IDS module setup, what traffic to capture

Bill19795_2
Level 1

I have a WS-SVC-IDSM-2 that I have been tasked to set up. Currently the focus is around our pair of ASAs that are used for internet access, but the scope could increase. I am getting some conflicting information on how to set up the packet capture to the IDS module. I am leaning towards VACLs, but I keep wondering if I do that, will I miss traffic somewhere? As an example, if I set up the VACL to capture TCP ports 80, 443, and 25, I am afraid I may miss some type of traffic on that VLAN. How do I determine what traffic I should send to the IDS module?

3 Replies

Panos Kampanakis
Cisco Employee

Well, it all depends on what traffic is going through your network.

If you have apps other than email, HTTP and HTTPS that you want to be IDS protected, then you would need to expand the VACL.

You can use Netflow to see what applications are running through the network.

Then you can decide which ones you don't trust and want the IDS to monitor.

I hope it helps.

PK

In addition to Panos' recommendations on methods for determining traffic to inspect with the IDSM-2, also keep in mind that the IDSM-2 is rated to inspect ~500 Mbps of traffic. If the traffic you will be sending to the IDSM-2 exceeds that amount, it will most likely not be inspected.

Since you mention having ASAs in your environment, have you considered deploying Cisco's AIP-SSM within the ASA? There are multiple models for different traffic requirements, and they can inspect traffic that is flowing through the ASA. You can find out more about the AIP-SSM here:

http://www.cisco.com/go/aipssm

Scott

When using a VACL to capture traffic on a 6500, I want to capture several types of traffic on my internal LAN. I have the VACL to do this. I also want to make sure I capture everything destined for and sourced from my ASA. Can I use a MAC ACL to capture the traffic? If I capture the traffic with a MAC ACL and apply that to the VACL, will the IPS device process it?
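The port-based VACL capture discussed in the original question and in Panos' reply, written out as an added illustration (this is not configuration from anyone in the thread). It assumes a Catalyst 6500 running native IOS with the IDSM-2 in slot 5, the monitored VLAN is 10, and 192.0.2.1 is a placeholder for the ASA inside address; the final access-map entry with no match clause is what keeps the VACL's implicit deny from dropping traffic the capture list does not cover.

```text
! Capture list: the ports named in the thread, plus anything to or
! from the ASA so the firewall's own conversations are not missed.
ip access-list extended IDS-CAPTURE
 permit tcp any any eq 80
 permit tcp any any eq 443
 permit tcp any any eq 25
 permit ip any host 192.0.2.1      ! placeholder ASA address
 permit ip host 192.0.2.1 any      ! placeholder ASA address
!
! Matched packets are forwarded normally AND copied to the capture port.
vlan access-map IDS-MAP 10
 match ip address IDS-CAPTURE
 action forward capture
!
! Catch-all: forward (but do not capture) everything else. Without
! this entry the VACL's implicit deny drops all unmatched traffic.
vlan access-map IDS-MAP 20
 action forward
!
vlan filter IDS-MAP vlan-list 10
!
! Point the VACL capture at the IDSM-2 data port and restrict it to
! the monitored VLAN.
intrusion-detection module 5 data-port 1 capture
intrusion-detection module 5 data-port 1 capture allowed-vlan 10
```

To check what the VACL is actually matching before trusting it, compare the permit counters on the ACL (show ip access-lists IDS-CAPTURE) against the application mix seen in NetFlow, and widen the capture list where the two disagree.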
