Tag - Network Traffic

What is IPS and IDS and how they provide protection for network environments?


This paper discusses the factors affecting proper placement of Intrusion Dvcection and Prevention System (IDS/IPS) sensors in computer networks. Differences between IDS and IPS capabilities and limitations of existing systems are explored. Given this background, appropriate deployment scenarios for IDS/IPS technologies are presented as well as some consequences of improper
placement.  Finally, security implications for network design and possible future enhancements to existing IDS/IPS systems are discussed.
IDS and IPS Technologies:
Intrusion Dvcection and Intrusion Prevention Systems, IDS and IPS respectively, are mature network level defenses deployed in thousands of computer networks worldwide.  The basic difference between the two technologies lies in how they provide protection for network environments. Intrusion Dvcection Systems, IDS, analyze network traffic and generate alerts when malicious activity is discovered.  They are generally able to reset TCP connections by issuing specially crafted packets after an attack begins and some
are even able to interface with firewall systems to re-write firewall rulesets onthe-fly.  The limitation of Intrusion Dvcection Systems is that they cannot preempt network attacks because IDS sensors  are based on packet sniffing technologies that only watch network traffic as it passes by. Intrusion Prevention Systems, IPS, perform the same analysis as Intrusion Dvcection Systems but, because they are inserted in-line,  between other network components, they can preempt malicious activity.  In contrast to IDS sensors,
network traffic flows through an IPS sensor not past it so the IPS sensor can pull or drop traffic from the wire. This is the critical difference between IDS and IPS and it has implications for how both can be used.  Because IPS sensors require traffic to flow through
them, they can only be deployed at network choke points while IDS sensors can provide much broader network coverage.
Preliminary Information:
Before discussing sensor placement, the target network should be analyzed and choke points identified.  A choke point would be any point in a network where traffic is limited to a small number of connections.  An example is usually a company’s Internet boundary, where traffic crosses only a router and a firewall. The links between the router and firewall are perfect choke points and good
places to consider placing IPS sensors. Another consideration is high-value network assets.  Business critical systems and infrastructure, such as server farms or databases,  may warrant additional protection in the form of dedicated IPS or IDS sensors.  Of course some of these assets can be protected by host-based IDS or IPS software agents in addition to, or instead of, targvced network level sensors.
Intrusion Prevention Sensor Placement:
IPS sensors require network choke points; they are meant to be deployed between other network infrastructure components.  An IPS sensor can only provide protection if traffic flows through it. As we’ve seen, an Internet boundary is usually a good choke point, but
there is another consideration in this case: do we position a sensor inside or outside the firewall?  If we go outside, one sensor will protect the internal network and any DMZ networks behind the firewall.  The downside is that the sensor requires much more tuning to lower the noise level.  Being outside the firewall means the sensor sees everything, even traffic the firewall would block. In this case, the IPS administrator needs to adjust the IPS policy or rule set so traffic that the firewall will block either doesn’t get inspected by the IPS or the IPS doesn’t generate alerts based on it. This assumes that the administrator doesn’t want to know about every
inbound attack.  In most corporate environments, this is true, but there are a few environments where it isn’t, the individual administrator and their superiors must decide. The flip side to this scenario is to place an IPS sensor inside, or behind, the firewall.  Here, the firewall blocks traffic and therefore limits what the IPS needs to inspect, improving efficiency.  The trade off is the number of sensors needed to provide the same level of protection as an externally placed sensor.  Most commercially available sensors offer coverage for  several physical network links in a single chassis or other hardware platform.  Generally, the higher the number
of links, the higher the cost. Highly available networks add cost and complexity to both scenarios by increasing the number of physical links being protected.  The decision of providing protection for the passive or fail-over side of a high availability lies with the
system administrator and their superiors. This discussion was specific to an Internet boundary but other likely choke points may exist.  Many organizations maintain extranet connections to business partners that are consolidated on firewall or VPN protected networks.  Placing an IPS sensor behind such a firewall or VPN concentrator protects one network from the other.  In the case of VPN networks, care must be taken to inspect the unencrypted side of the VPN tunnel. There may even be choke points and boundaries within a network where IPS sensors can be deployed.  Between departments or business units, or between users and critical systems like databases. But what if a given network has no choke points?  What this means is that flat networks are trouble for IPS sensors.  But, in some cases, choke points can be created.  Consider a switched network using one or no VLANs.  On a single switch different ports can be assigned to different VLANs.  Creating two VLANs and bridging them with an IPS sensor, creates a protected choke point .  Network engineers will see this as an oddity and they are right but in a pinch, it works and allows different portions of the network to be protected from each other. Another problem for IPS deployments is the wide-area network or WAN. IPS sensors can be used in wide-area networks but require positioning between distributed local area networks and the WAN cloud.  This most likely translates to one IPS sensor at each remote location and one or more sensors at any central or large sites.  Obviously then IPS deployments in WAN environments can be expensive.  I will leave one possibility up to the network engineers: in a hub-andspoke WAN, it might be possible to leverage VLANS as discussed previously to get all traffic inspected by a single, centralized IPS sensor.  This option is highly dependent on the given network infrastructure and also depends on all WAN traffic traversing the network through a single site.
Intrusion Dvcection Sensor Placement:
As previously mentioned, Intrusion Dvcection System (IDS) sensors are more flexible and less capable than IPS sensors.  Nonetheless, IDS sensors can be substituted for IPS sensors in all of the examples previously given and some of the same caveats apply, particularly when considering placement around firewalls.  Importantly, though, IDS sensors forgo the need for in-line placement common to IPS sensors.  IDS sensors can be connected to network taps or switch analysis ports, commonly known as SPAN ports.  Both types of connections simply copy network traffic for presentation to and analysis by the IDS sensor. This means that IDS can provide security event dvcection with fewer sensors than IPS can, although the level of protection is far less.
For example, switched network backbones are ideal for IDS sensor deployment.  Dependent on the amount of traffic being inspected, a few or perhaps even one IDS sensor can provide coverage for an entire network. Actually, any switch that can enable an analysis port is a possible deployment site for an IDS sensor.
Implications for future IDS/IPS technologies:
Clearly, existing IDS and IPS technologies have some limits, the need to protect at choke points only being chief among them.  Aside from increases in processing speed, yielding the ability to inspect and protect more data per second, it seems that incorporating IDS and IPS technology into the network infrastructure is a logical next step.  Some vendors are already providing something like this in the way of add-on modules or blades for existing switches. But I think we will begin to see a hybridization of switch and security
technologies in the next few years.  A single device that appears to be a switch but has enough intelligence to perform a security analysis of not just every packet crossing the backplane but keep state on and watch every conversation, a session in network parlance.  Such a device eliminates the need for separate IDS or IPS sensors sitting in the network  and can conceivably protect system on adjoining ports from each other which is possible but cost prohibitive using today’s technology. These hybrid devices will be much more than just a switch with IPS.  They will both require new technologies within the switch chassis and enable new network architectures without.  Whenever these devices arrive however, the need for them exists today. Do note however, that the foregoing discussion does not mention firewalls. The merger of firewalls and IPS/IDS technologies isn’t necessarily logical. Firewalls are designed for very rapid inspection of packet headers so they can make very rapid decisions about passing traffic.  Intrusion Dvcection and Prevention Systems are designed to delve far deeper into packets and entire network sessions.  I think it will be many years before we see network devices that can effectively deal with both of these jobs.

