Capturing Network Traffic


Your IPS sensors can process only traffic that they receive on one of their interfaces. In-line processing mode uses pairs of sensor interfaces (or pairs of logical interfaces on a single physical interface), whereas promiscuous mode requires only a single sensor interface. The following methods of traffic capture are examined in detail in the next sections:

  • Capturing traffic for in-line mode

  • Capturing traffic for promiscuous mode

Capturing Traffic for In-line Mode

Running a sensor in in-line mode requires that you use a pair of sensor interfaces to bridge the traffic between two separate VLANs (or multiple VLANs when using a trunk). You can also use the sensor to pass traffic within a single VLAN. In this configuration, only traffic passing through the sensor is inspected. A common situation where this configuration is deployed is when you place the IPS sensor between the router and the systems on a specified VLAN. To reach external systems, the internal systems send their traffic through the router. Therefore, external traffic to and from the internal systems must pass through the sensor and be inspected. In this configuration, however, traffic between two internal systems is not inspected by the sensor (because that traffic does not pass through the sensor).

A basic in-line configuration is shown in Figure 8-1. The interface from each router is connected to a different sensor interface. The only way for traffic to pass from one router to the other is if the IPS sensor allows the traffic to pass by taking the traffic it receives on one of its interfaces and bridging it to the other interface.

Figure 8-1. Basic In-line Configuration


Bridge

When you bridge traffic, it means that Ethernet traffic (link layer) passes between two interfaces that are each on a specific virtual local-area network (VLAN). Usually, the VLANs are the same, but when establishing an artificial VLAN boundary, the VLANs can be different.


Some typical locations for deploying in-line IPS include the following:

  • Between two routers

  • Between a firewall and a router

  • Between a switch and a router

  • Between a switch and a firewall

  • Between two switches

You can easily deploy in-line IPS between any two physical interfaces. However, the configuration becomes more difficult with devices such as switches in which the router is integrated into the switch's backplane via virtual interfaces (it does not have physical interfaces). The same situation arises with line cards such as the Cisco IDSM-2, which are also directly connected to the switch's backplane and do not have physical interfaces.

When you deal with devices that are connected to your switch via virtual ports (such as the Multi Switch Feature Card [MSFC] and IDSM-2), you must artificially create a VLAN boundary at which you can deploy your in-line IPS sensor.

Assume that you want to place in-line IPS between the user systems on VLAN 1020 and the Internet (see Figure 8-2).

Figure 8-2. Simple Network Configuration


Initially, traffic goes from systems on VLAN 1020 directly to the VLAN 1020 interface on the switch, which allows the MSFC to route the traffic to the Internet. You cannot connect the sensor's interface directly to the MSFC because it has only virtual ports. If, however, you place the MSFC on another VLAN (for example, VLAN 1030) and use the sensor to bridge traffic between VLAN 1020 and VLAN 1030, you create an artificial VLAN boundary (see Figure 8-3).

Figure 8-3. Artificial VLAN Boundary Configuration


After you create the artificial VLAN boundary, the systems on VLAN 1020 can no longer communicate with the MSFC (because the VLAN 1020 interface on the MSFC is shut down). Now, the systems must rely on the sensor to bridge the traffic (destined to the Internet) to VLAN 1030. After the traffic reaches VLAN 1030, the MSFC can route the traffic to the Internet (refer to Figure 8-3). The same situation also applies to traffic coming from the Internet to systems on VLAN 1020.
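The artificial VLAN boundary of Figure 8-3, written out as switch-side Cisco IOS configuration. This is an added example, not configuration from the book; the MSFC SVI names, the 192.0.2.1 gateway address, and the sensor port numbers (GigabitEthernet5/1 and 5/2) are assumptions, and the sensor's own in-line pair configuration is not shown.

```cisco
! Before: hosts on VLAN 1020 reached the MSFC on interface Vlan1020.
! After: Vlan1020 is shut down, the gateway address moves to Vlan1030,
! and the only path between the two VLANs is the sensor's in-line pair.
vlan 1030
 name IPS-MSFC-SIDE
!
interface Vlan1020
 ! Hosts on VLAN 1020 can no longer reach the MSFC directly.
 shutdown
!
interface Vlan1030
 ! Assumed: the same gateway address the hosts were already using.
 ip address 192.0.2.1 255.255.255.0
 no shutdown
!
! Sensor in-line pair: one access port per VLAN, no trunking required.
interface GigabitEthernet5/1
 description IPS in-line, host side (VLAN 1020)
 switchport
 switchport mode access
 switchport access vlan 1020
!
interface GigabitEthernet5/2
 description IPS in-line, MSFC side (VLAN 1030)
 switchport
 switchport mode access
 switchport access vlan 1030
```

Hosts keep their existing gateway address; only the VLAN on which that address lives changes. Traffic between two hosts on VLAN 1020 still never crosses the sensor, as the chapter notes.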

Capturing Traffic for Promiscuous Mode

At the network level, your Cisco IPS sensors are the eyes of your IPS. However, to detect intrusive activity, sensors running in promiscuous mode must be able to view the traffic that traverses your network. Each sensor operating in promiscuous mode examines only the network traffic that reaches its monitoring interfaces. Unless the monitoring interface is plugged into a hub, your IPS sensor observes only broadcast traffic by default. Therefore, you usually must configure your infrastructure devices to pass specified network traffic to your sensor's monitoring interface. Typical traffic capture devices that you use to pass traffic to your IPS sensors include the following:

  • Hubs

  • Network taps

  • Switches

Note

Promiscuous interfaces on your IPS sensors do not usually have an IP address associated with them. Therefore, these interfaces are essentially invisible on the network (especially from a Layer 3 or IP perspective).


Besides identifying the infrastructure devices that you can use to pass network traffic to your sensors, this section also examines the following three mechanisms that you can use to configure Cisco switches to mirror traffic to your sensor's promiscuous interface:

  • Switch Port Analyzer (SPAN)

  • Remote Switch Port Analyzer (RSPAN)

  • VLAN Access Control List (VACL)

Mirror Traffic

To mirror traffic means to take a copy of the network traffic going to a device, switch port, or VLAN and send a copy of that network traffic to another port or VLAN. Copying the traffic does not do anything to the original traffic. The mirrored traffic provides a stream of traffic that can be analyzed by your security systems.


Traffic Capture Devices

To detect intrusive activity, your sensors that run in promiscuous mode must be able to view the traffic that traverses your network. Your sensor's monitoring interface is directly connected to an infrastructure device that mirrors specified network traffic to your sensor for analysis. You can use the following three link-layer network devices to pass traffic to your sensors:

  • Hubs

  • Network taps

  • Switches

A hub is a simple link-layer device. Whenever a device connected to the hub generates network packets, the hub passes that traffic to all the other ports on the hub. Figure 8-4 shows that when Host A sends traffic to Host C, all the other devices connected to the hub also receive a copy of the traffic. The other devices connected to the hub simply ignore the traffic that does not match their Ethernet MAC address.

Figure 8-4. Hub Traffic Flow


Ethernet MAC Address

Just as you can send traffic to a host based on its IP address at the IP layer (network layer), each host also has an address at the link layer known as the Ethernet MAC address. This address is a 12-byte value that indicates the link-layer address that other devices on the same network segment use to send traffic to it. Your network card has a default Ethernet address that the manufacturer assigns, although most systems allow you to change its value.


If the network segment that you want to monitor with your Cisco IPS sensor uses a hub, your sensor can connect one of its monitoring interfaces into a port on the hub to access the network traffic. Unlike other devices that ignore the traffic that does not match their Ethernet MAC address, your sensor puts its interface in promiscuous mode so that it accepts all packets that its network interface card receives.

Sometimes, you need to monitor a network segment between two infrastructure devices that are connected without an intervening switch or hub. In this situation, you can use a network tap to capture the traffic traversing the segment (running the sensor in in-line mode is the other option). A network tap is a device that enables you to split a full-duplex connection into two separate traffic flows (each flow representing the traffic originating from one of the two devices). The separate traffic flows can then be redirected to an aggregation switch and eventually to your sensor. Some network taps even eliminate the aggregation switch completely, enabling you to connect the network tap directly to your sensor.

Aggregation Switch

You use an aggregation switch to combine the multiple traffic flows and pass the traffic to your sensor. When aggregating flows through the switch, however, you must be careful not to exceed the capacity of your sensor. For example, if your sensor is an IPS 4215 appliance sensor, aggregating two 100-Mbps traffic flows can exceed the sensor's capabilities because it is not rated at 200 Mbps (the maximum capacity of the combined two flows).


Figure 8-5 shows a situation in which you want to monitor the network traffic traversing between a Cisco router and a PIX firewall. Initially, these devices are connected to each other directly. To enable you to monitor this traffic, you can install a network tap between these devices (or use in-line mode). The network tap then continues to pass the traffic between the router and the firewall, but also sends a copy of this traffic (via the two specific flows) to your aggregation switch.

Figure 8-5. Network Tap Traffic Flow


Probably the most common link-layer device on your network is a switch. Unlike a hub, a switch is selective about the ports to which it passes network traffic. The switch maintains a content-addressable memory (CAM) table that maps each Ethernet MAC address to the port on which traffic from that address was observed. When the switch receives traffic for an Ethernet MAC address that is not in its CAM table, it floods the packet out all the ports (on the same VLAN), similar to a hub. But after the destination host replies, the CAM table is updated. Now when Host A sends traffic to Host C (see Figure 8-6), the traffic is sent only to Host C (instead of every device connected to the switch). In this scenario, your IPS sensor cannot monitor your network for intrusive activity because the monitoring interface on your sensor does not receive all the traffic traversing your network.

Figure 8-6. Switch Traffic Flow


To overcome this problem, you need to configure your switch to mirror specific network traffic to your IPS sensor using a switch capture mechanism. The next section explains the common switch capture mechanisms available on most Cisco switches.

Cisco Switch Capture Mechanisms

With Cisco switches, you can use the following three features to enable your switch to mirror traffic to your IPS sensor's monitoring interface:

  • SPAN

  • RSPAN

  • VACL

Note

Not all the switch traffic capture features are available on every Cisco switch platform, although all Cisco switches support some form of the SPAN feature. Also, you can use the mls ip ids command when you have enabled certain Cisco IOS firewall features to mirror traffic instead of using VACLs.


The SPAN feature enables you to select traffic for analysis by a network analyzer. People refer to SPAN ports by various names, such as port mirroring or port monitoring. Regardless of the name used, the SPAN feature enables you to cause your Cisco switch to pass selected traffic to your IPS sensor's monitoring interface for analysis.

Network Analyzer

A network analyzer is a device that examines network traffic and provides you with statistics or information about your network traffic. Many network analyzers identify the different types of traffic and their frequency on your network. Using these statistics, you can tune your network to optimize its performance. Your IPS sensor also analyzes the traffic on your network when it watches for intrusive activity.


Sometimes, you want to capture traffic from ports that are located on multiple switches. To accomplish this, you can use the RSPAN feature that is available on certain Cisco switches.

RSPAN allows you to monitor source ports spread all over your switched network. This functionality works similarly to normal SPAN functionality, except that instead of traffic being mirrored to a specific destination port, the monitored traffic is flooded to a special RSPAN VLAN (see Figure 8-7). The destination port(s) can then be located on any switch that has access to this RSPAN VLAN.

Figure 8-7. Remote SPAN Traffic Flow


If you configure RSPAN to monitor traffic sent by Host A (see Figure 8-7), whenever Host A generates a packet to Host B, a copy of the packet is passed by an application-specific integrated circuit (ASIC) of the Catalyst 6000 Policy Feature Card (PFC) into the predefined RSPAN VLAN. From there, the packet is flooded to all the ports belonging to the RSPAN VLAN. All the Inter-Switch Links shown in Figure 8-7 are trunks. RSPAN uses these trunks to support the traversal of the RSPAN VLAN traffic. The only access points to the RSPAN-captured traffic are the defined destination ports (where you would locate your IPS sensors).

Note

The RSPAN feature is not available on all Cisco switches. Usually, RSPAN is available only on the higher end switches, such as the Catalyst 4000 and 6500. You also need to have a fairly new OS version. Refer to the online Cisco documentation to determine if your switch supports this feature.


VACLs control access for all packets on your Catalyst 6500 switch through the PFC. VACLs are strictly for security packet filtering and for redirecting traffic to specific physical switch ports based on the traffic's source or destination VLAN. Unlike IOS ACLs, VACLs are not defined by the direction of the traffic (inbound or outbound).

VACLs are mainly provided to filter traffic on the switch. The capture keyword enables you to use a VACL to mirror matched traffic to a designated capture port. This capture option specifies that packets matching the specified flows are switched normally and are also captured and transmitted to the configured capture port. Only permitted traffic is sent to the capture port. VACLs let you specify with fine granularity which traffic you want to capture (based on VLAN, IP addresses, and ports). You can use VACLs to capture traffic for both IPS modules (blade-based sensors) and appliance sensors.

Flows

A flow comprises a traffic stream between a source and destination IP address; a source port and destination port; or a combination of source IP address and source port in conjunction with a destination IP address and destination port. Your VACLs essentially define the flows that represent the traffic on which you want your sensor to perform intrusion detection analysis. Furthermore, your MSFC uses flows to effectively send packets between different VLANs by crossing the switch's backplane only once.
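The three switch capture mechanisms described above (SPAN, RSPAN, and VACL capture), each as a Cisco IOS configuration fragment that mirrors traffic to a sensor's promiscuous interface. This is an added example, not configuration from the book; the interface numbers, the RSPAN VLAN id 900, the flows chosen in the IPS-FLOWS access list, and the Catalyst 6500 syntax for the VACL capture port are assumptions.

```cisco
! 1. Local SPAN: copy both directions of Gi1/1 to the sensor on Gi1/24.
monitor session 1 source interface GigabitEthernet1/1 both
monitor session 1 destination interface GigabitEthernet1/24
!
! 2. RSPAN: source port on switch A, sensor on switch B. VLAN 900 is an
!    assumed, otherwise unused VLAN; the inter-switch link must be a trunk
!    that carries it.
! -- on both switches --
vlan 900
 name RSPAN-IPS
 remote-span
! -- switch A (source side) --
monitor session 2 source interface GigabitEthernet1/1 both
monitor session 2 destination remote vlan 900
! -- switch B (destination side, sensor on Gi2/1) --
monitor session 3 source remote vlan 900
monitor session 3 destination interface GigabitEthernet2/1
!
! 3. VACL capture (Catalyst 6500): only flows the ACL permits are copied to
!    the capture port. Flows are defined by IP addresses and ports, as in
!    the Flows sidebar; here the assumed selection is web and DNS traffic.
ip access-list extended IPS-FLOWS
 permit tcp any any eq 80
 permit tcp any any eq 443
 permit udp any any eq 53
!
vlan access-map IPS-CAPTURE 10
 match ip address IPS-FLOWS
 action forward capture
! A VACL ends in an implicit deny. Without this catch-all entry, every
! packet on VLAN 1020 that is not captured would be dropped.
vlan access-map IPS-CAPTURE 20
 action forward
vlan filter IPS-CAPTURE vlan-list 1020
!
! The sensor's promiscuous interface is the capture port for VLAN 1020.
interface GigabitEthernet5/3
 switchport
 switchport capture
 switchport capture allowed vlan 1020
```

Checking the destination port with show monitor session (SPAN/RSPAN) or show vlan access-map (VACL) confirms what the switch is actually mirroring before you trust the sensor's view of the network.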


Intrusion Prevention Fundamentals
ISBN: 1587052393