Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
320
Views
0
Helpful
2
Replies

nm-cids and packet flow

pascal_parrot
Level 1
Level 1

‎12-04-2007 09:50 AM - edited ‎03-10-2019 03:53 AM

Hi,

I have some questions regarding the ids module. A router is connected to the internet and is using the software firewall. There is also a NM-CIDS in the router.

1) What is the sequence when a packet arrives from the internet?

Is it internet -> firewall -> ids?

2) Does the command "ids-service module monitoring" imply that traffic is sent to the IDS inbound and outbound?

3) The event viewer in the IDM shows a lot of events. Does it mean that the firewall is not dropping the packets? Is the IDM the only place to monitor the events or can they be sent to a syslog server?

4) In case there is an event, what can the module do to block the attack since it is not in line?

Thank you,

Best regards,

Pascal

Labels:
0 Helpful
2 Replies 2

jbayuka
Level 5
Level 5

‎12-12-2007 06:59 AM

That depends on how you configured the IDS/IPS to work on. If it is promicious mode means, internet --> firewall (a copy of packet is sent to IDS for scanning of vulnerability in it) or if it is inline mode, internet --> IPS --> firewall, packet scanned by IPS will be send it to firewall for further processing.

0 Helpful

marcabal
Cisco Employee
Cisco Employee

‎12-12-2007 12:03 PM

1) If there is no encryption then the packet is copied to the NM-CIDS after all router features (including firewall as well as NAT/PAT) have been done. I am about 90% sure on this. There is the possibility of a few features being done after the copy that I may not know about.

If NAT has been done then the packet itself will have the translated ips, however, the packet has an additional headers that tells the NM-CIDS wha the untranslated IPs are, and the analysis and alerting is done with the untranslated ips from the additional header.

When there is encryption involved, then incoming decryption is done with all other router features before copying to the NM-CIDS. But the outgoing encryption is the one feature done on the packet After it is copied to the NM-CIDS. This way the NM-CIDS always gets copies of unencrypted packets.

2) The command on an interface implies that all traffic coming in as well as traffic going out will be copied to the Nm-CIDS.

3) If IDM shows alerts, then I am pretty sure this means that they are making it through the firewall features (not being dropped) and making it to the other network.

I recommend using IEV for monitoring the alerts if you have a small number of sensors.

If you have a large number of sensors then I would recommend CS-MARS for monitoring.

IEV files:

http://www.cisco.com/cgi-bin/tablebuild.pl/ips-ev

NOTE: There is not a User Guide specifically for the latest version. To get a basic understanding look at the User Guide for the older version 4.x IEV:

http://www.cisco.com/en/US/docs/security/ips/4.0/configuration/guide/idm/swchap6.html

NOTE: Syslog is not supported for IPS events.

4) The NM-CIDS does support the Blocking feature. With the Blocking features the NM-CIDS is able to telnet back into the router and create an ACL. The ACL can then deny the IP Address of the attacker.

It can not deny the actual packet that triggered the signature, but the ACL can deny additional packets coming from that attacker/source address.

To read more on the Blocking feature:

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a00807517a6.html

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card