Solved

IDS implementation/design

Posted on 2009-07-05
3
313 Views
Last Modified: 2013-11-29
We have 3 switches in our building that all connect back to a distribution switch.
The 3 switches on the first floor are Extreme Networks. The distribution switch is a Cisco 4507r

1. What is the easiest way to monitor each switch with an IDS? Do I need a physical connection from the IDS box, to each switch?

2. The inter-vlan routing occurs in the distribution switch (Cisco 4507r). Would it be possible to monitor ALL vlans with port monitoring? Or again, will I need a separate physical connection for each switch and each VLAN.

Using a dell server running RH Enterprise with Snort 2.8.4
Thanks
0
Comment
Question by:WERAracer
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 25

Expert Comment

by:Ken Boone
ID: 24780904
#1  If you want to monitor traffic at a switch level then yes you would need a connection into each switch in your scenario.

#2  Since all intervlan traffic occurs in the 4507 you could monitor all vlans in the 4507.  This will only show you traffic as it flows into the 4507.  Realize that layer 2 or layer 3 traffic that will flow within the same switch will not be seen, however, this is usually sufficient unless there are a few particular ports that you want to make sure you see everything on in one of the remote closets.
0
 
LVL 1

Author Comment

by:WERAracer
ID: 24780923
Ken, thanks for the response. So is it safe to say best practices is to monitor at the VLAN level? Can this be accomplished by enabling port monitoring on trunk ports?

I understand that with this method, we cannot see hosts who talk amongst each other in the same VLAN. We would only see traffic going into the 4507r, destined for other networks. Am I correct by this?
0
 
LVL 25

Accepted Solution

by:
Ken Boone earned 500 total points
ID: 24780951
This is how I typically set it up for my customers.  Try to get the most bang for your buck.  Monitor the vlan, not the trunk.  If I am not mistaken on the 4507 you can mirror the vlans.  I don't think you can mirror the trunk ports.    Also, realize that you won't get 100% of the traffic all of the time.  

Your second statement is correct with the exception of if the traffic is contained within a single vlan, and the traffic still flows through the 4500 because of the way the trunks are set up you will still see the traffic.  
0

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Smart phones, smart watches, Bluetooth-connected devices—the IoT is all around us. In this article, we take a look at the security implications of our highly connected world.
Do you know what to look for when considering cloud computing? Should you hire someone or try to do it yourself? I'll be covering these questions and looking at the best options for you and your business.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question