idsm-2 with SPAN and VACL

NAVIN PARWAL
Level 2

Folks,

I have an IDSM-2 blade in my 6500 running CatOS. I want to monitor all the VLANs in passive mode for right now. Is it better for me to use the SPAN feature, or should I use the VACL feature?

Also, the Cisco doc says that in inline mode the IDSM supports "inline pairs", whereas in passive mode it supports an unlimited number of VLANs. My question is: what is meant by the phrase "inline pair"???

How many vlans are supported in Inline mode?

4 Replies

marcabal
Cisco Employee

My general recommendation is to use VACL Capture instead of Span in the majority of promiscuous deployments.

VACL Capture gives you a little better control of what packets you want monitored. You can permit and capture traffic that regularly goes to the internet (like web and mail), while being able to permit but not capture traffic that stays in the network and is rarely used in attacks (like network backups).

The IDSM-2 has an upper performance of about 600Mbps. So being able to permit but not analyze some of the internal traffic will allow you to analyze more of the traffic of interest (traffic on ports known to be used in attacks across the internet).

There are, however, a few scenarios where Span does work better than VACL Capture, like when you only plan on monitoring the traffic going through the firewall. In this situation it is easier to just span the port connected to the firewall than to try and set up a complex VACL to only capture between the internal network and the internet without capturing traffic staying on the internal network.

As for "inline pairs". When operating in "inline" mode, the IDSM-2 passes traffic back and forth between 2 vlans. It is kind of like bridging the 2 vlans. So with an "inline pair" it can only monitor the traffic passing back and forth between these 2 vlans.

Most people associate an IP subnet with a vlan, and the only way a machine on a vlan can talk to another is through a router (generally the MSFC of the switch, or routing by the switch itself in the case of Native IOS).

But this is not the case with "inline" IDSM-2. Instead it is a single IP subnet spread across 2 vlans. The IDSM-2 does not do IP routing between the vlans; instead it passes packets more like a layer 2 bridge.

If you want to do "inline" monitoring on an existing vlan, the easiest thing to do is to create a brand new vlan to pair with the existing vlan. Part of the machines in the existing vlan are then moved to the new vlan, and the IDSM-2 is used to "pair" the 2 vlans.

One example would be vlan 100 with 1 port connected to the firewall, and multiple ports connected to internal personal machines and even internal routers.

The firewall and all the internal machines are all on the same IP Subnet.

An easy thing to do is to create a new vlan 101.

Move the firewall port to vlan 101.

Then use the IDSM-2 to pair vlan 100 and vlan 101.

Traffic going to the internet would come in one of the internal ports on vlan 100. Then get bridged (and analyzed) by the IDSM-2 to vlan 101. The packet then goes to the firewall and out to the Internet. The opposite happens for packets coming in from the Internet.

So you can see that all packets going to/coming from the internet have to pass through the IDSM-2 for analysis.

The big advantage of an "inline" deployment is that if the IDSM-2 detects an attack it can drop the packet and prevent it from ever reaching the destination.

A promiscuous deployment can not do this because the IDSM-2 is only seeing a copy of the packet (from Span or VACL Capture).

The disadvantage, as you've seen, is that you can only monitor a single "pair" of vlans in "inline" mode. But because you have to create the pair by creating a new vlan, it really equates to only being able to monitor on one existing vlan.

NOTE: This is subject to change in future versions of the IDSM-2 as users are requesting the ability to create multiple "inline vlan pairs".
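As an added example (not part of the thread, and not Cisco's own sample), the following CatOS fragment shows the "permit but don't capture the backups, permit and capture the internet-bound services" policy described above. It assumes the IDSM-2 sits in slot 5 with its capture data port at 5/7, that VLANs 100 and 200 are to be monitored, and that 10.10.10.10 is a constructed backup-server address; the ACL name is a placeholder. Verify the exact command syntax against the CatOS release on your chassis.

```text
! Added example: CatOS VACL Capture feeding a promiscuous IDSM-2.
! Slot 5 / port 5/7, VLANs 100 and 200, and host 10.10.10.10 are assumptions.

! First match wins, so exempt the backup server before the capture entries:
! forwarded normally, but no copy goes to the sensor.
set security acl ip IDS_CAPTURE permit ip any host 10.10.10.10
set security acl ip IDS_CAPTURE permit ip host 10.10.10.10 any

! Traffic of interest (web, mail, DNS): forward AND copy to the sensor.
set security acl ip IDS_CAPTURE permit tcp any any eq 80 capture
set security acl ip IDS_CAPTURE permit tcp any any eq 443 capture
set security acl ip IDS_CAPTURE permit tcp any any eq 25 capture
set security acl ip IDS_CAPTURE permit udp any any eq 53 capture

! A security ACL ends with an implicit deny. Without this final permit the
! mapped VLANs are black-holed, so never commit the ACL without it.
! Add "capture" here only if the sensor has headroom below 600Mbps.
set security acl ip IDS_CAPTURE permit ip any any

! Commit, map to each VLAN to be monitored, and point captured copies at the blade.
commit security acl IDS_CAPTURE
set security acl map IDS_CAPTURE 100
set security acl map IDS_CAPTURE 200
set security acl capture-ports 5/7

! Check the committed entries and the VLAN mapping before trusting the sensor's view.
show security acl info IDS_CAPTURE
show security acl map IDS_CAPTURE
```

The ordering matters: because the ACL is evaluated first-match, the backup exemptions must sit above any entry that would otherwise capture that traffic. Forgetting the closing `permit ip any any` is the classic mistake with VACLs, since the implicit deny then drops every packet on the mapped VLANs rather than merely leaving it unanalyzed.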

Thanks for the awesome response!!!

I have a question. I have about 10 VLANs in my network and want to monitor them and also have some kind of control over them. Can I run the IPS system in my Catalyst in passive mode and use it to update access-lists on my MSFC to block (let's say workstations trying to launch attacks)? I really need to monitor and have control on more than 1 VLAN.

Thanks

Yes you can monitor all 10 (assuming the amount of traffic is less than the 600Mbps that the IDSM-2 is capable of monitoring, or VACL Capture is used to minimize the monitored traffic down to 600Mbps).

The sensor has a blocking feature (also known as shunning) where it can connect to a router or switch and create ACLs to block traffic.

Understand that this won't prevent the initial attack, but will prevent additional packets from that attacker source address.

You configure the sensor's network access controller to manage either the switch or MSFC for the blocking.

You tell the sensor which vlans to place the ACLs on.

If you manage the switch running CatOS, then tell it the vlan ids to create Vlan ACLs for.

If you manage the MSFC (or a switch running Native IOS) instead you would tell it the vlan interfaces and direction (in or out) on which to apply the Router ACL.

When managing the switch you just use the vlan numbers (100,101,200, etc..), but when using the MSFC or Native IOS then you need to use the interface name for the vlan (vlan100, vlan101, vlan200, etc...).

If I remember correctly you can control up to about 100 vlans or vlan interfaces on one device.
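As an added illustration (not from the thread, and not the sensor's actual generated output), here is what the MSFC side of the blocking (shunning) arrangement described above looks like once a block is in place. It assumes the sensor manages the `Vlan100` interface in the inbound direction, that 10.20.30.40 is a constructed attacker address, that 10.1.1.5 and 10.1.1.10 are constructed sensor and management-station addresses, and that the ACL names are placeholders for whatever names the sensor and your configuration actually use.

```text
! Added illustration: Native IOS / MSFC configuration with sensor-managed blocking.
! All addresses and ACL names are assumptions.

! Pre-block ACL, written by you: entries the sensor always keeps at the top so it
! can never shun its own management path or the monitoring workstation.
ip access-list extended IPS-PRE-BLOCK
 remark sensor command-and-control address (constructed)
 permit ip host 10.1.1.5 any
 remark management station (constructed)
 permit ip host 10.1.1.10 any

! Post-block ACL, written by you: the interface's normal policy, applied after
! the active blocks.
ip access-list extended IPS-POST-BLOCK
 permit ip any any

! ACL the sensor generates and rewrites whenever a block is added or expires
! (placeholder name). It is pre-block entries, then the active blocks, then the
! post-block entries. Never edit it by hand; change IPS-PRE-BLOCK or
! IPS-POST-BLOCK instead, or the next rewrite silently discards your change.
ip access-list extended SENSOR-GENERATED-BLOCK
 permit ip host 10.1.1.5 any
 permit ip host 10.1.1.10 any
 remark active block pushed by the sensor for a host-block signature
 deny ip host 10.20.30.40 any
 permit ip any any

interface Vlan100
 ip access-group SENSOR-GENERATED-BLOCK in

! Confirm the block landed and is matching before assuming the host is contained.
show ip access-lists SENSOR-GENERATED-BLOCK
show ip interface Vlan100
```

One caveat when choosing between managing the MSFC and managing the switch: a Router ACL on a vlan interface only sees traffic that is routed off that VLAN. A blocked host can still reach other machines on its own VLAN, which is exactly the dorm-to-dorm case with infected PCs. If containment within the VLAN matters, have the sensor manage the CatOS switch so the block is written as a Vlan ACL, which also applies to traffic that never reaches the MSFC.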

This is one of the most Awesome answers I have read in a long time.

Have you implemented it in the real world? We are running CatOS. We are a university and the students in the dorms have virus-infected PCs. Has this solution been implemented somewhere (VACL)???

So, if I understand your previous post correctly, the IPS blade (IDSM-2 running 5.x) will be running in passive mode and will send VACL commands to the Catalyst switch it is in if it detected a persistent signature which was configured for host block?

Thanks
