Solved

IDS implementation/design

Posted on 2009-07-05
3
288 Views
Last Modified: 2013-11-29
We have 3 switches in our building that all connect back to a distribution switch.
The 3 switches on the first floor are Extreme Networks. The distribution switch is a Cisco 4507r

1. What is the easiest way to monitor each switch with an IDS? Do I need a physical connection from the IDS box, to each switch?

2. The inter-vlan routing occurs in the distribution switch (Cisco 4507r). Would it be possible to monitor ALL vlans with port monitoring? Or again, will I need a separate physical connection for each switch and each VLAN.

Using a dell server running RH Enterprise with Snort 2.8.4
Thanks
0
Comment
Question by:WERAracer
  • 2
3 Comments
 
LVL 24

Expert Comment

by:Ken Boone
ID: 24780904
#1  If you want to monitor traffic at a switch level then yes you would need a connection into each switch in your scenario.

#2  Since all intervlan traffic occurs in the 4507 you could monitor all vlans in the 4507.  This will only show you traffic as it flows into the 4507.  Realize that layer 2 or layer 3 traffic that will flow within the same switch will not be seen, however, this is usually sufficient unless there are a few particular ports that you want to make sure you see everything on in one of the remote closets.
0
 
LVL 1

Author Comment

by:WERAracer
ID: 24780923
Ken, thanks for the response. So is it safe to say best practices is to monitor at the VLAN level? Can this be accomplished by enabling port monitoring on trunk ports?

I understand that with this method, we cannot see hosts who talk amongst each other in the same VLAN. We would only see traffic going into the 4507r, destined for other networks. Am I correct by this?
0
 
LVL 24

Accepted Solution

by:
Ken Boone earned 500 total points
ID: 24780951
This is how I typically set it up for my customers.  Try to get the most bang for your buck.  Monitor the vlan, not the trunk.  If I am not mistaken on the 4507 you can mirror the vlans.  I don't think you can mirror the trunk ports.    Also, realize that you won't get 100% of the traffic all of the time.  

Your second statement is correct with the exception of if the traffic is contained within a single vlan, and the traffic still flows through the 4500 because of the way the trunks are set up you will still see the traffic.  
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

Password hashing is better than message digests or encryption, and you should be using it instead of message digests or encryption.  Find out why and how in this article, which supplements the original article on PHP Client Registration, Login, Logo…
If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now