Snort - the de facto standard for intrusion detection/prevention
the de facto standard in IPS  
Got Source? About Snort About Sourcefire Snort FAQ
Sourcefire Network Security - the creators of Snort
Snort News Snort Downloads Snort Rules Snort Docs Snort Training Snort Forums Snort Community Snort Store
Search Site
Search Rules
Account
email
password
not registered?
can't login?
user preferences
next up previous
Next: 1.9 Is Snort vulnerable Up: 1 Background Previous: 1.7 Does Snort perform

1.8 I'm on a switched network, can I still use Snort?

Short version:

Being able to sniff on a switched network depends on what type of switch is being used. If the switch can mirror traffic, then set the switch to mirror all traffic to the Snort machine's port.

Extended version:

There are several ways of deploying NIDS in switched environments which all have their pros and cons. Which method applies to your needs depends on what kind of segments you want to monitor and on your budget. Here are the most common methods:

  1. Switch mirror: If the switch can mirror traffic, then set the switch to mirror all traffic to the Snort machine's port.
    • Advantages:
      • Simple method, works with most decent switches.
    • Drawbacks:
      • If the switch is a fast Ethernet switch, you can mirror 100Mbit/s max. Since each switch port is capable of handling 100Mbit/s for each direction, the bandwidth per port sums up to 200Mbit/s, so the switch will not be able to mirror all packets at high network utilization.

      • Some switches suffer from performance degradation through port mirroring.
  2. Hub: Insert a hub in line, so you can simply tap all traffic. Works fine for home networks, will lose data due to collisions at loads greater than 50%--so a 10Mbps hub should be fine for T1/E1, DSL or cablemodem. If you have a DS3 or greater, you should investigate taps.
    • Advantages:
      • Simple method
      • No impact on switch performance and no config changes
      • Low cost
    • Drawbacks:
      • Loss of full-duplex capabilities
      • Additional single point of failure
      • Collision loss at above 50% load levels
  3. Network taps: Use network taps (e.g. Shomiti/Finisar [http://www.shomiti.com] and Netoptics [http://www.netoptics.com). You can find some rather good information in the papers by Jeff Nathan. You can find the papers at http://www.snort.org/docs/#deploy.
    • Advantages:
      • No impact on switch performance and no special configuration
      • Stealth--i.e., sending data back to the switch is disabled
      • No single point of failure, ``fail-open'' if the tap power fails
    • Drawbacks:
      • The datastream is split into TX and RX, so you need two NICs
      • The two datastreams have to be recombined, i.e. merged, if you don't want to lose the capability of doing stateful analysis. This can be done by using channel bonding. Information can be found at http://sourceforge.net/projects/bonding.
      • Cost

  4. Throw money at it: Tap switch ports (using the forementioned network taps) but only tap all incoming packets (RX lines of the switch ports), connecting those tap ports to a dedicated gigabit switch, which is capable of mirroring up to ten RX taplines to one single dedicated gigabit port, which is connected to a gigabit IDS machine.
    • Advantages:
      • Maximum coverage (i.e. monitor all switchports)
      • No performance degradation or re-configuration of the switch
    • Drawbacks:
      • Mucho $$$

next up previous
Next: 1.9 Is Snort vulnerable Up: 1 Background Previous: 1.7 Does Snort perform
Nigel Houghton 2006-10-02
site feedback | Terms of Use | Privacy Policy | forum archives ©2008 Snort and Sourcefire are registered trademarks of Sourcefire, Inc. All rights reserved.