IDSM2 management-port and data-port capture identical

jason.aarons
Level 1

Did I read somewhere that the below has problems or is not recommended? Can I sniff my management-port vlan?

intrusion-detection module 6 management-port access-vlan 2

intrusion-detection module 6 data-port 1 capture allowed-vlan 2

5 Replies

dbobeldyk
Level 1

From a theory perspective it isn't recommended.

Designing a good IDS system means having the management vlan be on a different vlan than the one you're monitoring. Why is that?

If you're sending alarms about possible hacks on your network to the same network that is getting hacked - it is quite possible that the hackers will then modify those alarms to cover up their tracks.

I see no reason why you wouldn't be actually able to configure this... it's just not good practice.

Hope that helps clear things up.

I set up GFI LanGuard Security scanner and ran a scan against the IDSM-2 (show ip) itself. Should it see this traffic? The allowed vlans and vlan acl should be capturing the traffic.

The sensing engines are enabled, but show events doesn't show anything, but some "sensor lost communication" logs from when I think I updated the sensor. I'll probably call TAC tomorrow. I have not done any tuning. This is an out-of-the-box setup.

Make sure you also have the following IOS configuration line on your switch:

intrusion-detection module 6 data-port 1 capture

That's what actually enables capture to the IDSM-2's data-port 1 for the VLANs you configured on the similar looking line.

You also have to enable the sniffer interface if this is an out of the box install. It's easiest to do this through the IDM, just browse to the device and enable the interface you want to sniff (7).

marcabal
Cisco Employee

There are 2 issues that may be causing confusion.

1) Older versions of IDS used unencrypted connections for transferring alarm data. If the IDS was monitoring these connections to itself, then the alarm data being transmitted in the unencrypted connection could sometimes cause misfires (false positives). This would result in an alarm flood. The first alarm would be legitimate. When the user connects to the sensor to see the alarm, it creates a false positive, which causes another alarm which causes another alarm which causes another alarm etc.

With the recent versions using encrypted connections this doesn't happen anymore. You may still get an occasional false positive, but it is nowhere near the extent it used to be.

2) The second issue is whether or not the management data should be on the main network. Once again in previous versions with unencrypted connections, users were strongly encouraged to create a second network for the management of the IDS systems (a security management dedicated vlan). So your security management vlan should be different than the main vlan you were originally wanting to monitor.

With the new versions with encrypted connections it is not as important that it be a separate network/vlan for the security management, BUT it is still the recommended practice.

Since the recommendation is to use a second vlan for the management, then you have 2 options.

Option 1: Only monitor the original vlan (this is the one most often chosen).

Or option 2 which is to monitor both the original vlan to be monitored as well as the security management vlan.

So the question isn't whether or not you can sniff the management vlan, but whether or not your management vlan should be a different vlan than your main network.
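Putting the switch-side pieces of this thread together (the `capture` enable line from the earlier reply and the two monitoring options above), as an added configuration example that is not from any of the posters: slot 6 and VLAN 2 come from the thread, while VLAN 10 as the dedicated security-management VLAN and the VACL/ACL names are assumed for illustration.

```cisco
! Catalyst 6500 IOS, IDSM-2 in slot 6 (slot number from the thread)
!
! Keep the sensor's management port on its own security-management VLAN,
! separate from the VLAN being monitored (VLAN 10 is assumed here).
intrusion-detection module 6 management-port access-vlan 10
!
! This line actually enables capture to data-port 1; the allowed-vlan
! list below does nothing without it.
intrusion-detection module 6 data-port 1 capture
!
! Option 1: capture only the production VLAN (VLAN 2, from the thread).
intrusion-detection module 6 data-port 1 capture allowed-vlan 2
!
! Option 2: capture the production VLAN and the management VLAN.
! Use this instead of the Option 1 line, not in addition to it.
! intrusion-detection module 6 data-port 1 capture allowed-vlan 2,10
!
! VACL that marks all IP traffic on VLAN 2 for capture so it is sent to
! the capture port(s). Names ALL-IP and IDS-CAPTURE are assumed.
ip access-list extended ALL-IP
 permit ip any any
!
vlan access-map IDS-CAPTURE 10
 match ip address ALL-IP
 action forward capture
!
vlan filter IDS-CAPTURE vlan-list 2
```

The sensing interface on the IDSM-2 itself must still be enabled (through IDM, as the earlier reply notes) before `show events` will show anything for the captured VLANs; the switch-side lines only deliver traffic to the data port.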