Switching Basics
During the last five or so years, Ethernet networks have
quietly undergone a major change. Earlier they were built using hubs, but now
switches are used almost everywhere. This change becomes very apparent when we
consider its effects on the traffic-capturing process and on the deployment of
intrusion detection systems. Let's see what the major difference between hubs
and switches is and what problems a switched environment presents to an IDS.
The primary difference between a switch and a hub is that the hub
is shared media, a single collision domain: anything that one port on a hub
sees, all ports will see, as shown in Figure 9.1.
On the other hand, a switch is a more intelligent device than the
average hub: it learns which MAC addresses are located on each of its ports and
stores that information in a lookup table. When the switch receives an
Ethernet frame destined for a specific MAC address, it forwards the frame only
to the corresponding port, as shown in Figure 9.2.
There are two exceptions to this rule. The switch sends a frame out
a single port unless it is a broadcast frame, in which case every port except
the one the frame arrived on gets a copy. The second exception applies when the
frame's destination MAC address is not in the switch's forwarding table: in
this situation the switch "floods" the frame out of all of its ports except the
one the frame arrived on.
So, to review switch theory in simple terms, a switch behaves like
a set of one-port hubs, one per port, which breaks the single collision domain
up into one collision domain per port. Since the switch is a layer-2 device, the
broadcast domain does not change until we reach the router. Neither hubs nor
switches change the frame header, which is why you will see the term
"transparent bridge": the frame header is not altered in transit through the
hub or switch. It is this switching of frames between ports that makes life
with the IDS sensor much more difficult, but not impossible.
The problem posed by switches is that no matter which port you connect a
traffic-capturing device to, it will see no traffic other than broadcast frames
(and, as noted above, frames flooded because their destination is unknown to the
switch). There are several options available to avoid this problem (besides
using hubs instead of switches, which is usually not practical from the point of
view of bandwidth consumption).
One approach is to use network taps, passive devices that are
inserted between a monitored network device and a switch. A network tap copies
the traffic on the monitored link to a separate cable that plugs into the IDS
sensor. Taps are designed to "fail open", so that if they break or lose power
the monitored link is not affected. Taps exist for almost any type of line or
connection speed, including optical and Gigabit Ethernet links. We discuss the
use of taps in more detail at the end of this chapter.
Another way to address the capturing problem created by switches
is to use the SPAN port feature provided by most switches currently on the
market. SPAN stands for Switch Port Analyzer and is also sometimes called "port
mirroring," although technically port mirroring is a subset of port spanning
features. A switch can be configured with a dedicated port to which every
packet that passes through the switch is copied. Depending on the switch model,
this can add overhead to packet processing, although on some switches spanning
ports do not affect switching capacity.
Note: When using spanning ports, only packets that get inside the
switching backplane are copied to the spanning port. So, for example, frames
with incorrect CRCs are dropped when they enter the switch and are consequently
not copied to any of the SPAN ports.
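To make the forwarding rules above concrete, here is a small Python model of a transparent learning switch, added as an illustration (it is not from the book and not Cisco code); the host MAC addresses, port numbers and traffic are constructed. It shows that a sensor on an ordinary port receives only the flooded and broadcast frames, while a SPAN port gets a copy of every frame that entered the backplane.

```python
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    """Model of a transparent learning switch (constructed for illustration).

    It learns the source MAC of every frame against its ingress port, forwards
    known unicast to that one port, floods broadcast and unknown-destination
    frames to all other ports, and copies every frame that entered the backplane
    to an optional SPAN port."""

    def __init__(self, host_ports, span_port=None):
        self.host_ports = list(host_ports)
        self.span_port = span_port
        self.mac_table = {}                 # MAC address -> port number
        self.seen = defaultdict(list)       # port number -> payloads delivered

    def receive(self, in_port, src, dst, payload):
        """Switch one frame; returns the list of ports it was forwarded to."""
        self.mac_table[src] = in_port       # learning step: src lives on in_port
        if dst == BROADCAST or dst not in self.mac_table:
            out_ports = [p for p in self.host_ports if p != in_port]   # flood
        else:
            out_ports = [self.mac_table[dst]]                          # unicast
        for p in out_ports:
            self.seen[p].append(payload)
        if self.span_port is not None:      # mirror copy, if SPAN is configured
            self.seen[self.span_port].append(payload)
        return out_ports


def sensor_view(use_span):
    """Constructed traffic: host A on port 1, host B on port 2; the IDS sensor
    sits on ordinary port 3, or on SPAN port 4 when use_span is True."""
    sw = LearningSwitch(host_ports=[1, 2, 3], span_port=4 if use_span else None)
    sensor_port = 4 if use_span else 3
    a, b = "00:00:00:00:00:0a", "00:00:00:00:00:0b"
    sw.receive(1, a, b, "syn")           # B unknown yet: flooded, sensor sees it
    sw.receive(2, b, a, "syn-ack")       # A already learned: port 1 only
    sw.receive(1, a, b, "get /")         # B learned now: port 2 only
    sw.receive(1, a, BROADCAST, "arp")   # broadcast: every port but ingress
    return sw.seen[sensor_port]


if __name__ == "__main__":
    print("plain port sees:", sensor_view(False))   # ['syn', 'arp']
    print("SPAN port sees: ", sensor_view(True))    # ['syn', 'syn-ack', 'get /', 'arp']
```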
The last option, available only with the Cisco Catalyst 6000 IDS
Module (IDSM), is to monitor network traffic directly on the switch backplane.
Since the IDSM has access to the switching fabric, there is no need to copy
packets between ports to redirect them to the IDS; the only configuration task
remaining is to specify the "interesting" traffic that needs to be monitored
(see Figure 9.3). This is done using VLAN access lists, or VACLs, which we look
at in more detail next.
All three options are discussed in this chapter, although the
main means of using an IDS in a switched environment is still the port spanning
feature, which is described in more detail than the other two.