I am trying to find an inbuilt solution on a Cisco Catalyst 3750X Switch to scan all traffic routed from one VLAN to another for malicious code.

The situation is that we currently have a development environment which is currently being redesigned to upgrade the network infrastructure to use the 3750X switches to manage server and workstation connectivity as well as inter-VLAN routing.

We also have another system that is responsible for taking the builds created on the development environment and imaging various HDDs.

Because these are two separate systems, we have a requirement in the workplace to anti-virus scan any data transferred between these systems. This is done by copying the data from the originating system to external USB HDD, scanning in a standalone workstation and then copying the data on to the receiving system. As you can imagine this is extremely tedious and impractical most of the time... (I don't make the rules).

Anyway, with this redesign going on, we would like to join the imaging system to the network infrastructure of the development system, keeping separation by the use of VLANs and restricting traffic by using ACLs. As we still have the requirement to scan all traffic I would like to configure some sort of malicious code scanning whenever traffic is routed between these VLANs.

I am aware I could install a separate in-line IPS/IDS device, however both systems will be using multiple ports on the switch (obviously), and we won't be able to put a device on each port. I would prefer not to add additional hardware if the 3750x switch is capable of doing the job.

Is anyone aware of any Cisco solution that I could use here, that ideally can be incorporated into the 3750x switch?

Thanks in advance.

  • You want the *switch* to do the scanning?!? If this is correct, that's an impossibility. Network gear is engineered to do a very small set of things (packet forwarding, L3 routing, etc.) very well. They are flat out not designed for what you are proposing. – EEAA Aug 19 '14 at 02:58
  • To expound on that, network gear have very specialized ASICs that they use for 99.9% of their workload. All of their standard functions are handled in hardware, and only a very few tasks are punted to the equipment's general-purpose CPU. As such, their CPUs are not provisioned to handle the type of load. – EEAA Aug 19 '14 at 03:03
  • I strongly recommend you find whoever does make the rules and talk some sense into him. – Michael Hampton Aug 19 '14 at 03:19
  • Exactly how many ports are we talking? You can use a span port to monitor some traffic. Why not use a single port and VLAN tagging? I'm not sure how many monitor sessions a 3750 can support. You could also use ESXi to run the hosts and let it forward netflow to a collector. – SpacemanSpiff Aug 19 '14 at 03:44
  • @EEAA Thanks for that, wasn't sure if the switch was capable or not. Will probably have to look at routing traffic through an IPS device "IPS on a stick". – Jackthedog Aug 19 '14 at 04:02
  • @SpacemanSpiff Monitoring span ports would be more of a detection solution rather than prevention. – Jackthedog Aug 19 '14 at 04:03
  • If you absolutely must do it this way you could use a separate switch between the two sets of systems rather than using VLANs and deploy an IPS/IDS between the switches. – joeqwerty Aug 19 '14 at 04:52
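An added configuration example, written for this page and not taken from the question or from any of the comments, showing the two things the 3750-X itself can contribute to this requirement: an extended ACL on the development VLAN's SVI that permits only the one transfer flow towards the imaging system, and a SPAN session that mirrors the traffic of both VLANs to a port where an external IDS sensor sits. The VLAN numbers, addresses, TCP port and interface names are placeholders chosen for the example, not values from the page.

```cisco
! Added example (not from the question or comments). Placeholders:
!   VLAN 10 = development environment, VLAN 20 = imaging system,
!   10.10.20.5 = the imaging server, Gi1/0/24 = port facing the IDS sensor.
!
! 1. Restrict what may cross between the VLANs. Only the development
!    subnet reaching the imaging server on one file-sharing port is
!    allowed; anything else headed for the imaging VLAN is dropped and
!    logged. Traffic to other destinations is left untouched.
ip access-list extended DEV-TO-IMAGING
 permit tcp 10.10.10.0 0.0.0.255 host 10.10.20.5 eq 445
 deny   ip  10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 log
 permit ip any any
!
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip access-group DEV-TO-IMAGING in
!
interface Vlan20
 ip address 10.10.20.1 255.255.255.0
!
! 2. Copy the traffic of both VLANs to the sensor port. The switch keeps
!    forwarding regardless of what the sensor concludes, so this is
!    detection only, as the comments above point out.
monitor session 1 source vlan 10 , 20 both
monitor session 1 destination interface GigabitEthernet1/0/24
```

The `log` keyword on the deny entry makes matching packets visible in the switch log for investigation, but logged ACL hits are handled by the switch CPU rather than in hardware, so keep it on the narrow deny rule only. Because the sensor receives copies of the packets, a malicious transfer is reported after the fact; blocking it in-line still needs a separate device in the path, as the commenters suggest.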

0 Answers