k.a. network taps) for CAT-5 and fiber. The taps are priced at several hundred U.S. dollars and up. They are easy to install, but getting them to work with the IDS sensor can be a challenge. Send and receive are often broken into two separate cables, so two network cards may be needed on the sensor.

Failure to understand how sniffing works in relation to switches and network segmentation is one of the most common problems first-time IDS implementers encounter. If your IDS sees no network traffic, or only broadcast and uni-directional traffic to/from itself, you almost certainly have a switch/span port issue. Depending on your IDS sensor solution, you can often run tcpdump or windump from the device to verify traffic. If you have an appliance or otherwise can't do it from the IDS sensor itself, use the above tools, Ethereal or another sniffer on your laptop plugged into the same switch port as your IDS.
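The "my IDS sees nothing" check described above can be made mechanical. The script below is an added example, not code from the article or from the Snort project: it reads the text output of `tcpdump -nn` for the sensor's monitoring interface and classifies what the interface is actually seeing. It returns `LOCAL_ONLY` when every packet is broadcast, multicast or to/from the sensor's own address (the classic missing span port), `ONE_WAY` when third-party traffic is present but no conversation is seen in both directions (what a single NIC on a tap that splits send and receive would report), and `MIRRORED_OK` when bidirectional third-party traffic is visible. The sensor address `10.0.0.50`, the interface name `eth1` and the capture lines embedded in the `sample_*` functions are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original article): classify a tcpdump text
# capture to tell whether the sensor NIC is really receiving mirrored traffic.
# Usage on a real sensor (assumes the monitoring NIC is eth1):
#   tcpdump -nn -i eth1 -c 200 2>/dev/null | classify_capture 10.0.0.50

# classify_capture SENSOR_IP  (reads "tcpdump -nn" lines on stdin)
# Prints exactly one of: NO_TRAFFIC, LOCAL_ONLY, ONE_WAY, MIRRORED_OK
classify_capture() {
    sensor_ip="$1"
    awk -v me="$sensor_ip" '
        { total++ }
        $2 == "IP" {
            src = $3; dst = $5
            sub(/:$/, "", dst)                          # strip trailing colon
            # TCP/UDP lines carry a port as a fifth dotted field; ICMP does not
            if (gsub(/\./, ".", src) == 4) sub(/\.[0-9]+$/, "", src)
            if (gsub(/\./, ".", dst) == 4) sub(/\.[0-9]+$/, "", dst)
            if (src == me || dst == me) next            # our own traffic
            if (dst ~ /\.255$/ || dst == "255.255.255.255") next   # broadcast
            if (dst ~ /^2(2[4-9]|3[0-9])\./) next       # multicast 224-239
            third++                                     # traffic between others
            seen[src ">" dst] = 1
        }
        END {
            # A flow is bidirectional if its reverse direction was also seen
            for (k in seen) {
                split(k, p, ">")
                if ((p[2] ">" p[1]) in seen) bidir++
            }
            if (total == 0)      print "NO_TRAFFIC"
            else if (third == 0) print "LOCAL_ONLY"
            else if (bidir == 0) print "ONE_WAY"
            else                 print "MIRRORED_OK"
        }'
}

# Constructed sample: a sensor at 10.0.0.50 on a plain switch port sees only
# its own SSH session, ARP and NetBIOS broadcasts.
sample_local_only() {
    cat <<'EOF'
09:15:01.000001 ARP, Request who-has 10.0.0.1 tell 10.0.0.50, length 28
09:15:01.000500 IP 10.0.0.50.22 > 10.0.0.9.51022: Flags [P.], seq 1:53, ack 1, win 501, length 52
09:15:02.000001 IP 10.0.0.7.138 > 10.0.0.255.138: UDP, length 201
09:15:03.000001 IP 10.0.0.9.51022 > 10.0.0.50.22: Flags [.], ack 53, win 501, length 0
EOF
}

# Constructed sample: only one direction of a third-party conversation
# (what one NIC on a send/receive-split tap would show).
sample_one_way() {
    cat <<'EOF'
09:16:01.000001 IP 192.168.1.20.51515 > 203.0.113.10.443: Flags [S], seq 10, win 64240, length 0
09:16:01.200001 IP 192.168.1.20.51515 > 203.0.113.10.443: Flags [.], ack 1, win 64240, length 0
09:16:02.000001 IP 10.0.0.7.138 > 10.0.0.255.138: UDP, length 201
EOF
}

# Constructed sample: a working span port shows both sides of other hosts' flows.
sample_mirrored() {
    cat <<'EOF'
09:17:01.000001 IP 192.168.1.20.51515 > 203.0.113.10.443: Flags [S], seq 10, win 64240, length 0
09:17:01.050001 IP 203.0.113.10.443 > 192.168.1.20.51515: Flags [S.], seq 7, ack 11, win 65160, length 0
09:17:02.000001 IP 10.0.0.7 > 192.168.1.20: ICMP echo request, id 4, seq 1, length 64
09:17:02.000900 IP 192.168.1.20 > 10.0.0.7: ICMP echo reply, id 4, seq 1, length 64
09:17:03.000001 IP 10.0.0.7.138 > 10.0.0.255.138: UDP, length 201
EOF
}

# Stand-alone demo: classify the constructed "plain switch port" capture.
sample_local_only | classify_capture 10.0.0.50
```

The check only needs a few hundred packets; if the result is `LOCAL_ONLY` the problem is almost always on the switch side (no span or mirror session pointing at the sensor's port), and if it is `ONE_WAY` look at how the tap's two cables map onto the sensor's NICs before touching the IDS configuration.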


  • Why Snort makes IDS worth the time and effort
  • How to identify and monitor network ports
  • How to handle network design with switches and segments
  • Where to place IDS network sensors
  • Finding an OS for Snort IDS sensors
  • How to determine network interface cards for IDS sensors
  • Modifying and writing custom Snort IDS rules
  • How to configure Snort variables
  • Where to find Snort IDS rules
  • How to automatically update Snort rules
  • How to decipher the Oinkcode for Snort's VRT rules
  • Using IDS rules to test Snort

JP Vossen, CISSP, is a Senior Security Engineer for Counterpane Internet Security. He is involved with various open source projects including Snort, and has previously worked as an information security consultant and systems engineer.

This was last published in May 2005