What is a VLAN? How to Setup a VLAN on a Cisco Switch?

What is a VLAN?

According to IT Portal (2002), a Virtual Local Area Network (VLAN) may be defined as a group of LANs that have different physical connections, but which communicate as if they are connected on a single network segment. VLANs were created because IT administrators realised that there was a need for a network segmenting solution, since network traffic increases with network size.

VLANs increase overall network performance by grouping users and resources that communicate most frequently with each other. This means that the use of unicast or broadcast data transmission is limited, and traffic is reduced. It is a software based solution and allows IT administrators to adapt to networking changes.


Advantages of VLANs

VLANs provide the following advantages:

  • Ease of administration

VLANs enable logical grouping of end-stations that are physically dispersed on a network. When users on a VLAN move to a new physical location but continue to perform the same job function, the end-stations of those users do not need to be reconfigured. Similarly, if users change their job function, they need not physically move: changing the VLAN membership of the end-stations to that of the new team makes the users’ end-stations local to the resources of the new team.

  • Confinement of broadcast domains

VLANs reduce the need to have routers deployed on a network to contain broadcast traffic. Flooding of a packet is limited to the switch ports that belong to a VLAN.

  • Reduction in network traffic

As a result of confinement of broadcast domains on a network, traffic on the network is significantly reduced.

  • Enforcement of security policies

By confining the broadcast domains, end-stations on a VLAN can be isolated from listening to or receiving broadcasts not intended for them. Moreover, if a router is not connected between the VLANs, the end-stations of a VLAN cannot communicate with the end-stations of the other VLANs.

