IDS Placement

Marcin Zgola
Level 4

I need to place an IDS box on the client's network. The solution proposed to me by the client is to place a 4215 IDS box with two monitoring interfaces, one behind and one in front of the PIX firewall. My question is what I should use as a break-up device. Should I just place two hubs and break this connection, or can I just get the switch set up with two VLANs and two monitoring interfaces? Anyway, what would be the best solution for the above scenario?

CCIE 18676

nkhawaja
Cisco Employee

Better to use a switch, if it is capable of running two monitoring sessions. With a hub you will only have a half-duplex setting.

Do you know what kind of switch will have the ability to run two monitoring sessions?

And also, I know that with the switches there are different setups for rx and tx, because you don't want the IDS to receive the same packets twice.

CCIE 18676

First off, I have to make a few assumptions in order to answer your question.

Assumption #1 – Your client wants to monitor traffic on both sides of a PIX firewall using the same IDS sensor with an IDS-4FE-INT card installed.

Assumption #2 – You need to know the best method to feed the data from either side of the firewall to individual interfaces on the sensor.

Assumption #3 – You are considering two options for copying off the traffic on each side, the solutions being either a hub or a switch.

Using an IDS-4215 with an IDS-4FE-INT, you’ll have no problem feeding two sides off the firewall to the sensor. You mention not wanting to collect duplicate packets, but if you’re monitoring both sides of a firewall, this is a counterproductive position to take, IMHO.

Normally, when you monitor both sides of a firewall, no matter what type, the intent is to use Network IDS to detect attacks or network misuse on one side and confirm that the firewall prevented the problem on the other side. If the "same packets" are received by both sensors (or in your case, two monitoring NICs on the same sensor), it means the firewall let the traffic pass. If the IDS monitoring the line detects traffic that is in some way undesirable, it is a good thing. Furthermore, Cisco IDS will tag the alarm to indicate which monitoring NIC actually collected the traffic that caused the alarm, so you will have what can be considered two unique alarms for anything undesirable (at least as far as Cisco IDS Signatures are concerned) that successfully traverses the firewall. Furthermore, based on the NIC info, you'll be able to determine the direction of travel that the packets in question were following.

Now, in order to pass two sides of the same firewall to an IDS, you have to copy the packets off in a passive manner. Using a hub is not a great solution because a full-duplex link may be forced to half-duplex when the hub is introduced. Using a switch configured with a SPAN port to copy off the firewall-connected interface is a great option, but it's an expensive one. IIRC, you can configure SPAN on the Catalyst 2900XL, 3500XL, 2950, 3550, 4000, 4500, and 6500 Series Switches.

Have you considered using a port-aggregating network TAP instead? I ask because a network TAP is usually a lot cheaper than even the cheapest Cisco Catalyst switch that supports SPAN. It’s also much easier to implement and does not introduce a potential failure point for your link, which can happen with either a hub or a switch.

So, in a nutshell, here’s the solution. Use something to “tap” the line on either side of the firewall and connect it to two different monitoring interfaces on the IDS-4215. Using the monitoring solution of your choice, view the resulting IDS alarms and note the direction of travel and where the alarms are originating based on the monitoring interface info included with the IDS alarms.

I’ve uploaded a logical network diagram to help illustrate my point.

I hope this helps,

Alex Arndt
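As an added illustration of the SPAN option described in the reply above (this is example configuration written for this thread, not anything posted by the participants and not copied from Cisco documentation), here is what the two-session setup looks like on a Catalyst 3550-class switch running IOS. The topology, interface numbers and VLAN IDs are assumptions; the `ingress vlan` keyword on the destination ports is the 2950/3550 way of letting the sensor transmit (for example TCP resets) through a SPAN destination port, and should be verified against the SPAN section of your platform's configuration guide.

```cisco
! Added example for this thread (not posted by any participant and not
! copied from Cisco documentation). Assumed topology, all names invented:
!
!   border router --- Fa0/1 [switch] Fa0/2 --- PIX outside
!   PIX inside    --- Fa0/3 [switch] Fa0/4 --- internal LAN
!   IDS-4215 monitoring NIC 1 on Fa0/23, monitoring NIC 2 on Fa0/24
!
! The outside and inside segments must be in different VLANs, otherwise
! the switch itself bridges around the firewall.
vlan 10
 name OUTSIDE
vlan 20
 name INSIDE
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 20
interface FastEthernet0/4
 switchport mode access
 switchport access vlan 20
!
! Session 1: copy the port facing the PIX outside interface, both
! directions, to the sensor's first monitoring NIC. Mirroring a single
! port with "both" delivers each frame exactly once.
monitor session 1 source interface FastEthernet0/2 both
monitor session 1 destination interface FastEthernet0/23 ingress vlan 10
!
! Session 2: the same for the port facing the PIX inside interface.
monitor session 2 source interface FastEthernet0/3 both
monitor session 2 destination interface FastEthernet0/24 ingress vlan 20
!
! "ingress vlan N" lets frames the sensor transmits on its monitoring
! NIC (TCP resets) enter the switch on that VLAN; without it a SPAN
! destination port discards everything the sensor sends.
!
! Avoid this: putting both ends of one link in a session with "both"
! delivers every frame twice (rx on one port, tx on the other):
!   monitor session 1 source interface FastEthernet0/1 - 2 both
! If both ends must be mirrored, restrict each to receive only:
!   monitor session 1 source interface FastEthernet0/1 - 2 rx
```

Two practical notes on this layout. First, putting both firewall segments on one switch makes that switch a single point of failure and a single point of misconfiguration for the firewall boundary, so many shops use a separate small switch (or TAP) per side even though it costs more. Second, the duplicate-packet concern from earlier in the thread only arises when more than one port of the same link is mirrored into one session; one port mirrored with `both` already gives the sensor each packet once, in both directions. On the CatOS-based 4000/6500 the same settings are expressed with the `set span` command family rather than `monitor session`, so check the exact keywords for the switch and software release you end up with.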

OK, I got it. It should be OK. I will probably go with a Cisco switch; I have read some information about network TAPs and they don't support TCP Resets.

Thanks for all of your help

CCIE 18676

No problem, always glad to lend a hand.

BTW, there are in fact network TAPs that support the TCP reset functionality by allowing the sensor to inject the packets into the stream via the TAP interface.

I would rather not use this forum to provide free advertising for any of the manufacturers of such products, so I won't list anything specific here. Off the cuff, however, I know of at least two manufacturers who make 10/100 Ethernet port-aggregating TAPs that permit TCP resets to pass through.

In order to find a suitable device, the only suggestion I would give is to look for TAPs with a feature such as "Active Response", or that include something about "Allow bi-directional traffic" in the product description. If the TAP has such a feature, it will allow the IDS to transparently inject TCP Resets into the stream.

I hope this helps,

Alex Arndt

Can I use a VLAN?

Thanks,
