Sniffer Mode Overview

The following sections give an overview of sniffer mode deployments:

Topology

Figure 1 shows a basic topology for a sniffer mode deployment. The IDP Series device is not in the forwarding path of network traffic, so it cannot become a point of failure.

Figure 1: Network Diagram: Sniffer Mode


In sniffer mode, the IDP Series device is not directly involved in packet flow. You connect an IDP Series device traffic interface to a port mirror or Switched Port Analyzer (SPAN) port. The IDP Series device analyzes the mirrored traffic according to your security policy and logs matching traffic. For some attacks, the IDP Series device can send TCP resets. However, this action does not guarantee protection: the attack might already have completed before the reset arrives, or the attacker might persist.

Purpose

You deploy the IDP Series device in sniffer mode if you want to learn about security threats in your network without disrupting connections.

Limitations

Table 5 lists the features and the limitations of sniffer mode.

Table 5: Sniffer Mode: Features and Limitations

Features:

  • Replaces the current intrusion detection deployment with minimal effort
  • Does not create an additional point of failure
  • Detects attacks according to your security policy rules
  • Performs the following security policy actions:

    • Close Client and Server
    • Close Client
    • Close Server
    • IP Close
    • IP Notify

Limitations:

  • Requires a hub or the SPAN port of a network switch
  • Cannot perform the following security policy actions:

    • Drop Packet
    • Drop Connection
    • Mark Diffserv
    • Rate limit
    • IP actions, such as IP block
  • Does not inspect HTTPS traffic that requires interception by the SSL forward-proxy feature
  • Does not support the SYN Protector rulebase in relay mode
  • Does not support the Network Honeypot rulebase

Configuration Overview

You enable sniffer mode with the Appliance Configuration Manager (ACM). In a sniffer mode deployment, you typically connect only a single IDP Series interface to the switch port. However, ACM only offers the option to configure interface pairs. Therefore, you use ACM to enable sniffer mode for the interface pair that includes the sniffer interface.

Figure 2 shows the ACM Configure Virtual Routers page. Note that bypass settings are not applicable to sniffer mode because sniffer mode interfaces are not in the path of network traffic.

Figure 2: ACM Configure Virtual Routers Page
