Solved

Which ports to monioter with IDS?

Posted on 2009-07-06
7
346 Views
Last Modified: 2013-11-29
Is it unreasonable to monitor uplink ports with snort? (via port monitoring in cisco switches)

For example, if I enabled port monitoring on the uplink that goes from our switch, to our firewall. Is it even worth monitoring this?  basically, I'm trying to gauge what ports should be monitored inside a network. What about DMZ? Looking for best practices here

Thanks
0
Comment
Question by:WERAracer
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 24791624
Monitoring incoming traffic from outside the firewall will be very chatty, monitor the inside interface if your only concerned with traffic the firewall does let through. If your interested in blocking active attacks, sniff the outside, if not, don't.
The best place single place to monitor is a trunk/uplink between switches or other gear. You can set your span session to include all traffic on all vlan's, or you can weed out vlan's or port's. We have enough gear and bandwidth being used we have to "tap" switch traffic with  Gigamon devices: http://www.gigamon.com/
If your not that big, you can make a few taps from multiple nic's, run one to each switch, or cisco's span sessions can be "cc'd" to central switches via RSPAN: http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml#topic4-2 Note depending on your through put, you could kill your uplink ports/trunks...
Again the span port can list multiple ports or vlan's, and depending on your switch you can have more than one span session on that switch.
-rich
0
 
LVL 1

Author Comment

by:WERAracer
ID: 24793653
I have decided to do the SPAN route. How do I go about CCing the traffic via RSPAN. When you say I could kill uplink/ports, do you mean bandwidth wise? Is this possible to do on a 4507R?

I basically just need to monitor one VLAN (default vlan actually).  I have done this several times on 2950, 2900xls etc via the port monitor command. How do I do this in a 4507R

Thanks for the response Rich.
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 500 total points
ID: 24794246
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/13ew/configuration/guide/span.html#wp1032145
monitor session 1 source interface fastethernet 1/1
monitor session 1 filter vlan 1
monitor session 1 destination interface fastethernet 6/48
It does look like a 4000 series supports RSPAN
http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml#support
And yes I meant by topping out your available BW, so if you have 500mb to/from a switch and you want to send that much traffic over an rspan, a 1Gb link will be murdered ;)
-rich
0
Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

 
LVL 1

Author Comment

by:WERAracer
ID: 24796984
thank you!

Question. We have vlans that obviously span several switches. If I just wanted to monitor VLAN 1 on our core switch, would this work:

monitor session 1 source vlan 1
monitor session 1 destination interface gig3/1

That would send ALL traffic in the default vlan to 3/1 (where my snort box is)?

Thanks
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 24799926
Yes I believe that will work, however I don't know the 4500 series that well, I've not seen those commands myself. Yes all traffic that your switch see's will be sent to that port. If the traffic exceeds 1gb, the traffic is dropped, sometimes queued and sent on, but if you rspan another switch the same way and that traffic exceeds your uplinks you'll have a lot of issues, and with that comes the re-transmission storm compounding the problem. I'm not sure of the RSPAN for that model, but it's probably in the cli help or tab completion.
-rich
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 24799948
To clarify, all traffic on vlan 1 that your core switch sees will be sent to the monitor port. If the BW of the monitor port is exceeded it will likely drop frames, won't cause problems but potentially makes the IDS miss packets. I personally like to have segregated sensors and span sessions. The switch doesn't work as hard, I can tell what section of the network traffic came/went, and I can split the load up onto another CPU on our Snort device as well for faster and more reliable processing.
-rich
0
 
LVL 1

Author Comment

by:WERAracer
ID: 24800305
thanks
0

Featured Post

Now Available: Firebox Cloud for AWS and FireboxV

Firebox Cloud brings the protection of WatchGuard’s leading Firebox UTM appliances to public cloud environments. It enables organizations to extend their security perimeter to protect business-critical assets in Amazon Web Services (AWS).

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
sftp vs SendThisFile 9 48
Rogue RDP Connections 5 56
Is attached iPhone screen an IOC 5 28
Check Spoof email 6 26
Most MSPs worth their salt are already offering cybersecurity to their customers. But cybersecurity as a service is wide encompassing and can mean many things.  So where are MSPs falling in this spectrum?
Do you know what to look for when considering cloud computing? Should you hire someone or try to do it yourself? I'll be covering these questions and looking at the best options for you and your business.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question