I've seen several replies saying essentially the same thing: "This is a feature of the switch - not the IDS."
However, this is only partially true. It is certainly a function of the switch to be able to copy traffic to a destination port using something like SPAN, VACL Capture, or other similar features. Many switches support sending this captured traffic to an 802.1q or ISL trunk port. All currently shipping Cisco switches, to the best of my knowledge, support this. Most IDS products should be able to at least analyze traffic that arrives via trunk ports. All Cisco IDS/IPS products have supported this for as long as I can remember. Additionally, Cisco IDS/IPS sensors are able to track the VLAN traffic arrives on through the trunk port, rather than simply grouping the traffic all together. The event action can be dependent on which VLAN the malicious traffic was seen on. In the alert that is triggered, the VLAN from the trunk port is displayed. I don't know what vendors support this capability, but it is certainly supported by Cisco sensors. If we talk about IPS instead of IDS, the feature remains for us. You can plug an interface on a Cisco IPS sensor into a trunk port, and the sensor can treat each VLAN on the trunk separately. Gary Halleen, CISSP, ISSAP Cisco Systems, Inc. On 2/8/07 3:00 PM, "Eric Hines" <[EMAIL PROTECTED]> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Trav_2: > > You're talking about two separate things. > > 1) Cisco is a switch and you're talking about a mirror/span port. > Though, network taps > Span ports :) > > 2) Its not the IDS/IPS that is performing that capability, its the > switch. So its inaccurate to ask if the IDS/IPS vendors you mentioned > can do the same thing. A span port doesn't care whats hooked up to it, > whether its Snort or a sniffer. > > Hope this helps. > > > Best Regards, > > Eric Hines, GCIA, CISSP > CEO, President > Applied Watch Technologies, LLC > 1095 Pingree Road > Suite 221 > Crystal Lake, IL 60014 > Toll Free: (877) 262-7593 > Fax: (847) 854-5106 > Cell: (847) 456-6785 > Web: www.appliedwatch.com > > > > Andrew Plato wrote: >> If you create a mirror port and plug in any IPS/IDS, it will see the >> traffic. TippingPoint, ISS, etc. All can do that. >> >> Also, pretty much any decent managed switch can have mirror ports. This >> is not unique to Cisco. >> >> Keep in mind, you cannot do real-time IPS (intrusion prevention) in any >> reliable manner this way. You have to be IN-LINE to do real-time >> blocking and filtering. Passive monitoring off a mirror port only allows >> you to send RSTs to stop stuff, and that is not a very reliable way to >> block bad stuff. >> >> ___________________________________ >> Andrew Plato, CISSP, CISM >> President/Principal Consultant >> Anitian Enterprise Security >> >> >> >> -----Original Message----- >> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] >> On Behalf Of [EMAIL PROTECTED] >> Sent: Monday, February 05, 2007 10:44 AM >> To: [email protected] >> Subject: IPS and Trunking >> >> Cisco has a great feature where I can configure all traffic on a switch >> to go to a trunk port, plug in the IPS/IDS to the trunk port and see all >> traffic. Can other vendors, such as Sourcefire, TippingPoint, ISS do >> this? >> >> Thanks, >> >> ------------------------------------------------------------------------ >> Test Your IDS >> >> Is your IDS deployed correctly? >> Find out quickly and easily by testing it with real-world attacks from >> CORE IMPACT. >> Go to >> http://www.coresecurity.com/index.php5?module=Form&action=impact&campaig >> n=intro_sfw >> to learn more. >> ------------------------------------------------------------------------ >> >> >> >> ------------------------------------------------------------------------ >> Test Your IDS >> >> Is your IDS deployed correctly? >> Find out quickly and easily by testing it >> with real-world attacks from CORE IMPACT. >> Go to >> http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=int >> ro_sfw >> to learn more. >> ------------------------------------------------------------------------ >> > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.5 (Darwin) > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org > > iD8DBQFFy6t31va6QYTV0EMRAuSkAJ4+1WTm+ugpOAK4Ghzv8ooYyFYi1gCfSC69 > cXQfDMCJ7O14l+ZnE/lpTsY= > =ego2 > -----END PGP SIGNATURE----- > > ------------------------------------------------------------------------ > Test Your IDS > > Is your IDS deployed correctly? > Find out quickly and easily by testing it > with real-world attacks from CORE IMPACT. > Go to > http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intr > o_sfw > to learn more. > ------------------------------------------------------------------------ ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
