439 Views, 0 Helpful, 2 Replies

IDS placement in a switched multi-VLAN environment

neil.barrett
Level 1

I have a newbie question regarding placement of a 4210 in a switched environment, so please bear with me!

We have implemented web hosting within an ISP, and use a PIX 525 with 4 DMZs to segment and filter traffic between DCs, IIS boxes and DB servers across the internal network for security purposes. All links are connected to a Cat2950-24 switch and I have VLANed off the switch into 6 VLANs to contain traffic. Servers are connected to their respective VLAN and this works well.

My question is placement of the IDS unit. As there is only one monitoring port on the unit, my initial thought would be to put it within the VLAN where the IIS servers sit for maximum detection.

But then I realised that it may not work!

As it is in a switched environment the unit would only see traffic destined for its own port, i.e., nothing. The only information regarding setting up a monitoring port for a switch is for the Catalyst 6000 range, not my lowly 2950.

Have I completely missed the point or is there a way of having the IDS sense all traffic to my IIS servers?

By the way, I do not want to have to purchase any further kit to make this work, as politically it is not an option.

Your thoughts are appreciated.

Regards,

Neil.

2 Replies

g.rodegari
Level 1

Hi,

If I understand the point, look here:

http://www.cisco.com/warp/public/473/41.html

good luck!

GRAZ

Hi,

You could also try to obtain the engineering build of a driver that works with dot1q trunking.
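For readers landing here with the same question: the link in the first reply is Cisco's SPAN (port mirroring) document, and the configuration below is an added worked example of what that looks like on a Catalyst 2950. It is not from either reply or from Cisco's page. Interface numbers, the VLAN number, the placement of the PIX DMZ uplink and the sensor port are all assumed for illustration, as is a 2950 image that supports SPAN with port sources (exact range syntax varies by IOS release, so check `show monitor` and the command reference for your image).

```cisco
! Added example (not from the thread): local SPAN on a Catalyst 2950 so the
! IDS-4210 sniffing interface sees the IIS servers' traffic.
! Assumed port layout:
!   Fa0/1 - Fa0/4 : IIS servers, all in the IIS VLAN (assumed VLAN 20)
!   Fa0/12        : PIX 525 DMZ interface that fronts the IIS VLAN
!   Fa0/24        : IDS-4210 monitoring (sniffing) interface
! Assumes the image allows a single SPAN session with interface sources.

! Clear any stale session before defining a new one.
no monitor session 1

! Mirror both directions of the server ports themselves. Mirroring only the
! PIX-side port (Fa0/12) would miss server-to-server traffic inside the VLAN,
! because that traffic never crosses the firewall.
monitor session 1 source interface FastEthernet0/1 - 4 both

! Destination: the port the sensor's sniffing NIC is cabled to. A SPAN
! destination port does not pass normal traffic, so the sensor's
! command-and-control interface must be on a separate, ordinary port.
monitor session 1 destination interface FastEthernet0/24

! Confirm the session is active and lists the expected source/destination.
show monitor session 1
```

Two caveats a practitioner would want before trusting the sensor's view. First, oversubscription: four 100 Mb/s sources mirrored in both directions can exceed the single 100 Mb/s destination port, and the switch silently drops the excess, so the IDS may miss packets under load; mirror only the ports (or only the direction) that matter if the link runs hot. Second, tagging: if the mirrored frames arrive carrying 802.1Q tags (for example when the source is a trunk port), the sensor's sniffing driver has to understand them, which is presumably what the dot1q-capable driver build mentioned in the second reply is about.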