NAC Vs IPS/IDS

Answered Question
Jan 21st, 2010

Hi All,

One of the clients has multiple locations. Each location has its own Internet access. The main and DR datacenters have ASA5510s. Remote users use IPSEC RA and Citrix connections (to the main DC, then routed to the internal n/w). What is the best solution, NAC or IDS/IPS, for security? My guess is, with many internet access points, the client may need to go for a solution at each location. Also, is there any document which explains the differences between NAC vs IDS/IPS?

TIA

MS

rhermes Mon, 01/25/2010 - 09:35

It entirely depends on what your customer is trying to protect.

NAC will protect your local network from bad/dirty end users. It can enforce requirements for patches, antivirus software, etc. on the hosts.

IDS/IPS is better at enforcing a network traffic policy, protecting your network and users from attacks from the internet (those that get through the firewall) and dropping undesirable activity coming from hosts (attacks, P2P, etc.).

- Bob
mvsheik123 Tue, 01/26/2010 - 08:14

Thank you Bob. So with reference to the network perimeter, if the location has internet access only (no incoming VPN etc.), do we need the IDS inside or outside the firewall? Also, if the location has 2 entry points via ASAs (L2L VPN & RA VPNs) and the entry point is via a DS3 router (ISP-->DS3 rtr--> ASA1/ASA2 etc.), is an IDS module on the DS3 router sufficient, or do we need to have an AIP-SSM in each ASA..?

TIA

MS

Correct Answer
rhermes Tue, 01/26/2010 - 09:08

I would always place the IPS sensor inside the firewall. That way it will only have to inspect traffic that makes it through the firewall policy, and the alerts the sensor generates will have more value in terms of real intrusions you should be aware of.

If the traffic passing through your DS3 router is encrypted inside a VPN tunnel, a router-based IPS will not be able to inspect the traffic inside the VPN.

You would have to inspect the traffic after it has been decrypted. This could be done in the ASAs or with an external appliance sensor, such as a 4240.

- Bob

mvsheik123 Tue, 01/26/2010 - 10:15

Thanks Bob. Also, another question.. How can the client record/track any misuse of user access to personal email, e.g. if a user goes to his 'hotmail' / 'gmail' and attaches some company-related information files from his PC/file servers? Do we need a net VCR (like Niksun) for this..? Also, if that is the case, day-to-day activity needs lots of storage for that.

Thank you for your time.

MS
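One lighter-weight way to track the webmail-attachment case asked about above, as an added example that is not part of the thread and not any Cisco or Niksun product: a Python script that runs over constructed proxy log lines and flags large POST bodies sent to webmail hosts, keeping only the log metadata rather than full packet capture. The log field layout, the webmail host list and the size threshold are assumptions.

```python
import re

# Webmail hosts to watch (assumed list; extend for the client's environment).
WEBMAIL_HOSTS = {"mail.google.com", "mail.live.com", "hotmail.com"}

# Outbound request bodies at or above this size are treated as possible attachment uploads.
UPLOAD_THRESHOLD_BYTES = 100_000

# Constructed sample proxy log lines (not real data). Assumed field layout:
# timestamp user src_ip method host path bytes_sent
SAMPLE_LOG = """\
2010-01-26T10:01:02Z jdoe 10.1.2.30 GET mail.google.com /mail/u/0/ 512
2010-01-26T10:03:15Z jdoe 10.1.2.30 POST mail.google.com /mail/u/0/?act=upload 2457600
2010-01-26T10:04:40Z asmith 10.1.2.41 POST hotmail.com /mail/SendMessageLight.aspx 3100
2010-01-26T10:05:11Z asmith 10.1.2.41 POST www.example.com /api/report 4194304
2010-01-26T10:07:58Z bjones 10.1.2.55 POST mail.live.com /mail/SendMessage.aspx 150000
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")

def parse_line(line):
    """Split one log line into a dict, or return None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, ip, method, host, path, size = m.groups()
    return {"timestamp": ts, "user": user, "src_ip": ip, "method": method,
            "host": host, "path": path, "bytes_sent": int(size)}

def host_is_webmail(host):
    """True if host is a watched webmail domain or a subdomain of one."""
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in WEBMAIL_HOSTS)

def find_webmail_uploads(log_text, threshold=UPLOAD_THRESHOLD_BYTES):
    """Return the log records for POSTs to webmail hosts whose body size meets the threshold."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if host_is_webmail(rec["host"]) and rec["bytes_sent"] >= threshold:
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for r in find_webmail_uploads(SAMPLE_LOG):
        print(f"{r['timestamp']} {r['user']}@{r['src_ip']} -> {r['host']}{r['path']} ({r['bytes_sent']} bytes)")
```

Because only user, source, host, path and byte count are stored per flagged request, the retained data is a few hundred bytes per event instead of the full sessions a net VCR would keep.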
