Cisco Security Professional's Guide to Secure Intrusion Detection Systems

Chapter 9: Capturing Network Traffic

Introduction

Capturing traffic is one of the most basic configuration skills needed for a successful IDS deployment. It is also one of the most misunderstood parts of deploying an IDS sensor. The axiom "if the switch port can't see the traffic, then neither can the IDS sensor" must be followed. A successful IDS sensor deployment requires that the sensor see all the traffic of interest wherever it has been placed on the network. To add to the fun of capturing traffic there are virtual LANs (VLANs), and to kick up the anxiety level a notch, there are VPNs, SSL, and IP version 6. All of this must be accounted for when rolling out the IDS sensors.

In the old days of networking, there were hubs, or what are called "transparent bridges." These were very simple devices, and it was easy to sniff or capture traffic since the traffic went everywhere. With the advent of switching, however, life became more difficult. A switch is nothing more than a set of single-port transparent bridges tied together in a common chassis, so the collision domain has been broken up but the broadcast domain has not. This is why on a switched network you can capture broadcast traffic till the cows come home, but not much else. We will show you in this chapter how to get around this troublesome improvement in network design. Of course, there are VLANs, which thankfully many IDS sensors can work with, but this is not true of encryption. It's...
