01-21-2010 04:52 PM - edited 03-10-2019 04:52 AM
Hi All,
One of my clients has multiple locations. Each location has its own Internet access. The main and DR datacenters have ASA5510s. Remote users use IPsec RA and Citrix connections (to the main DC, then routed to the internal n/w). What is the best solution, NAC or IDS/IPS, for security? My guess is that, with many Internet access points, the client may need to go for a solution at each location. Also, is there any document which explains the differences between NAC vs. IDS/IPS?
TIA
MS
01-25-2010 09:35 AM
It entirely depends on what your customer is trying to protect.
NAC will protect your local network from bad/dirty end users. It can enforce requirements for patches, antivirus software, etc. on the hosts.
IDS/IPS is better at enforcing a network traffic policy, protecting your network and users from attacks from the Internet (those that get through the firewall) and dropping undesirable activity coming from hosts (attacks, P2P, etc.)
- Bob
01-26-2010 08:14 AM
Thank you, Bob. So, with reference to the network perimeter, if the location has Internet access only (no incoming VPN etc.), do we need the IDS inside or outside the firewall? Also, if the location has 2 entry points via ASAs (L2L VPN & RA VPNs) and the entry point is via a DS3 router (ISP --> DS3 rtr --> ASA1/ASA2 etc.), is an IDS module on the DS3 router sufficient, or do we need an AIP-SSM in each ASA?
TIA
MS
01-26-2010 09:08 AM
I would always place the IPS sensor inside the firewall. That way it will only have to inspect traffic that makes it through the firewall policy, and the alerts the sensor generates will have more value in terms of real intrusions you should be aware of.
If the traffic passing through your DS3 router is encrypted inside a VPN tunnel, a router-based IPS will not be able to inspect the traffic inside the VPN.
You would have to inspect the traffic after it has been decrypted. This could be done in the ASAs or with an external appliance sensor, such as a 4240.
- Bob
01-26-2010 10:15 AM
Thanks, Bob. Also, another question: how can the client record/track any misuse of user access to personal emails, e.g. if a user goes to his 'hotmail' / 'gmail' and attaches some company-related information files from his PC/file servers? Do we need a net VCR (like Niksun) for this? Also, if that is the case, day-to-day activity needs lots of storage on that.
Thank you for your time.
MS