Your IPS sensors can process only traffic that they receive on one of their interfaces. In-line processing mode uses pairs of sensor interfaces (or pairs of logical interfaces on a single physical interface), whereas promiscuous mode requires only a single sensor interface. The following methods of traffic capture are examined in detail in the next sections:
Capturing Traffic for In-line Mode

Running a sensor in in-line mode requires that you use a pair of sensor interfaces to bridge the traffic between two separate VLANs (or between several VLAN pairs when the interfaces carry a trunk). You can also use the sensor to bridge two physical segments of the same VLAN. In either configuration, only traffic passing through the sensor is inspected. A common deployment is to place the IPS sensor between the router and the systems on a specified VLAN. To reach external systems, the internal systems send their traffic through the router; therefore, external traffic to and from the internal systems must pass through the sensor and be inspected. Traffic between two internal systems on that VLAN, however, is not inspected, because it never passes through the sensor. A basic in-line configuration is shown in Figure 8-1. The interface from each router is connected to a different sensor interface. The only way for traffic to pass from one router to the other is for the IPS sensor to allow it, by taking the traffic it receives on one of its interfaces and bridging it to the other interface.

Figure 8-1. Basic In-line Configuration
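As an added example (not part of the original text), the following shows the sensor-side configuration for an in-line interface pair like the one in Figure 8-1, followed by the switch-side change needed when that same pair is used to bridge two VLANs on a single Catalyst 6500 (the artificial VLAN boundary described later in this section). The sensor commands follow the Cisco IPS 5.x/6.x CLI; confirm the exact syntax against your sensor's release. Interface names, the pair name RTR-PAIR, VLANs 1020/1030, and the address 10.20.0.1/24 are assumptions chosen for the example.

```cisco
! --- Sensor side (Cisco IPS 5.x/6.x CLI; interface names assumed) ---
! Pair two physical interfaces so that frames arriving on one are
! inspected and then bridged out the other. Nothing else forwards
! between them, so a packet the sensor denies never reaches the far side.
sensor# configure terminal
sensor(config)# service interface
sensor(config-int)# physical-interfaces GigabitEthernet0/0
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# exit
sensor(config-int)# physical-interfaces GigabitEthernet0/1
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# exit
sensor(config-int)# inline-interfaces RTR-PAIR
sensor(config-int-inl)# interface1 GigabitEthernet0/0
sensor(config-int-inl)# interface2 GigabitEthernet0/1
sensor(config-int-inl)# description Router-A to Router-B (Figure 8-1)
sensor(config-int-inl)# exit
sensor(config-int)# exit
Apply Changes:?[yes]: yes
! The pair is not inspected until it is assigned to a virtual sensor
sensor(config)# service analysis-engine
sensor(config-ana)# virtual-sensor vs0
sensor(config-ana-vir)# logical-interface RTR-PAIR
sensor(config-ana-vir)# exit
sensor(config-ana)# exit
Apply Changes:?[yes]: yes
sensor(config)# exit
sensor# show interfaces
! Both members should now be listed as part of inline pair RTR-PAIR

! --- Switch side when the pair bridges VLAN 1020 to VLAN 1030 ---
! (Catalyst 6500 running Cisco IOS; ports and address assumed)
vlan 1030
 name MSFC-side-of-IPS
!
interface Vlan1020
 shutdown                              ! users can no longer reach the MSFC directly
!
interface Vlan1030
 ip address 10.20.0.1 255.255.255.0    ! gateway address moved here from Vlan1020
 no shutdown
!
interface GigabitEthernet3/1
 description IPS inline pair, user side (sensor Gi0/0)
 switchport
 switchport mode access
 switchport access vlan 1020
!
interface GigabitEthernet3/2
 description IPS inline pair, MSFC side (sensor Gi0/1)
 switchport
 switchport mode access
 switchport access vlan 1030
```

Because the gateway address moves with the SVI from VLAN 1020 to VLAN 1030, the user systems keep their existing default gateway; their ARP requests for 10.20.0.1 are bridged by the sensor into VLAN 1030, where the MSFC answers. Check the result from a VLAN 1020 host with a traceroute to the Internet and from the sensor with show interfaces: if the pair shows no traffic, the SVI shutdown has simply cut the users off rather than forced them through the sensor.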
Some typical locations for deploying in-line IPS include the following:
You can easily deploy in-line IPS between any two physical interfaces. However, the configuration becomes more difficult with devices such as switches in which the router is integrated into the switch's backplane via virtual interfaces (it has no physical interfaces). The same situation arises with line cards such as the Cisco IDSM-2, which are also connected directly to the switch's backplane and have no physical interfaces. When you deal with devices that are connected to your switch via virtual ports (such as the Multilayer Switch Feature Card [MSFC] and the IDSM-2), you must artificially create a VLAN boundary at which you can deploy your in-line IPS sensor. Assume that you want to place in-line IPS between the user systems on VLAN 1020 and the Internet (see Figure 8-2).

Figure 8-2. Simple Network Configuration

Initially, traffic goes from systems on VLAN 1020 directly to the VLAN 1020 interface on the switch, which allows the MSFC to route the traffic to the Internet. You cannot connect the sensor's interface directly to the MSFC, because it has only virtual ports. However, if you move the MSFC's interface onto another VLAN (for example, VLAN 1030) and use the sensor to bridge traffic from VLAN 1020 to VLAN 1030, you create an artificial VLAN boundary (see Figure 8-3).

Figure 8-3. Artificial VLAN Boundary Configuration

After you create the artificial VLAN boundary, the systems on VLAN 1020 can no longer communicate with the MSFC directly (because the VLAN 1020 interface on the MSFC is shut down). Now the systems must rely on the sensor to bridge their Internet-bound traffic to VLAN 1030. After the traffic reaches VLAN 1030, the MSFC can route it to the Internet (refer to Figure 8-3). The same applies in reverse to traffic coming from the Internet to systems on VLAN 1020.

Capturing Traffic for Promiscuous Mode

At the network level, your Cisco IPS sensors are the eyes of your IPS.
However, to detect intrusive activity, sensors running in promiscuous mode must be able to view the traffic that traverses your network. Through its monitoring interfaces, each sensor operating in promiscuous mode examines only the network traffic that actually reaches it. Unless the monitoring interface is plugged into a hub, a sensor interface on a switch port sees by default only the broadcast, multicast, and flooded unknown-unicast frames on its VLAN. Therefore, you usually must configure your infrastructure devices to pass the network traffic you care about to your sensor's monitoring interface. Typical traffic capture devices that you use to pass traffic to your IPS sensors include the following:
Note Promiscuous interfaces on your IPS sensors do not usually have an IP address associated with them. Therefore, these interfaces are essentially invisible on the network (especially from a Layer 3 or IP perspective). Besides identifying the infrastructure devices that you can use to pass network traffic to your sensors, this section also examines the following three mechanisms that you can use to configure Cisco switches to mirror traffic to your sensor's promiscuous interface:
Traffic Capture Devices

To detect intrusive activity, your sensors that run in promiscuous mode must be able to view the traffic that traverses your network. Your sensor's monitoring interface is directly connected to an infrastructure device that mirrors specified network traffic to your sensor for analysis. You can use the following three link-layer network devices to pass traffic to your sensors:
A hub is a simple link-layer device. Whenever a device connected to the hub sends a frame, the hub repeats it out all of its other ports. Figure 8-4 shows that when Host A sends traffic to Host C, every other device connected to the hub also receives a copy. Those other devices simply discard frames whose destination does not match their own Ethernet MAC address.

Figure 8-4. Hub Traffic Flow
If the network segment that you want to monitor with your Cisco IPS sensor uses a hub, you can connect one of the sensor's monitoring interfaces to a port on the hub to access the network traffic. Unlike other devices, which ignore traffic that does not match their Ethernet MAC address, your sensor puts its interface into promiscuous mode so that it accepts every packet its network interface card receives. Sometimes, you need to monitor a network segment between two infrastructure devices that are connected without an intervening switch or hub. In this situation, you can use a network tap to capture the traffic traversing the segment (or deploy the sensor there in in-line mode). A network tap is a device that splits a full-duplex connection into two separate traffic flows (each flow representing the traffic originating from one of the two devices). The separate flows can then be sent to an aggregation switch and from there to your sensor. Some network taps eliminate the aggregation switch entirely, enabling you to connect the tap directly to your sensor. Keep in mind that a tap, like a SPAN port, delivers only a copy of the traffic: a sensor fed by a tap can detect and alert, but it cannot drop packets the way an in-line sensor can.
Figure 8-5 shows a situation in which you want to monitor the network traffic passing between a Cisco router and a PIX firewall. Initially, these devices are connected to each other directly. To monitor this traffic, you can install a network tap between the devices (or use in-line mode). The network tap continues to pass the traffic between the router and the firewall, but also sends a copy of this traffic (as the two separate flows) to your aggregation switch.

Figure 8-5. Network Tap Traffic Flow

Probably the most common link-layer device on your network is a switch. Unlike a hub, a switch is selective about which ports it forwards network traffic to. The switch maintains a content-addressable memory (CAM) table that maps each Ethernet MAC address to the port on which a frame from that address was last seen. When the switch receives traffic for an Ethernet MAC address that is not in its CAM table, it floods the packet out all the ports on the same VLAN, much like a hub. But once the destination host replies, the switch learns that host's MAC address from the reply and updates the CAM table. Now when Host A sends traffic to Host C (see Figure 8-6), the traffic is sent only to Host C's port (instead of to every device connected to the switch). In this scenario, your IPS sensor cannot monitor your network for intrusive activity, because the monitoring interface on your sensor no longer receives the unicast traffic crossing the switch.

Figure 8-6. Switch Traffic Flow

To overcome this problem, you need to configure your switch to mirror specific network traffic to your IPS sensor using a switch capture mechanism. The next section explains the common switch capture mechanisms available on most Cisco switches.

Cisco Switch Capture Mechanisms

With Cisco switches, you can use the following three features to enable your switch to mirror traffic to your IPS sensor's monitoring interface:
Note Not all the switch traffic capture features are available on every Cisco switch platform, although all Cisco switches support some form of the SPAN feature. Also, when certain Cisco IOS Firewall features are enabled on the switch, you can use the mls ip ids command to select traffic for the sensor instead of using a VACL.

The SPAN feature enables you to select traffic for analysis by a network analyzer. People refer to SPAN ports by various names, such as port mirroring or port monitoring. Regardless of the name used, the SPAN feature lets your Cisco switch pass selected traffic to your IPS sensor's monitoring interface for analysis.
Sometimes, you want to capture traffic from ports that are located on multiple switches. To accomplish this, you can use the RSPAN feature that is available on certain Cisco switches. RSPAN allows you to monitor source ports spread across your switched network. It works like normal SPAN, except that instead of the traffic being mirrored to a specific destination port, the monitored traffic is flooded into a special RSPAN VLAN (see Figure 8-7). The destination port(s) can then be located on any switch that carries this RSPAN VLAN.

Figure 8-7. Remote SPAN Traffic Flow

If you configure RSPAN to monitor traffic sent by Host A (see Figure 8-7), whenever Host A generates a packet to Host B, a copy of the packet is placed by an application-specific integrated circuit (ASIC) on the Catalyst 6000 Policy Feature Card (PFC) into the predefined RSPAN VLAN. From there, the packet is flooded to all the ports belonging to the RSPAN VLAN. All the Inter-Switch Links shown in Figure 8-7 are trunks; RSPAN relies on these trunks to carry the RSPAN VLAN between switches, so the RSPAN VLAN must be allowed on each of them. The only access points to the RSPAN-captured traffic are the defined destination ports (where you would locate your IPS sensors).

Note The RSPAN feature is not available on all Cisco switches. Usually, RSPAN is available only on higher-end switches, such as the Catalyst 4000 and 6500, and only on fairly recent OS versions. Refer to the online Cisco documentation to determine whether your switch supports this feature.

VACLs control access for all packets that cross your Catalyst 6500 switch through the PFC. VACLs are strictly for security packet filtering and for redirecting traffic to specific physical switch ports, and they are applied to traffic based on its source or destination VLAN. Unlike IOS ACLs, VACLs are not defined by the direction of the traffic (inbound or outbound); they are mainly provided to filter traffic on the switch.
The capture keyword enables you to use a VACL to mirror matched traffic to a designated capture port. With this option, packets that match the specified flows are switched normally and, in addition, a copy is transmitted to the configured capture port. Only permitted traffic is sent to the capture port. VACLs give you fine-grained control over which traffic you capture (based on VLAN, IP addresses, and ports). You can use VACLs to capture traffic for both IPS modules (blade-based sensors) and appliance sensors.
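As an added example (not from the original text), the following Cisco IOS configuration fragments show the three capture mechanisms just described, in the order SPAN, RSPAN, and VACL capture, as they would be entered on a Catalyst 6500 (the VACL capture syntax is specific to that platform). Port numbers, VLAN 1020 as the monitored VLAN, VLAN 900 as the RSPAN VLAN, and the access-list and access-map names are assumptions chosen for the example; the sensor's promiscuous interface is the capture or destination port in each case and, as noted above, carries no IP address.

```cisco
! --- 1. Local SPAN: mirror one port (or a VLAN) to the sensor port ---
monitor session 1 source interface GigabitEthernet1/1 both
monitor session 1 destination interface GigabitEthernet1/24
! Alternative source: every port in VLAN 1020 instead of a single port
! monitor session 1 source vlan 1020 both
! Verify: show monitor session 1

! --- 2. Remote SPAN: source and sensor on different switches ---
! Source switch: flood the mirrored frames into RSPAN VLAN 900
vlan 900
 name RSPAN-to-IPS
 remote-span
!
monitor session 1 source interface GigabitEthernet1/1 both
monitor session 1 destination remote vlan 900
!
! Destination switch: VLAN 900 must exist here too (remote-span) and be
! allowed on the trunk between the switches; then pull it out to the sensor
vlan 900
 name RSPAN-to-IPS
 remote-span
!
monitor session 2 source remote vlan 900
monitor session 2 destination interface GigabitEthernet2/24
! Verify the trunk carries it: show interfaces trunk

! --- 3. VACL capture: copy only selected flows on VLAN 1020 ---
! Matching packets are forwarded normally AND copied to the capture port.
ip access-list extended WEB-AND-DNS
 permit tcp any any eq 80
 permit tcp any eq 80 any
 permit udp any any eq 53
 permit udp any eq 53 any
!
vlan access-map IPS-CAPTURE 10
 match ip address WEB-AND-DNS
 action forward capture
vlan access-map IPS-CAPTURE 20
 action forward              ! without this, unmatched traffic hits the implicit deny
!
vlan filter IPS-CAPTURE vlan-list 1020
!
interface GigabitEthernet1/24
 description IPS promiscuous interface (capture port)
 switchport
 switchport capture allowed vlan 1020
 switchport capture
! Verify: show vlan access-map IPS-CAPTURE ; show vlan filter
```

Two points worth checking before trusting the feed: the second access-map sequence with a bare action forward is what keeps non-captured traffic flowing, since a VACL ends in an implicit deny, so leaving it out turns a capture filter into an outage; and a switch port can serve as either a SPAN destination or a VACL capture port, not both, so pick one mechanism per sensor interface.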