Monitoring is accomplished with
network sensors. Sensors have two interfaces: one monitoring interface, and one
command and control interface. The monitoring interface is used to capture all
traffic on the network segment to which it is connected. Sensors capture every
packet on that segment and, if configured to do so, reassemble fragmented
packets before matching signatures, because splitting an attack across fragments
so that no single packet carries a complete signature is a common IDS evasion
technique.
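The following Python script is an added example, not code from the original text or from Cisco, showing why reassembly matters. It uses a deliberately minimal stand-in for an IP fragment (identification, byte offset, more-fragments flag, payload) rather than a real IPv4 header parser; the HTTP request string and the signature `/cgi-bin/phf` are constructed for the illustration. A naive per-packet matcher never sees the signature because the 8-byte fragments split it, while the reassembling matcher finds it even when fragments arrive out of order, and it counts overlapping fragments as a separate event worth alarming on.

```python
# Added example (not part of the original text): why a sensor should reassemble
# IP fragments before matching signatures. The fragment format below is a
# minimal stand-in (identification, byte offset, more-fragments flag, payload),
# not a real IPv4 header parser; REQUEST and SIGNATURE are constructed inputs.
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical content signature; no single 8-byte fragment below contains it whole.
SIGNATURE = b"/cgi-bin/phf"

# Constructed sample request (36 bytes) that an attacker fragments on the way in.
REQUEST = b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n"


@dataclass(frozen=True)
class Fragment:
    ident: int      # IP identification shared by all fragments of one datagram
    offset: int     # byte offset of this piece within the original datagram
    more: bool      # "more fragments" flag; False on the final piece
    payload: bytes


def fragment(ident: int, data: bytes, size: int) -> List[Fragment]:
    """Split data into in-order fragments of at most `size` bytes."""
    frags = []
    for pos in range(0, len(data), size):
        chunk = data[pos:pos + size]
        frags.append(Fragment(ident, pos, pos + size < len(data), chunk))
    return frags


def scan_per_packet(frags: List[Fragment]) -> bool:
    """Naive sensor: look for the signature inside each fragment on its own."""
    return any(SIGNATURE in f.payload for f in frags)


class Reassembler:
    """Buffers fragments per identification value until a gapless datagram exists."""

    def __init__(self) -> None:
        self._pending: Dict[int, List[Fragment]] = {}
        self.overlaps = 0   # overlapping fragments seen; ambiguous reassembly is itself suspicious

    def add(self, frag: Fragment) -> Optional[bytes]:
        """Accept one fragment (any order); return the datagram once it is complete."""
        frags = self._pending.setdefault(frag.ident, [])
        frags.append(frag)
        frags.sort(key=lambda f: f.offset)
        if frags[-1].more:
            return None              # final fragment not seen yet
        expected = 0
        for f in frags:
            if f.offset > expected:
                return None          # hole: an earlier fragment is still missing
            if f.offset < expected:
                self.overlaps += 1   # overlap: data for the same bytes arrived twice
                return None
            expected += len(f.payload)
        del self._pending[frag.ident]
        return b"".join(f.payload for f in frags)


def scan_reassembled(frags: List[Fragment]) -> bool:
    """Reassembling sensor: match the signature against the rebuilt datagram."""
    reassembler = Reassembler()
    for f in frags:
        datagram = reassembler.add(f)
        if datagram is not None and SIGNATURE in datagram:
            return True
    return False


if __name__ == "__main__":
    attack = fragment(ident=0x1234, data=REQUEST, size=8)
    print("per-packet match:", scan_per_packet(attack))              # False
    print("reassembled match:", scan_reassembled(attack))            # True
    print("out-of-order match:", scan_reassembled(list(reversed(attack))))  # True
```

The reassembler deliberately refuses to complete a datagram whose fragments overlap: a real sensor has to choose a policy (first data wins, last data wins) that matches the target host's IP stack, and an attacker who knows the mismatch can make the sensor and the host see different bytes. Counting and alarming on overlaps is the cheap defence when the policy cannot be matched.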
The command and control interface is used to configure the sensor,
communicate with the director platform, and perform device management. When an
intrusion signature is matched, the sensor logs the event and notifies the
director through the command and control interface. Device management is the
term used for the sensor's capability to reconfigure Cisco routers, firewalls,
and switches to stop an intrusion in progress; it is discussed in more detail in
the section "IP Blocking."
Cisco currently has four different network sensors. Three of the
sensors are all members of the 4200 series; the fourth sensor is an integrated
switch module for the Catalyst 6500 series switch. Each of these four sensors
has been engineered and tuned for optimum performance.
Cisco 4200 Series Sensors
The 4200 series network sensors are stand-alone components
running their own operating system (OS) and are referred to as appliances. To protect the sensors, the host OS on the 4200
series sensors should be secured and patched, and any unneeded services should
be removed. The three network sensor appliances belonging to the 4200 series are
the following:
- 4210
- 4235 (replaces the 4230)
- 4250
The model 4210 is the entry-level network sensor, capable of
monitoring up to 45Mbps of network traffic. The back panel of the 4210 is
illustrated in Figure 24-1. The 4210 has a console port on the front panel,
much like the 2600 and 3600 series routers, but some Cisco documentation shows
the COM port on the rear panel labeled as the console port.
For an Ethernet network configuration:
Some of the features of the 4210 include the following:
The model 4235 replaces the model 4230 and is the mid-level network
sensor, capable of monitoring up to 200Mbps of traffic. The back panel of the
4235 is illustrated in Figure 24-2. For an Ethernet network configuration:
Some of the features of the 4235 include the following:
The model 4250 is Cisco's latest addition to the 4200 series and
offers the highest level of network performance, monitoring and analyzing up to
500Mbps. The back panels of the 4250 and the 4235 are identical and are
illustrated in Figure 24-2. For an Ethernet network configuration:
- Command and Control interface: e1000g1
- Sniffing interface (copper, next to C&C): e1000g0 (IDS-4250-TX)
- Sniffing interface (fiber, PCI add-on card): e1000g3 (IDS-4250-SX)
The features of the 4250 include the following:
The Cisco 4230 sensor is now end of life (EOL) and has been
replaced by the 4235. For exam purposes, Figure 24-3 illustrates the
rear panel of its 4U chassis.
STUDY TIP: You should be familiar with the network interfaces
(monitoring, and command and control) and the console port location for
each model of the 4200 series network sensor appliances.
Table 24-1 compares the features for each member of
the 4200 series network sensors.
Table 24-1: Comparison of 4200 Series Network Sensors

| Feature                 | Cisco IDS Sensor 4210 | Cisco IDS Sensor 4235 | Cisco IDS Sensor 4250                     |
| Performance             | 45Mbps                | 200Mbps               | 500Mbps                                   |
| Network Interface       | 10/100Base-T          | 10/100/1000Base-TX    | 10/100/1000Base-TX or 1000Base-SX (fiber) |
| Performance Upgradeable | No                    | No                    | Yes                                       |
Catalyst 6000 Intrusion Detection System Module
(IDSM)
The Cisco IDSM was designed to allow the inclusion of IDS
into enterprise networks by integrating IDS functionality directly into the
switching fabric. The IDSM is a passive monitoring module that inspects copies
of packets and isn’t in the switch-forwarding path. Because the module isn’t in
the switch-forwarding path, the IDS module doesn’t impact switch performance.
The IDSM is a blade module that can be inserted into any available slot on any
6000 series Catalyst switch, as shown in Figure 24-4.
The IDSM monitors and analyzes traffic just as the 4200 series
network appliances do. If an intrusion is detected, an alarm is generated and
sent to the director platform. The IDS module captures packets directly off the
Catalyst's backplane. Two methods can be used to direct copies of packets from
the backplane to the IDS module: SPAN and VLAN ACLs.
Spanning is a feature that allows the switch administrator to configure a port
as a SPAN (Switched Port Analyzer) port. The term "SPAN" isn't related to the
Spanning Tree protocol. The switch can be configured to copy all packets sent
to or from a particular port or VLAN to the SPAN port.
VLAN ACLs allow the IDSM to monitor traffic based on more granular
criteria, such as specific IP addresses or network services: only packets that
match an ACL entry marked for capture are copied to the module, so the
monitoring load can be narrowed to the hosts and services of interest. The
monitoring is passive and inspects only copies of the packets, not the original
packets, allowing real-time monitoring without affecting switch performance. The
features of the IDSM include the following:
The IDSM can also use the same director platform as the 4200
series network sensors. One director or management platform can be used to
monitor and configure both 4200 series network appliances and one or more
IDSMs.
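A worked switch-side configuration for the two capture methods described above, added here as an example rather than taken from the original text or from Cisco's own documentation. It uses CatOS syntax on the Catalyst supervisor; the module slot (5), the monitored VLAN (10), the ACL name (IDS_CAPTURE), the host address 192.0.2.10 and the assumption that the IDSM's monitoring port is port 1 of the module are all illustrative, so check them against your own chassis with the show commands listed. Lines beginning with ! are annotations, not commands, and the two methods are alternatives, not meant to be applied together to the same module.

```text
! --- Method 1: SPAN ---
! Copy every packet entering or leaving VLAN 10 to the IDSM monitoring port (assumed 5/1).
set span 10 5/1 both
! Verify the session and its destination port.
show span

! --- Method 2: VLAN ACL (VACL) capture ---
! Only packets matching an entry marked "capture" are copied to the capture port.
! The final "permit ip any any" is required: a security ACL ends in an implicit
! deny, so without it the rest of the VLAN's traffic would be dropped, not merely
! left uncopied.
set security acl ip IDS_CAPTURE permit tcp any host 192.0.2.10 eq 80 capture
set security acl ip IDS_CAPTURE permit tcp any any eq 25 capture
set security acl ip IDS_CAPTURE permit ip any any
commit security acl IDS_CAPTURE
set security acl map IDS_CAPTURE 10
set security acl capture-ports 5/1
! Verify the committed entries, the VLAN mapping and the capture port.
show security acl info IDS_CAPTURE
show security acl map IDS_CAPTURE
show security acl capture-ports
```

Two practical checks follow from this. First, a SPAN session on a busy VLAN copies both directions of every port's traffic into a single monitoring port, so the copy stream can exceed the module's inspection rate (or a 4200 appliance's rated throughput in Table 24-1) and the sensor silently misses packets; the VACL method exists partly to avoid this by copying only what the ACL selects. Second, a VACL entry without the "capture" keyword still forwards matching traffic normally, so a missing keyword produces a working network and a blind sensor; compare the output of show security acl info against what you intended to capture.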