Types of VLANs

According to Intel Corporation (2002), in general, there are three basic models for dvcermining and controlling how a packet gets assigned to a VLAN.

Port-based VLANs

In this implementation, the administrator assigns each port of a switch to a VLAN. For example, ports 1-3 might be assigned to the Sales VLAN, ports 4-6 to the Engineering VLAN and ports 7-9 to the Administrative VLAN (see Figure 4). The switch dvcermines the VLAN membership of each packet by noting the port on which it arrives.

When a user is moved to a different port of the switch, the administrator can simply reassign the new port to the user’s old VLAN. The network change is then complvcely transparent to the user, and the administrator saves a trip to the wiring closet. However, this method has one significant drawback. If a repeater is attached to a port on the switch, all of the users connected to that repeater must be members of the same VLAN.

MAC address-based VLANs

The VLAN membership of a packet in this case is dvcermined by its source or destination MAC address. Each switch maintains a table of MAC addresses and their corresponding VLAN memberships. A key advantage of this method is that the switch doesn’t need to be reconfigured when a user moves to a different port.

However, assigning VLAN membership to each MAC address can be a time consuming task. Also, a single MAC address cannot easily be a member of multiple VLANs. This can be a significant limitation, making it difficult to share server resources between more than one VLAN. (Although a MAC address can theoretically be assigned to multiple VLANs, this can cause serious problems with existing bridging and routing, producing confusion in switch forwarding tables.)

Layer 3 (or protocol)-based VLANs

With this method, the VLAN membership of a packet is based on protocols (IP, IPX, NetBIOS, etc.) and Layer 3 addresses. This is the most flexible method and provides the most logical grouping of users. An IP subnet or an IPX network, for example, can each be assigned their own VLAN. Additionally, protocol-based membership allows the administrator to assign non-routable protocols, such as NetBIOS or DECnet, to larger VLANs than routable protocols like IPX or IP. This maximizes the efficiency gains that are possible with VLANs.

Another important distinction between VLAN implementations is the method used to indicate membership when a packet travels between switches. Two methods exist — implicit and explicit.


VLAN membership is indicated by the MAC address. In this case, all switches that support a particular VLAN must share a table of member MAC addresses.


A tag is added to the packet to indicate VLAN membership. Cisco ISL and the IEEE 802.1q VLAN specifications both use this method.

To summarize, when a packet enters its local switch, the dvcermination of its VLAN membership can be port-based, MAC-based or protocol-based. When the packet travels to other switches, the dvcermination of VLAN membership for that packet can be either implicit (using the MAC address) or explicit (using a tag that was added by the first switch). Port-based and protocol-based VLANs use explicit tagging as their preferred indication method. MAC-based VLANs are almost always implicit.

The bottom line is that the IEEE 802.1q specification is going to support port-based membership and explicit tagging, so these will be the default VLAN model in the future.

Requirements to set up VLANs

The following requirements must be satisfied before setting up VLANs in a network:

  • The switches deployed in the network either must comply with IEEE 802.1Q standards or must have a vendor-specific implementation of VLANs.
  • For an end-station to support multiple VLANs, it must be able to dynamically register or must be statically configured to belong to a VLAN.

If an end-station cannot register or cannot be configured to belong to a VLAN, the end-station can belong only to one VLAN. This VLAN is configured on the switch port to which the end-station connects.

Communication in a VLAN explained

When a computer on a VLAN sends packets, they are only flooded to the members of the VLAN. If there is communication between  VLANs, then the packets will need to go through a router. The diagram on the next page illustrates how communication occurs between geographically dispersed VLAN members. Here, VLAN 10 (Engineering), VLAN 20 (Marketing), and VLAN 30 (Finance) span three floors of a building. If a member of VLAN 10 on Floor 1 wants to communicate with a member of VLAN 10 on Floor 3, the communication occurs without going through the router, and packet flooding is limited to port 1 of Switch 2 and Switch 3 even if the destination MAC address to Switch 2 and Switch 3 is not known.

Communication in a VLAN (Source : Network Applicance Inc (2001)

Creating the VLAN 

After all the hardware connections are in place, then the VLAN can be created. First, the user will need to log onto the switch using telnet or SSH in order to access the switch’s Command Line Interface (CLI). If the user is lucky, the switch may contain an easy-to-use menu system for managing the switch. This essay will describe how to create a VLAN using the not-so-friendly CLI. Cisco’s Command Reference (1998) was used for assistance.

After logging on to the switch, the user will have to enter administrative mode. This can be done by typing enable at the command prompt as shown below. The system will request for a password and this should be given.

