WERAracer
Which ports to monitor with IDS?
Is it unreasonable to monitor uplink ports with Snort (via port monitoring on Cisco switches)?
For example, if I enabled port monitoring on the uplink that goes from our switch to our firewall, is it even worth monitoring this? Basically, I'm trying to gauge which ports should be monitored inside a network. What about the DMZ? Looking for best practices here.
Thanks
ASKER
I have decided to go the SPAN route. How do I go about CCing the traffic via RSPAN? When you say I could kill uplinks/ports, do you mean bandwidth-wise? Is this possible to do on a 4507R?
I basically just need to monitor one VLAN (the default VLAN, actually). I have done this several times on 2950s, 2900XLs, etc. via the port monitor command. How do I do this on a 4507R?
Thanks for the response Rich.
ASKER CERTIFIED SOLUTION
ASKER
thank you!
Question. We have VLANs that obviously span several switches. If I just wanted to monitor VLAN 1 on our core switch, would this work:
monitor session 1 source vlan 1
monitor session 1 destination interface gig3/1
That would send ALL traffic in the default VLAN to 3/1 (where my Snort box is)?
Thanks
Yes, I believe that will work; however, I don't know the 4500 series that well, and I've not seen those commands myself. Yes, all traffic that your switch sees will be sent to that port. If the traffic exceeds 1 Gb, the traffic is dropped (sometimes queued and sent on), but if you RSPAN another switch the same way and that traffic exceeds your uplinks, you'll have a lot of issues, and with that comes the retransmission storm compounding the problem. I'm not sure of the RSPAN for that model, but it's probably in the CLI help or tab completion.
-rich
To clarify, all traffic on VLAN 1 that your core switch sees will be sent to the monitor port. If the bandwidth of the monitor port is exceeded, it will likely drop frames; that won't cause problems, but it potentially makes the IDS miss packets. I personally like to have segregated sensors and SPAN sessions. The switch doesn't work as hard, I can tell what section of the network traffic came from/went to, and I can split the load onto another CPU on our Snort device as well for faster and more reliable processing.
-rich
ASKER
thanks
The single best place to monitor is a trunk/uplink between switches or other gear. You can set your SPAN session to include all traffic on all VLANs, or you can weed out VLANs or ports. We have enough gear and bandwidth in use that we have to "tap" switch traffic with Gigamon devices: http://www.gigamon.com/
If you're not that big, you can make a few taps from multiple NICs, run one to each switch, or Cisco's SPAN sessions can be "cc'd" to central switches via RSPAN: http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml#topic4-2 Note that depending on your throughput, you could kill your uplink ports/trunks...
Again, the SPAN port can list multiple ports or VLANs, and depending on your switch you can have more than one SPAN session on that switch.
-rich
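The RSPAN "cc" Rich describes, written out as an added example (not from the thread or the linked Cisco note): an edge switch copies VLAN 1 onto a dedicated RSPAN VLAN, and the core terminates it on the Snort port from the asker's question. Assumptions: Catalyst IOS syntax, a spare VLAN 900 as the RSPAN carrier, Gig0/24 as the edge trunk toward the core, and GigabitEthernet3/1 as the sensor port.

```cisco
! --- Edge switch (where the monitored VLAN 1 hosts live) ---
! A spare VLAN carries the copied frames; VLAN 900 is an assumed value.
vlan 900
 name RSPAN-TO-CORE
 remote-span
!
! Copy ingress-only (rx) VLAN 1 frames. Monitoring a VLAN source with
! "both" delivers intra-VLAN frames twice (once in, once out) and doubles
! the load on the uplink and the sensor for no extra visibility.
monitor session 1 source vlan 1 rx
monitor session 1 destination remote vlan 900
!
! The trunk toward the core must carry the RSPAN VLAN or nothing arrives.
interface GigabitEthernet0/24
 switchport trunk allowed vlan add 900
!
! --- Core switch (the 4507R in the thread), where the Snort sensor sits ---
vlan 900
 name RSPAN-TO-CORE
 remote-span
!
! Terminate the RSPAN VLAN on the sensor port.
monitor session 2 source remote vlan 900
monitor session 2 destination interface GigabitEthernet3/1
!
! Verify on each switch: the session should list VLAN 900 as remote
! destination (edge) or remote source (core), and the VLAN as remote-span.
show monitor session all
show vlan remote-span
```

The copied frames share the edge-to-core trunk with production traffic, which is the "kill your uplink" risk Rich raises; check trunk utilization before and after enabling the session.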