Identifying the Sensor
Technically speaking, there are two types of
sensor platforms available: the 4200 series sensors and the Catalyst 6000/6500
series IDS Module (or IDSM), both of which we cover in detail in Chapter 6. Within
the 4200 series, there are four different sensor appliances offered in the Cisco
product line. Depending on your budget, organizational needs, and the number of
external connections to the Internet, multiple sensors or a single sensor could
be the answer. It is important to be able to identify which sensor you will be
working with considering there are some subtle differences between the models.
The old NetRanger sensors, 4220 and 4230, were bulky 7-inch, four-rack-unit (RU)
models. The introduction of the newer blade-style models streamlined the chassis
into a 1U format for all models, including the 4210 (as shown in Figure
3.1), 4215, 4235, 4250, and 4250-XL. For the purpose of this chapter, we
will focus on the model 4230 since it is one of the most commonly available and
is still used on the Cisco IDS certification test.
Each of the sensors has two ports: a monitoring or sniffing
interface which captures the traffic to analyze, and a control port that
provides access to the sensor via Telnet, CSPM, and so on. The control port is
the only port on the sensor that will actually be assigned an IP address on the
network. Some modules have a console port that can be a DB9 connector, such as
the 4230, or an RJ45 console cable jack.
Note: Cisco best practices tell you the control port should be
placed on an isolated network or out-of-band management network that routes
traffic for management purposes on another network other than the enterprise.
Cisco documentation refers to this type of network as the Command and Control Network.
It is critical that we can identify the monitoring or sniffing
port on the IDS. On the 4210, the device name is /dev/iprb0. The 4210 sensor has
two built-in ports directly on top of one another. The monitoring interface is
the lower port, iprb0. The control port is iprb1, which is located above the
sniffing port (refer to Figure 3.2). The 4220 and 4230 sensors have
expandable slots. One of the ports is built-in, and the other is located on the
expansion slot. That is, iprb0 can be found on the sensor, while /dev/spwr0 is
physically located in slot 5 in order to capture packets.
The 4230 and 4220 sensors have the ability to be configured in
different manners to accommodate different networks. iprb0 is used for control
in each configuration. For a Token Ring network, use /dev/mtok36, which is
located in slot 6 to capture packets. For an FDDI network, /dev/ptpci is used.
It is located in slot 4.
Note: The sniffing port and control port on the 4230 can be
swapped under certain circumstances to sniff multicast traffic. We will discuss
that process later in the chapter.