[ South Rack, Centre of Excellence, Rhodes University ]

# Use of this computer system is restricted to authorized users.    #

# All other users will be prosecuted to the full extent of the law. #

User Access Verification





To create a VLAN, the system must be in vlan mode. To enter vlan mode, the user must type vlan database at the prompt as shown below :

cat2.ict#vlan database


If the user wants to create a VLAN named Fari which is assigned the number 20 then he must type vlan 20 name Fari. This should be followed by the exit command, to apply the changes. The output appears as follows:

cat2.ict(vlan)#vlan 20 name Fari

VLAN 20 modified:

Name: Fari

type exit to save the changes


APPLY complvced.



The user can then view the VLAN that he has created by typing show vlan :

cat2.ict#show vlan

VLAN Name                             Status    Ports

—- ——————————– ——— ——————————-

1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4,

Fa0/5, Fa0/6, Fa0/7, Fa0/8,

Fa0/9, Fa0/10, Fa0/11, Fa0/12,

Fa0/13, Fa0/14, Fa0/15, Fa0/16,

Fa0/17, Fa0/18, Fa0/19, Fa0/20,

Fa0/21, Fa0/22, Fa0/23, Fa0/24

2    DragonsCave                      active

3    Mya                              active

5    Honours1                         active

10   VLAN0010                         active

13   GraemesSpot                      active

14   NiksVlan                         suspended

16   Paddington                       active

18   Jasmine                          suspended

20   Fari                             active

69   Imarx’sVlan                      active

70   Uma                              active

1002 fddi-default                     active

1003 token-ring-default               active

1004 fddinet-default                  active

1005 trnet-default                    active

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2

—- —– ———- —– —— —— ——– —- ——– —— ——

1    enet  100001     1500  –      –      –        –    –        1002   1003

2    enet  100002     1500  –      –      –        –    –        0      0

3    enet  100003     1500  –      –      –        –    –        0      0

5    enet  100005     1500  –      –      –        –    –        0      0

10   enet  100010     1500  –      –      –        –    –        0      0

13   enet  100013     1500  –      –      –        –    –        0      0

14   enet  100014     1500  –      –      –        –    –        0      0

16   enet  100016     1500  –      –      –        –    –        0      0

18   enet  100018     1580  –      –      –        –    –        0      0

20   enet  100020     1500  –      –      –        –    –        0      0

69   enet  100069     1500  –      –      –        –    –        0      0

70   enet  100070     1500  –      –      –        –    –        0      0

1002 fddi  101002     1500  –      –      –        –    –        1      1003

1003 tr    101003     1500  1005   0      –        –    srb      1      1002

1004 fdnet 101004     1500  –      –      1        ibm  –        0      0

1005 trnet 101005     1500  –      –      1        ibm  –        0      0

Maintaining the VLAN

If the user wants to make any changes, he can follow the same steps above, and the changes will overwrite the old configuration. To delvce a VLAN, the user needs to enter VLAN mode using vlan database and then type no vlan #  where # represents the number of the VLAN to be delvced.


It can be seen that creating and managing a VLAN can be quite a complex task. The LAN administrator needs to have a clear understanding about how VLANs work and he must know the commands needed in order to configure and set up the switches in his network.

what is ATM? Quick review on this WAN technology


Short for Asynchronous Transfer Mode, a network technology based on transferring data in cells or packets of a fixed size. The cell used with ATM is relatively small compared to units used with older technologies. The small, constant cell size allows ATM equipment to transmit video, audio, and computer data over the same network, and assure that no single type of data hogs the line.


Some people think that ATM holds the answer to the Internet bandwidth problem, but others are skeptical. ATM creates a fixed channel, or route, between two points whenever data transfer begins. This differs from TCP/IP, in which messages are divided into packets and each packet can take a different route from source to destination. This difference makes it easier to track and bill data usage across an ATM network, but it makes it less adaptable to sudden surges in network traffic.

When purchasing ATM service, you generally have a choice of four different types of service:

  • constant bit rate (CBR): specifies a fixed bit rate so that data is sent in a steady stream. This is analogous to a leased line.
  • variable bit rate (VBR): provides a specified throughput capacity but data is not sent evenly. This is a popular choice for voice and videoconferencing data.
  • available bit rate (ABR): provides a guaranteed minimum capacity but allows data to be bursted at higher capacities when the network is free.
  • unspecified bit rate (UBR): does not guarantee any throughput levels. This is used for applications, such as file transfer, that can tolerate delays.

Copyright ©2010 - 2022 Ciscoforall.com | Privacy Policy | Terms & Conditions