Raritan Computer NOC Modem User Manual


 
Chapter 3: Configuring Intrusion Detection
This chapter describes procedures to configure a CC-NOC so it can monitor and analyze system
events for attempts to access system resources in an unauthorized manner. In the event of an
attack, real-time alerts can be sent to specified individuals.
Intrusion detection can be configured to run on a CC-NOC 100, CC-NOC 250, or on a CC-NOC
2500S in a distributed environment. Typically, you would place a CC-NOC on the “inside
interface” of your firewall. To configure a CC-NOC 2500S with intrusion detection, use the web
user interface of a CC-NOC 2500N.
Note: Please see Appendix E: Managing and Responding to Intrusion Detection Events for more details.
Configure a Spanned or Mirrored Port
The CC-NOC must be able to see the packets passing on the network segment it watches in order for
intrusion detection and network performance monitoring to function. To accomplish this, configure a
"mirrored" or "spanned" port on your switch that copies that segment's traffic to the port where the
CC-NOC's monitoring interface is connected. We recommend the following resources to help you
configure the port:
For Cisco Catalyst switches:
http://www.cisco.com/warp/public/473/41.html
For HP Procurve switches, download the Management and Configuration Guide for your
switch:
http://www.hp.com/rnd/support/manuals/index.htm
For 3Com switches, see the appropriate manuals for configuration of the "Roving Analysis
Port".
To confirm that the mirrored traffic is actually reaching the CC-NOC, view your network traffic from
the CC-NOC; please see Raritan's CommandCenter NOC User Guide for additional information on
viewing network traffic.
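The Cisco document linked above describes local SPAN in detail; as an added example that is not part of the Raritan manual, the following is the Cisco IOS syntax for a Catalyst switch that copies all traffic entering and leaving the firewall's inside-interface uplink to the port where the CC-NOC monitoring interface is plugged in. The interface names, the session number and the VLAN number are assumptions for illustration; substitute your own.

```text
! Added example, not from the Raritan manual.
! Assumed topology: the firewall's inside interface is connected to
! GigabitEthernet0/1 and the CC-NOC monitoring NIC to GigabitEthernet0/24.
configure terminal
 ! Copy frames received and transmitted on the uplink ("both").
 ! Use "rx" or "tx" alone if the single destination port would be
 ! oversubscribed by both directions of a busy link.
 monitor session 1 source interface GigabitEthernet0/1 both
 ! The destination port stops forwarding normal traffic. By default it
 ! also discards anything the attached device sends into the switch;
 ! do not add the "ingress" keyword on a port used for a passive sensor.
 monitor session 1 destination interface GigabitEthernet0/24
end
! Verify that the session is active and the ports are the ones intended.
show monitor session 1
! Alternative (assumed VLAN 10): mirror a whole VLAN instead of one port.
! monitor session 1 source vlan 10 both
```

Two caveats apply to any spanned port, which is why the manual goes on to describe an Ethernet TAP: the switch copies only valid frames it would itself forward, so undersized or errored frames never reach the sensor, and a 1 Gb/s destination port cannot carry both directions of a saturated 1 Gb/s source, so packets are silently dropped under load. Because the SPAN destination carries no normal traffic, the CC-NOC's management interface (the one used to reach its web user interface) must be connected to a separate switch port.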
Ethernet TAP
Instead of a spanned or mirrored port, you can use an Ethernet TAP, which is generally considered a
more secure way to listen to network traffic than a spanned port.
An Ethernet TAP is inserted in-line and passes data between its two network ports (for example,
between the firewall's inside interface and the switch). In addition, it copies the data seen on the two
network ports either to two half-duplex monitoring ports, each carrying one direction of the traffic, or
to a single aggregated full-duplex monitoring port that carries both directions. The CC-NOC
monitoring port connects to a full-duplex Ethernet TAP monitoring port.
Benefits
An Ethernet TAP operates at the electrical level rather than as a switched copy of the traffic, so it
reproduces what is on the wire exactly, including frames a switch would discard, without altering it in
any way. Also, the TAP monitoring port is unidirectional: it carries traffic out to the CC-NOC but has
no path back into the network. Therefore, using an Ethernet TAP has several advantages over a hub
or spanned port:
The traffic is always precisely mirrored without alteration.
The traffic flows in one direction only, out of the Ethernet TAP, so there is no chance that an
intruder (or any user of the network) could detect from the monitored segment that the CC-NOC is
monitoring the traffic.
Since there are no output wires connecting the monitoring port of the CC-NOC to the
network, there is no chance that the CC-NOC could accidentally send traffic out of that port.
These properties apply only to the TAP monitoring port. The CC-NOC's management interface,
through which you reach its web user interface, still sends and receives traffic normally, so it should
be placed on a separate, protected management network rather than on the segment being monitored.