Cisco IPS sensor scenario one – Promiscuous mode

As I said in my previous post, there are four ways to place Cisco IPS 4200 sensors. This time, we are going to see how this is done in promiscuous mode. In this mode the sensor does not sit inline with the traffic, so we need a way to send a *copy* of every packet we are interested in to the sensor. This can be SPAN if the sensor and the traffic we want to analyse are on the same switch, or RSPAN if they are not. We are going to talk about RSPAN, because it’s the more common scenario. Here is the topology:

If you have read the previous article about blocking attackers using an IPS sensor and the ASA’s shun, then you know that we want to track VPN traffic entering the datacenter. This is just one scenario, and similar ones can be built the same way.

VLAN4 already exists, because that is how things worked before the IPS sensor was introduced. Now we need to create VLAN444 and make it an RSPAN VLAN:

Core-1(config)#vlan 444
Core-1(config-vlan)#name IPS_Remote_Capture
Core-1(config-vlan)#remote-span

VTP will do the rest and all other switches in the VTP domain will learn about this VLAN.

Now on SW2 we need to take VLAN4’s traffic and throw it into VLAN444:

monitor session 4 source vlan 4
monitor session 4 destination remote vlan 444

The only thing left is to take the traffic out of VLAN444 and send it to the IPS sensor’s port. This is done on SW1:

monitor session 4 source remote vlan 444
monitor session 4 destination interface Gi2/32 ingress vlan 4
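
Before moving on to the sensor, it is worth confirming that the three pieces line up. The following Python check is an added example, not part of the original post: it reads running-config text from each switch and reports whether the RSPAN VLAN is flagged remote-span, whether one switch copies VLAN 4 into it, and whether another switch delivers it to an interface. The config fragments in CONFIGS are constructed and modelled on the commands above, and the helper names (rspan_vlans, sessions, audit) are hypothetical.

```python
import re

# Constructed running-config fragments modelled on this post's commands (assumption:
# the RSPAN VLAN stanza carries IOS's "remote-span" keyword).
CONFIGS = {
    "Core-1": "vlan 444\n name IPS_Remote_Capture\n remote-span\n",
    "SW2": "monitor session 4 source vlan 4\n"
           "monitor session 4 destination remote vlan 444\n",
    "SW1": "monitor session 4 source remote vlan 444\n"
           "monitor session 4 destination interface Gi2/32 ingress vlan 4\n",
}

def rspan_vlans(cfg):
    """VLAN IDs whose 'vlan N' stanza contains a 'remote-span' line."""
    stanzas = re.finditer(r"^vlan (\d+)[ \t]*\n((?:[ \t]+.*\n?)*)", cfg, re.M)
    return {int(m.group(1)) for m in stanzas if "remote-span" in m.group(2).split()}

def sessions(cfg):
    """Map session number -> {'source': ..., 'destination': ...} argument text."""
    out = {}
    for m in re.finditer(r"^monitor session (\d+) (source|destination) (.+)$", cfg, re.M):
        out.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3).strip()
    return out

def audit(configs, monitored_vlan):
    """Return a list of problems in the RSPAN chain for monitored_vlan ([] = OK)."""
    declared = set().union(*(rspan_vlans(c) for c in configs.values()))
    feeds, drains = {}, {}  # RSPAN VLAN id -> switch that fills / empties it
    for sw, cfg in configs.items():
        for s in sessions(cfg).values():
            src, dst = s.get("source", ""), s.get("destination", "")
            m = re.match(r"remote vlan (\d+)", dst)
            if m and re.match(rf"vlan {monitored_vlan}\b", src):
                feeds[int(m.group(1))] = sw
            m = re.match(r"remote vlan (\d+)", src)
            if m and dst.startswith("interface "):
                drains[int(m.group(1))] = sw
    problems = []
    if not feeds:
        problems.append(f"no session copies VLAN {monitored_vlan} into an RSPAN VLAN")
    for vlan, sw in feeds.items():
        if vlan not in declared:
            problems.append(f"VLAN {vlan} used by {sw} lacks 'remote-span'")
        if vlan not in drains:
            problems.append(f"no switch delivers RSPAN VLAN {vlan} to a sensor port")
    return problems

if __name__ == "__main__":
    print(audit(CONFIGS, 4) or "RSPAN chain for VLAN 4 is complete")
```

An empty list means the sensor port should be receiving the copy; any message points at the switch or VLAN where the chain breaks, which is the usual reason a promiscuous sensor silently sees nothing.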

This completes the switching requirements. Now it’s time to set up the sensor.

Let’s go to Configuration->Interfaces->Interfaces, select GigabitEthernet0/1 and click Enable. Then go to Configuration->Policies, select virtual sensor vlan4, click Edit and assign GigabitEthernet0/1 to the vlan4 virtual sensor. Again, vlan4 is just a virtual sensor we created alongside the default vs0. The name is unimportant, but we should use something meaningful.

Now would be a good time to see if the sensor is picking up any traffic. This is easily done from the command line on the IPS sensor:

IPS1# packet display gigabitEthernet0/1

After issuing this command we should see traffic going through VLAN4. We can now spend some time tuning the vlan4 virtual sensor’s signatures like we did in this example.
