IDS module setup, what traffic to capture

Jul 8th, 2010

I have a WS-SVC-IDSM-2 that I have been tasked to set up. Currently the focus is around our pair of ASAs that are used for internet access, but the scope could increase. I am getting some conflicting information on how to set up the packet capture to the IDS module. I am leaning towards VACLs, but I keep wondering: if I do that, will I miss traffic somewhere? As an example, if I set up the VACL to capture TCP ports 80, 443, and 25, I am afraid I may miss some type of traffic on that VLAN. How do I determine what traffic I should send to the IDS module?

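As an added example (not configuration from the original thread or from Cisco documentation), the two capture methods the question weighs, written for a Catalyst 6500 running native IOS with the IDSM-2 assumed to be in slot 5 and the ASA-facing VLAN assumed to be VLAN 100; the slot number, VLAN number and ACL/map names are placeholders. The point it illustrates is the one the question worries about: with a VACL, the IDSM-2 only receives packets that hit an entry carrying `action forward capture`, so anything that falls through to the catch-all `action forward` is still switched but never inspected. Note also that a capture list written only as destination ports 80/443/25 matches the client-to-server half of each session; the server replies have those numbers as the source port and need their own entries. The SPAN alternative copies every frame on the VLAN to the module, which closes the gap but has to fit the module's inspection budget; use one method or the other for a given data port, not both.

```cisco
! --- Option A: VACL capture (only packets matching IDS_CAPTURE are copied) ---
! Example ports only; extend with one pair of lines per application to inspect
ip access-list extended IDS_CAPTURE
 permit tcp any any eq 80
 permit tcp any eq 80 any
 permit tcp any any eq 443
 permit tcp any eq 443 any
 permit tcp any any eq 25
 permit tcp any eq 25 any
!
vlan access-map IDS_MAP 10
 match ip address IDS_CAPTURE
 action forward capture
vlan access-map IDS_MAP 20
 action forward
!
! Apply the map to the VLAN where the ASA inside interfaces live (assumed VLAN 100)
vlan filter IDS_MAP vlan-list 100
!
! Make the IDSM-2 data port (assumed slot 5) a capture destination for VLAN 100
intrusion-detection module 5 data-port 1 capture
intrusion-detection module 5 data-port 1 capture allowed-vlan 100
!
! --- Option B: SPAN (every frame on VLAN 100, both directions, is copied) ---
monitor session 1 source vlan 100 both
monitor session 1 destination intrusion-detection-module 5 data-port 1
!
! --- Verification ---
show vlan access-map IDS_MAP
show vlan filter
show monitor session 1
show running-config | include intrusion-detection
```

The `vlan filter` line is what turns the map on; without it the map exists but nothing is captured. Sequence 20 with a bare `action forward` is required so that non-matching traffic is still forwarded rather than dropped by the implicit deny at the end of the map.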
Panos Kampanakis (Cisco Employee) Thu, 07/08/2010 - 14:19

Well, it all depends on what traffic is going through your network.

If you have apps different than email, http and https that you want to be IDS protected then you would need to expand the VACL.


You can use Netflow to see what applications are running through the network.

Then you can decide which ones you don't trust and want the IDS to monitor.


I hope it helps.


PK

Scott Fringer (Cisco Employee) Fri, 07/09/2010 - 03:42

In addition to Panos' recommendations on methods for determining traffic to inspect with the IDSM-2, also keep in mind that the IDSM-2 is rated to inspect ~500 Mbps of traffic.  If the traffic you will be sending to the IDSM-2 exceeds that amount, it will most likely not be inspected.


Since you mention having ASAs in your environment, have you considered deploying Cisco's AIP-SSM within the ASA?  There are multiple models for different traffic requirements, and they can inspect traffic that is flowing through the ASA.  You can find out more about the AIP-SSM here:


http://www.cisco.com/go/aipssm


Scott

Bill19795_2 Mon, 07/12/2010 - 16:43

When using a VACL to capture traffic on a 6500 I want to capture several types of traffic on my internal LAN. I have the VACL to do this. I also want to make sure I capture everything destined for and sourced from my ASA. Can I use a MAC ACL to capture the traffic? If I capture the traffic with a MAC ACL and apply that to the VACL will the IPS device process it?
