Understanding and Configuring IPS Sniffer Mode

03/30/2022 0 People found this article helpful 476,449 Views

Description

IPS Sniffer Mode is a variation of Layer 2 Bridged Mode that is used for intrusion detection. IPS Sniffer Mode configuration allows an interface on the firewall to be connected to a mirrored port on a switch to examine network traffic. Typically, this configuration is used with a switch inside the main gateway to monitor traffic on the intranet.

Resolution

In the network diagram below, traffic flows into a switch in the local network and is mirrored through a switch mirror port into an IPS Sniffer Mode interface on the SonicWall Security Appliance. The firewall inspects the packets according to the settings configured on the Bridge-Pair. Alerts can trigger SNMP traps which are sent to the specified SNMP manager via another interface on the firewall. The network traffic is discarded after the firewall inspects it.

The WAN interface of the firewall is used to connect to the firewall Data Center for signature updates or other data.

In IPS Sniffer Mode, a Layer 2 Bridge is configured between two interfaces in the same zone on the Security Appliance, such as LAN-LAN or DMZ-DMZ. You can also create a custom zone to use for the Layer 2 Bridge.

Only the WAN zone is not appropriate for IPS Sniffer Mode. The reason for this is that SonicOS detects all signatures on traffic within the same zone such as LAN-LAN traffic, but some directional specific (client-side versus server-side) signatures do not apply to some LAN-WAN cases.

Either interface of the Layer 2 Bridge can be connected to the mirrored port on the switch. As network traffic traverses the switch, the traffic is also sent to the mirrored port and from there into the Security Appliance for deep packet inspection. Malicious events trigger alerts and log entries, and if SNMP is enabled, SNMP traps are sent to the configured IP address of the SNMP manager system. The traffic does not actually continue to the other interface of the Layer 2 Bridge. IPS Sniffer Mode does not place the Security Appliance inline with the network traffic, it only provides a way to inspect the traffic.

Sample Topology:

This example topology uses SonicWall IPS Sniffer Mode in a Hewlett Packard ProCurve switching ( example HP ProCurve 2920 ) environment . This scenario relies on the ability of HP’s ProCurve Manager Plus (PCM+) and HP Network Immunity Manager (NIM) server software packages to throttle or close ports from which threats are emanating. This method is useful in networks where there is an existing Security Appliance that remains in place, but you wish to use the Security Appliance’s security services as a sensor.

In this deployment the WAN interface and zone are configured for the internal network’s addressing scheme and attached to the internal network. The X2 port is Layer 2 bridged to the LAN port, but it is not attached to anything. The X0 LAN port is configured to a second, specially programmed port on the HP ProCurve switch. This special port is set for mirror mode: it forwards all the internal user and server ports to the “sniff” port on the firewall. This allows the firewall to analyze the entire internal network’s traffic, and if any traffic triggers the security signatures it immediately traps out to the PCM+/NIM server through the X1 WAN interface, which then can take action on the specific port from which the threat is emanating.

Configuring IPS Sniffer Mode:

1. Configuration Task List for IPS Sniffer Mode:

Configure the Primary Bridge Interface
- Select LAN as the Zone for the Primary Bridge Interface
- Assign a static IP address
Configure the Secondary Bridge Interface
- Select LAN as the Zone for the Secondary Bridge Interface
- Enable the L2 Bridge to the Primary Bridge interface
Enable SNMP and configure the IP address of the SNMP manager system where traps can be sent
Configure Security Services for LAN traffic
Configure logging alert settings to “Alert” or below
Connect the mirrored port on the switch to either one of the interfaces in the Bridge-Pair
Connect and configure the WAN to allow access to dynamic signature data over the Internet

NOTE: For L2 bridge configuration, please use: Configuring Layer 2 Bridge Mode In SonicOS Enhanced

For SNMP configuration, please use: Configuring SNMP In SonicOS

2. Configuring IPS Sniffer mode:

Navigate to MANAGE | System Setup | Network | Interfaces.
Click on the Edit icon for the X2 interface. The Edit Interface dialog displays.
Set the Mode / IP Assignment to Layer 2 Bridged Mode. The options change.
Set the Bridged To: interface to X0.
Select Only sniff traffic on the bridge-pair.
Click OK to save and activate the change. The dialog closes, and the Network > Interfaces page
redisplays.
Click the Edit icon for the X1 WAN interface. The Edit Interface dialog displays.
Assign the X1 WAN interface a unique IP address for the internal LAN segment of your network — this may sound wrong, but this is actually be the interface from which you manage the appliance, and it is also the interface from which the Security Appliance sends its SNMP traps as well as the interface from which it gets security services signature updates.
Click OK.
For traffic to pass successfully, you must also modify the firewall rules to allow traffic from the
- LAN to WAN,
- WAN to the LAN
Connect the:
- Span/mirror switch port to X0 on the Security Appliance, not to X2 (in fact, X2 is not plugged in at all)
- X1 to the internal network

Not Finding Your Answers?

ASK THE COMMUNITY

Was This Article Helpful?

YES NO

Understanding and Configuring IPS Sniffer Mode

Description

Resolution

Related Articles

Categories

Not Finding Your Answers?

Was This Article Helpful?

Article Helpful Form

Article Not Helpful Form

Follow Us

Subscribe to newsletter

Stay In Touch