Understanding and Configuring IPS Sniffer Mode
03/30/2022 0 People found this article helpful 89,978 Views
IPS Sniffer Mode is a variation of Layer 2 Bridged Mode that is used for intrusion detection. IPS Sniffer Mode configuration allows an interface on the firewall to be connected to a mirrored port on a switch to examine network traffic. Typically, this configuration is used with a switch inside the main gateway to monitor traffic on the intranet.
In the network diagram below, traffic flows into a switch in the local network and is mirrored through a switch mirror port into an IPS Sniffer Mode interface on the SonicWall Security Appliance. The firewall inspects the packets according to the settings configured on the Bridge-Pair. Alerts can trigger SNMP traps which are sent to the specified SNMP manager via another interface on the firewall. The network traffic is discarded after the firewall inspects it.
The WAN interface of the firewall is used to connect to the firewall Data Center for signature updates or other data.
In IPS Sniffer Mode, a Layer 2 Bridge is configured between two interfaces in the same zone on the Security Appliance, such as LAN-LAN or DMZ-DMZ. You can also create a custom zone to use for the Layer 2 Bridge.
Only the WAN zone is not appropriate for IPS Sniffer Mode. The reason for this is that SonicOS detects all signatures on traffic within the same zone such as LAN-LAN traffic, but some directional specific (client-side versus server-side) signatures do not apply to some LAN-WAN cases.
Either interface of the Layer 2 Bridge can be connected to the mirrored port on the switch. As network traffic traverses the switch, the traffic is also sent to the mirrored port and from there into the Security Appliance for deep packet inspection. Malicious events trigger alerts and log entries, and if SNMP is enabled, SNMP traps are sent to the configured IP address of the SNMP manager system. The traffic does not actually continue to the other interface of the Layer 2 Bridge. IPS Sniffer Mode does not place the Security Appliance inline with the network traffic, it only provides a way to inspect the traffic.
This example topology uses SonicWall IPS Sniffer Mode in a Hewlett Packard ProCurve switching ( example HP ProCurve 2920 ) environment . This scenario relies on the ability of HP’s ProCurve Manager Plus (PCM+) and HP Network Immunity Manager (NIM) server software packages to throttle or close ports from which threats are emanating. This method is useful in networks where there is an existing Security Appliance that remains in place, but you wish to use the Security Appliance’s security services as a sensor.
In this deployment the WAN interface and zone are configured for the internal network’s addressing scheme and attached to the internal network. The X2 port is Layer 2 bridged to the LAN port, but it is not attached to anything. The X0 LAN port is configured to a second, specially programmed port on the HP ProCurve switch. This special port is set for mirror mode: it forwards all the internal user and server ports to the “sniff” port on the firewall. This allows the firewall to analyze the entire internal network’s traffic, and if any traffic triggers the security signatures it immediately traps out to the PCM+/NIM server through the X1 WAN interface, which then can take action on the specific port from which the threat is emanating.
Configuring IPS Sniffer Mode:
1. Configuration Task List for IPS Sniffer Mode:
- Configure the Primary Bridge Interface
- Select LAN as the Zone for the Primary Bridge Interface
- Assign a static IP address
- Configure the Secondary Bridge Interface
- Select LAN as the Zone for the Secondary Bridge Interface
- Enable the L2 Bridge to the Primary Bridge interface
- Enable SNMP and configure the IP address of the SNMP manager system where traps can be sent
- Configure Security Services for LAN traffic
- Configure logging alert settings to “Alert” or below
- Connect the mirrored port on the switch to either one of the interfaces in the Bridge-Pair
- Connect and configure the WAN to allow access to dynamic signature data over the Internet
NOTE: For L2 bridge configuration, please use: Configuring Layer 2 Bridge Mode In SonicOS Enhanced
For SNMP configuration, please use: Configuring SNMP In SonicOS
2. Configuring IPS Sniffer mode: