Solved

IDS implementation/design

Posted on 2009-07-05
3
309 Views
Last Modified: 2013-11-29
We have 3 switches in our building that all connect back to a distribution switch.
The 3 switches on the first floor are Extreme Networks. The distribution switch is a Cisco 4507r

1. What is the easiest way to monitor each switch with an IDS? Do I need a physical connection from the IDS box, to each switch?

2. The inter-vlan routing occurs in the distribution switch (Cisco 4507r). Would it be possible to monitor ALL vlans with port monitoring? Or again, will I need a separate physical connection for each switch and each VLAN.

Using a dell server running RH Enterprise with Snort 2.8.4
Thanks
0
Comment
Question by:WERAracer
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 25

Expert Comment

by:Ken Boone
ID: 24780904
#1  If you want to monitor traffic at a switch level then yes you would need a connection into each switch in your scenario.

#2  Since all intervlan traffic occurs in the 4507 you could monitor all vlans in the 4507.  This will only show you traffic as it flows into the 4507.  Realize that layer 2 or layer 3 traffic that will flow within the same switch will not be seen, however, this is usually sufficient unless there are a few particular ports that you want to make sure you see everything on in one of the remote closets.
0
 
LVL 1

Author Comment

by:WERAracer
ID: 24780923
Ken, thanks for the response. So is it safe to say best practices is to monitor at the VLAN level? Can this be accomplished by enabling port monitoring on trunk ports?

I understand that with this method, we cannot see hosts who talk amongst each other in the same VLAN. We would only see traffic going into the 4507r, destined for other networks. Am I correct by this?
0
 
LVL 25

Accepted Solution

by:
Ken Boone earned 500 total points
ID: 24780951
This is how I typically set it up for my customers.  Try to get the most bang for your buck.  Monitor the vlan, not the trunk.  If I am not mistaken on the 4507 you can mirror the vlans.  I don't think you can mirror the trunk ports.    Also, realize that you won't get 100% of the traffic all of the time.  

Your second statement is correct with the exception of if the traffic is contained within a single vlan, and the traffic still flows through the 4500 because of the way the trunks are set up you will still see the traffic.  
0

Featured Post

The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
802.1x and RDP Issues 6 74
Security Event Log - 4625 11 31
Blocking Websites with Security Groups in AWS 4 47
What's API gateway/firewall & how it's used 10 43
There's a lot of hype surrounding blockchain technology. Here's how it works and some of the novel ways it' s now being used - including for data protection.
Ransomware continues to grow in reach and sophistication, putting data everywhere at risk. Learn how to avoid being caught in its sinister clutches with these 11 key tips.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

740 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question