Friday, September 18, 2009

IDS Monitoring

How do you monitor the network with an IDS?

There are a couple of ways, depending on which segment you want to see and your budget. The first is a network tap. A tap is a device inserted in-line on a link that copies every packet crossing that link to one or more monitor interfaces; a passive tap has no address of its own, so the hosts on the link cannot see it.
Taps come in several varieties: passive or active, full-duplex (aggregating) or half-duplex/simplex, and single-output or regenerating (multiple outputs).

A passive tap lets you see every packet on the link by copying it to either one monitor port (a full-duplex, or aggregating, tap) or two (a half-duplex, or simplex, tap). A full-duplex tap has to merge the two directions onto its single monitor port by time of arrival, which means that port can be oversubscribed: a 100 Mb/s link carrying 100 Mb/s in each direction needs 200 Mb/s of monitor capacity to show everything, so either use a tap whose monitor port is faster than the link or accept drops at peak. A simplex tap presents each direction on its own monitor port, one for each network port; the monitoring host then has to put those two interfaces back together into one stream, normally with channel bonding, or the IDS only ever sees one side of each conversation.

An active tap additionally lets the monitoring device send packets back through the tap onto the network. This is what IDS active response uses: shooting down traffic you want to stop, usually by sending spoofed RST (reset) packets to both ends of the connection so that each side tears it down. Two caveats: RSTs are a TCP mechanism, so this does nothing for UDP or ICMP traffic, and the sensor is racing the real traffic, so the packet that triggered the alert has already been delivered by the time the reset lands. It cuts a session short; it does not block it.
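The reset injection just described, as an added Python example (not code from this post or from any IDS it mentions): given the fields the sensor decoded from one observed client-to-server segment, it builds the two spoofed resets with the sequence number each end will accept and valid IPv4 and TCP checksums. The addresses, ports and sequence numbers in the sample are made up; `send_resets` is the part that would go out through the active tap's injection port and needs root for the raw socket.

```python
import socket
import struct


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum, used by both the IPv4 and TCP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_rst(src_ip, sport, dst_ip, dport, seq, ack=0, with_ack=False) -> bytes:
    """Build one raw IPv4 packet carrying a TCP RST (or RST+ACK) with valid checksums."""
    flags = 0x04 | (0x10 if with_ack else 0)
    saddr, daddr = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 0, 0, 0)
    pseudo = struct.pack("!4s4sBBH", saddr, daddr, 0, socket.IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64,
                     socket.IPPROTO_TCP, 0, saddr, daddr)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def reset_pair(client_ip, client_port, server_ip, server_port,
               seq, ack, payload_len, syn_or_fin=False):
    """From the fields of one observed client->server segment, build the two spoofed resets an
    active-response sensor injects. A RST only lands if its sequence number is exactly what the
    receiver expects next, so the sensor must act on the segment it just saw, before the next one
    moves the window. Returns [(destination_ip, raw_packet, seq_used), ...]."""
    consumed = payload_len + (1 if syn_or_fin else 0)   # SYN and FIN each occupy one sequence number
    to_server_seq = (seq + consumed) & 0xFFFFFFFF       # server's rcv_nxt once this segment is in
    to_client_seq = ack                                 # client's rcv_nxt, straight from its own ACK field
    return [
        # posing as the client: plain RST carrying the server's next expected sequence number
        (server_ip, build_rst(client_ip, client_port, server_ip, server_port, to_server_seq),
         to_server_seq),
        # posing as the server: RST+ACK acknowledging the client's segment, as a real server would
        (client_ip, build_rst(server_ip, server_port, client_ip, client_port, to_client_seq,
                              ack=to_server_seq, with_ack=True), to_client_seq),
    ]


def verify_checksums(raw: bytes) -> bool:
    """True when both checksums of a raw IPv4/TCP packet are valid (a valid header sums to zero)."""
    ihl = (raw[0] & 0x0F) * 4
    tcp = raw[ihl:]
    pseudo = struct.pack("!4s4sBBH", raw[12:16], raw[16:20], 0, socket.IPPROTO_TCP, len(tcp))
    return checksum(raw[:ihl]) == 0 and checksum(pseudo + tcp) == 0


def tcp_seq_and_flags(raw: bytes):
    """Pull (sequence number, flags byte) out of a raw IPv4/TCP packet, for inspection."""
    ihl = (raw[0] & 0x0F) * 4
    seq, = struct.unpack_from("!I", raw, ihl + 4)
    return seq, raw[ihl + 13]


def send_resets(packets):
    """Inject the packets via the sensor's injection interface (the active tap's input).
    Needs root for the raw socket; IPPROTO_RAW makes the kernel send our IP header as-is."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        for dst_ip, raw, _ in packets:
            s.sendto(raw, (dst_ip, 0))


# Constructed sample: one observed segment 10.0.0.5:40000 -> 192.0.2.10:80, seq 1000, ack 5000, 120 bytes.
OBSERVED = dict(client_ip="10.0.0.5", client_port=40000, server_ip="192.0.2.10", server_port=80,
                seq=1000, ack=5000, payload_len=120)

if __name__ == "__main__":
    for dst, raw, seq_used in reset_pair(**OBSERVED):
        print("RST to %s, seq %d, %d bytes, checksums ok: %s"
              % (dst, seq_used, len(raw), verify_checksums(raw)))
```

For the sample segment the reset to the server carries seq 1120 (1000 plus the 120 bytes the server has just consumed) and the reset to the client carries seq 5000, the value the client itself advertised in its ACK field. The exact-match rule matters on current stacks: a RST whose sequence number is merely inside the window gets a challenge ACK rather than tearing the session down, so computing it from the segment just seen, instead of guessing anywhere in the window, is what makes the injection reliable.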

Some taps (regeneration taps, in some vendors' terminology) can replay the same traffic to several monitor ports, so that more than one device can watch it. At an Internet ingress point, for example, you might use a four-port regeneration tap and patch one port to the IDS, another to a packet-auditing system such as IDABench or Shadow, a third to an analysis and statistics box for the network team, and leave the fourth free for future use, such as vendor troubleshooting.

SPAN ports, or port mirroring, are configured on the switch: a SPAN port is a switch port set up to receive copies of the packets seen by one or more other ports. They are easy to set up and cost nothing extra, but they have drawbacks compared with taps. A SPAN port never shows you runts (undersized frames), giants (oversized frames) or frames with CRC errors, because the switch discards those on ingress before it gets around to mirroring them. Mirroring a full-duplex port also squeezes both directions onto a single output, so a busy 1 Gb/s link can need up to 2 Gb/s of SPAN capacity. And when the switch is overloaded and running at high utilization, the SPAN port is the first place it starts dropping packets. If you are under an attack that generates large volumes of traffic, you can start losing packets at exactly the moment it is critical to see them.
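Two of the points above can be exercised in software: the time-of-arrival aggregation a full-duplex tap performs (and that a bonded sensor has to reproduce for a simplex tap), and the silent drops a SPAN port introduces. The following Python is an added example, not code from this post or from any tool it names. It merges two per-direction captures, the kind you get from the two monitor ports of a simplex tap, or from `tcpdump` on each side of a SPAN session, by arrival time, then audits the merged stream for TCP sequence gaps. A gap that a later retransmission fills was real network loss; a gap that is never filled, while the peer goes on acknowledging the missing data, means the mirror port or sensor NIC dropped it. The pcap layout, addresses and segments are constructed for the demo; it assumes raw-IP captures (pcap link type 101, no Ethernet header) written little-endian.

```python
import heapq
import socket
import struct
from io import BytesIO

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_RAW = 101   # records start at the IP header, no Ethernet frame (assumed for the constructed sample)
MASK = 0xFFFFFFFF

def read_pcap(data: bytes):
    """Yield (timestamp in microseconds, packet bytes) from a classic little-endian pcap blob."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic %#x" % magic)
    off = 24                                   # fixed-size global header
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack_from("<IIII", data, off)
        off += 16
        yield sec * 1_000_000 + usec, data[off:off + incl]
        off += incl

def write_pcap(records, linktype=LINKTYPE_RAW) -> bytes:
    """Serialise (timestamp, packet) records into a pcap blob the usual tools can open."""
    out = BytesIO()
    out.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype))
    for ts, pkt in records:
        out.write(struct.pack("<IIII", ts // 1_000_000, ts % 1_000_000, len(pkt), len(pkt)))
        out.write(pkt)
    return out.getvalue()

def merge_by_arrival(*captures: bytes):
    """Time-of-arrival aggregation in software: interleave per-direction captures into one stream.
    Each input must already be in time order, which tcpdump's output is."""
    return list(heapq.merge(*(read_pcap(c) for c in captures), key=lambda rec: rec[0]))

def tcp_direction(pkt: bytes):
    """Return ((src, sport, dst, dport), seq, sequence space consumed) for raw IPv4/TCP, else None."""
    if len(pkt) < 40 or pkt[0] >> 4 != 4 or pkt[9] != socket.IPPROTO_TCP:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len, = struct.unpack_from("!H", pkt, 2)
    sport, dport, seq = struct.unpack_from("!HHI", pkt, ihl)
    data_off = (pkt[ihl + 12] >> 4) * 4
    flags = pkt[ihl + 13]
    consumed = total_len - ihl - data_off + (1 if flags & 0x03 else 0)   # SYN and FIN each take one number
    return (pkt[12:16], sport, pkt[16:20], dport), seq, consumed

def find_capture_gaps(records):
    """Flag segments whose seq starts beyond where the previous segment in that direction ended.
    filled=True means a later retransmission covered the gap (network loss); filled=False means the
    capture itself missed the data. Sequence wrap-around is handled with modular arithmetic."""
    expected, gaps = {}, []
    for ts, pkt in records:
        info = tcp_direction(pkt)
        if info is None:
            continue
        key, seq, consumed = info
        if key in expected:
            ahead = (seq - expected[key]) & MASK
            if 0 < ahead < 0x80000000:
                gaps.append({"flow": key, "expected_seq": expected[key], "seen_seq": seq,
                             "missing_bytes": ahead, "at_us": ts, "filled": False})
        for g in gaps:                         # does this segment retransmit data over a flagged gap?
            if g["flow"] == key and not g["filled"] and ((g["expected_seq"] - seq) & MASK) < consumed:
                g["filled"] = True
        end = (seq + consumed) & MASK
        if key not in expected or ((end - expected[key]) & MASK) < 0x80000000:
            expected[key] = end
    return gaps

def sample_segment(src, sport, dst, dport, seq, ack, flags, payload_len) -> bytes:
    """Constructed IPv4/TCP packet for the demo; checksums stay zero because the audit ignores them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + b"\0" * payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, socket.IPPROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp

CLIENT, SERVER = "10.0.0.5", "192.0.2.10"      # constructed addresses
ACK, PSH = 0x10, 0x08
# Constructed captures, one per monitor port. The server's 1000-byte segment at seq 5000 never reached
# the sensor, yet the client's acknowledgement of 7000 is there: the data was delivered, the copy was not.
PORT_A_CLIENT_TO_SERVER = write_pcap([
    (1_000_000, sample_segment(CLIENT, 40000, SERVER, 80, 1000, 4000, ACK | PSH, 100)),
    (1_400_000, sample_segment(CLIENT, 40000, SERVER, 80, 1100, 5000, ACK, 0)),
    (1_900_000, sample_segment(CLIENT, 40000, SERVER, 80, 1100, 7000, ACK, 0)),
])
PORT_B_SERVER_TO_CLIENT = write_pcap([
    (1_200_000, sample_segment(SERVER, 80, CLIENT, 40000, 4000, 1100, ACK | PSH, 1000)),
    (1_600_000, sample_segment(SERVER, 80, CLIENT, 40000, 6000, 1100, ACK | PSH, 1000)),
])

if __name__ == "__main__":
    merged = merge_by_arrival(PORT_A_CLIENT_TO_SERVER, PORT_B_SERVER_TO_CLIENT)
    for gap in find_capture_gaps(merged):
        print("capture gap of %d bytes at t=%dus, filled by retransmission: %s"
              % (gap["missing_bytes"], gap["at_us"], gap["filled"]))
```

On the constructed sample the merge yields the five records in arrival order and the audit reports one 1000-byte gap at 1.6 s in the server-to-client direction that is never filled. Run the same audit over an hour of traffic from a SPAN port during a busy period and compare it with the same hour from a tap; unfilled gaps that cluster around utilization peaks are the drops described above, showing up before anyone notices an alert that never fired.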

In the next post, I'll cover the different ways an IDS can detect malicious traffic.
