Link State Update
Eric Quinn

Bad Packets!
Tips on using IDS software and hardware to sniff out unwanted traffic on your network.
by Eric Quinn, courtesy of TCPMag.com
8/2/2001 -- Intrusion detection is the process of finding bad packets on your network. A device sits on your LAN and monitors all the packets it can see. Beyond the sniffer capabilities, though, an Intrusion Detection System (IDS) takes the packets it grabs and compares them to the signatures of undesirable packets.

IDS devices can be network appliances or they can be software solutions. An example of a software-based IDS is BlackIce Defender, which serves as an IDS for a single PC. Another example is Snort, a software-based IDS released under the GNU General Public License and available for both Linux and Windows 2000.

An appliance would be a combination of hardware and software, like the 4200 series IDS sensors by Cisco.

Firewalls can keep out undesirable packets based on lots of criteria, but they only go so far. If you have a DMZ interface configured on a PIX, and you’re allowing HTTP traffic to come from the outside to go to the DMZ because that's where your Web server is, then you're allowing all sorts of Web traffic. Your firewall isn't going to look inside the packet and determine that just because a certain character string exists, the packet should be denied. The PIX doesn't subscribe to any of the security newsletters letting it know what the latest IIS exploits are.

An IDS is able to look inside those HTTP packets and compare the contents against its library of HTTP signature strings. If the next exploit says, "Hackers can take down a Web server by typing http://www.target.com/crashme!" then you can have your IDS look for HTTP packets that contain the text string "crashme!"

Even better, the Cisco IDS sensor can be configured to talk to a Cisco router and configure an extended access list to keep out that traffic. In the case of a text string inside an HTTP packet, the router would filter out all HTTP traffic from the source to the destination.
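The two paragraphs above describe the whole loop: match a byte string inside HTTP traffic, then have a router drop that source's HTTP traffic to the destination. The following is an added example written for this page; it is not code from the column, from Cisco or from Snort. It implements a minimal content-signature matcher in the spirit of the "crashme!" illustration and emits the kind of IOS numbered extended access-list lines a sensor could hand to a router. Every address, packet and the signature id are constructed for the demo. One caveat a practitioner would add to the article's "look for the text string" advice: the request line is percent-decoded before matching, because a naive byte compare on the raw payload misses an encoded spelling of the same path that the web server will still decode and serve.

```python
"""
Added example (not from the original column): a minimal content-signature
IDS plus generation of a router "shun" ACL. All traffic below is constructed.
"""
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass
class Packet:
    src: str        # source IP (constructed sample)
    dst: str        # destination IP (constructed sample)
    dport: int      # destination TCP port
    payload: bytes  # TCP payload as seen on the monitor port


@dataclass
class Signature:
    sid: int        # hypothetical signature id
    name: str
    dport: int      # only inspect traffic to this port
    content: bytes  # byte string that must appear in the payload
    nocase: bool = True


def normalize_http_request(payload: bytes) -> bytes:
    """Percent-decode the request line so the signature is compared against
    what the web server will act on. Without this, "crash%6de!" slips past a
    raw byte match even though the server treats it as "crashme!"."""
    text = payload.decode("latin-1")          # latin-1 maps every byte 1:1
    request_line, sep, rest = text.partition("\r\n")
    decoded = unquote(request_line, encoding="latin-1")
    return (decoded + sep + rest).encode("latin-1")


def matches(sig: Signature, pkt: Packet) -> bool:
    """True when the packet is on the signature's port and carries its content."""
    if pkt.dport != sig.dport:
        return False
    hay = normalize_http_request(pkt.payload) if sig.dport == 80 else pkt.payload
    needle = sig.content
    if sig.nocase:
        hay, needle = hay.lower(), needle.lower()
    return needle in hay


def inspect_packets(packets, signatures):
    """Return one (sid, name, src, dst) tuple per packet/signature hit."""
    return [(sig.sid, sig.name, pkt.src, pkt.dst)
            for pkt in packets for sig in signatures if matches(sig, pkt)]


def shun_acl(src: str, dst: str, acl_number: int = 101):
    """IOS-style extended ACL: drop HTTP from src to dst, permit everything else.
    Mirrors the article's description of the sensor-to-router response."""
    return [
        f"access-list {acl_number} deny tcp host {src} host {dst} eq 80",
        f"access-list {acl_number} permit ip any any",
    ]


SIGNATURES = [Signature(1000001, "HTTP crashme! request", 80, b"crashme!")]

# Constructed sample traffic: two hits (the second percent-encoded), two misses.
SAMPLE_PACKETS = [
    Packet("203.0.113.7", "192.0.2.10", 80,
           b"GET /crashme! HTTP/1.0\r\nHost: www.example.com\r\n\r\n"),
    Packet("203.0.113.7", "192.0.2.10", 80,
           b"GET /crash%6de! HTTP/1.0\r\nHost: www.example.com\r\n\r\n"),
    Packet("198.51.100.4", "192.0.2.10", 80,
           b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"),
    # Same string on a non-HTTP port: the signature is scoped to port 80.
    Packet("198.51.100.4", "192.0.2.20", 25,
           b"MAIL FROM:<crashme!@example.net>\r\n"),
]

if __name__ == "__main__":
    for sid, name, src, dst in inspect_packets(SAMPLE_PACKETS, SIGNATURES):
        print(f"ALERT sid={sid} {name} {src} -> {dst}")
        for line in shun_acl(src, dst):
            print("   ", line)
```

Running the module prints two alerts, both from 203.0.113.7, each followed by the ACL pair that would block that host's HTTP to the Web server; the port-25 packet is ignored because the signature is scoped to HTTP, which is the same reason the article's PIX example passes everything on port 80 but an IDS can still be selective about what it flags.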

Cisco has three IDS products, the 4210, the 4230 and the 6000 IDS blade. The 4200s are network appliances; there are no user-upgradeable parts. The 4210 can monitor up to 45 Mbps worth of traffic and is suited for monitoring WAN connections after they pass through the perimeter router. The 4230 can monitor 100 Mbps worth of traffic. Both have two interfaces, one for monitoring and one for control. Cisco used to make a token ring version called the 4220 but it was "End of Life'd" (EOL) late last year. The IDS blade for the 6000 series switch can monitor VLAN traffic within the 6000/6500 as long as the switch is equipped with a policy feature card (PFC).

A 4200 IDS sensor will be configured to monitor traffic on the monitor port, which doesn’t have an IP address. The control port has an IP address and is how the sensor communicates with the management GUI as well as any router it needs to talk to. While the GUI isn't absolutely necessary since the sensor runs on Solaris and everything can be configured through the command line, many people are much more comfortable using the GUI since they get reports. A GUI is available for Solaris, HP-UX and Windows NT. One for Windows 2000 should be released soon.

The GUI allows you to receive information regarding what's going on on your network. You can configure the sensor to do several things when it detects an unwanted packet (although if you’re using the IDS blade, you lose several abilities). One of the better functions of the GUI is report writing. It can generate several types of reports -- ranging from deeply technical to executive overview -- about the packets it has seen on the network.

The downside to the Cisco IDS product line is the amount of data it can deal with. None of Cisco's products can handle more than 100 Mbps. This isn't much of a problem with the 6000 switch blade because you can be very particular about the type of traffic the blade looks at; but if you have a fabric-enabled switch, you can easily flood out the blade. Other vendors have products that support much higher throughput, and it's my hope that Cisco IDS devices soon will as well. Finally, if you want to monitor a gigabit connection, you can only do so with the blade. Cisco doesn't make gigabit ports for the 4200 series devices.

Do you have IDS tips to share? Questions about this topic? Post your comments below!


Eric Quinn, CCNP, CCDP, CCSI, is a security instructor and consultant. He is also co-author of the CCNP Remote Access Exam Cram by Coriolis Press. He writes the “Link State Update” column for TCPmag.com, and is a contributing editor for CertCities.com. Reach him at .

There are 10 CertCities.com user Comments for “Bad Packets!”
Page 1 of 1
1/9/02: Anonymous says: Does the IDS Blade monitor just the switch or the entire network?
2/15/02: Dave Warde from Central New Jersey says: We had two Cisco IDS sensors at my last company (sniff, sniff...now a dot goner!). We were still in the post installation "shake-down" phase and were swamped with data, most of it false alarms. From your perspective, is signature based IDS getting any better? Thanks