IDSM-2

estelamathew · ‎08-15-2010

Hello Dears,

I'm planning to place IDSM-2 in INLINE VLAN PAIR mode rather than promiscous mode.Please correct my steps if i m wrong in below points.

Steps to configure 6500 switch with cisco IOS for IDSM-2

router(config)# intrusion-detection module 13 data-port 1 trunk allowed-vlan all

Steps to configure IDSM-2 for Inline Vlan pairing:

when we Enter yes to modify the interface and virtual sensor configuration.
we select Edit Interface Configuration
we select Add/Modify Inline Vlan Pairs.
after that we should create as much Subinterfaces on gig0/7 OR gig0/8 as much Vlan pair we have
Set up the inline VLAN pair.
sensor(config-int-phy)# subinterface-type inline-vlan-pair
sensor(config-int-phy-inl)# subinterface 1
sensor(config-int-phy-inl-sub)# vlan1 62
sensor(config-int-phy-inl-sub)# vlan2 63
sensor(config-int-phy)# subinterface-type inline-vlan-pair
sensor(config-int-phy-inl)# subinterface 2
sensor(config-int-phy-inl-sub)# vlan3 72
sensor(config-int-phy-inl-sub)# vlan4 73

Thanks

Siddharth Chandrachud · ‎08-19-2010

IDSM2 inline mode design consists of two parts

a. Configuring IDSM2 module itself.

Your IDSM2 configuration seems fine.

Again I am not sure why you are doing a inline vlan pair as opposed to a inline pair.

Inline vlan pair is IDSM on a stick. One physical interface and multiple subinterfaces.

Each subinterface is associated with a pair of vlans. Packets received on one of the paired VLANs

are analyzed and then forwarded to the other VLAN in the pair.

b. Configuring 6500 switch so that the traffic actually goes to the IDSM2 module.

IDSM2 does not do routing. IDSM2 can only bridge Vlans (Operates at layer 2).

Hence you will have to design 6500 configuration in way to force traffic to go to the IDSM.

The main principle is to have one ip subnet and 2 vlans in the same ip subnet.

To better understand the above in detail please check my design document on IDSM2 inline mode.

https://supportforums.cisco.com/docs/DOC-12206

Sid Chandrachud

TAC Security Solutions.

estelamathew · ‎08-19-2010

Excellent document Siddharth,

In ur architecture:

Data flow between IDSM2 and 6500 happens via ports on the back-plane.

6500 dataport 1 connects to IDSM gig0/7. 6500 dataport 2 connects to IDSM gig0/8

IDSM will bridge gig0/7 and gig0/8 together.
Vlan assignment to ports can be done only on Cat6500 side.
If Dataport1 is in vlan x and Dataport 2 is in Vlan y then, IDSM is in fact bridging Vlan x & y due to the architecture.

Question 1:The above RED HIGLIGHTED line is confusing me ,We can assign vlan's in inline Interface pair mode as u have suggested me to use in ur above mail??? If so, then can we use as much real vlan on port gig0/7 and as much virtual vlan on gig0/8,so that IDSM-2 will bridge between them.Uptill now what i m thinking is in inline interface pair mode supports only 1 set of vlan and that to they are access ports.

Question 2:ON what scenarios we need INLINE VLAN PAIR MODE THEN??

Question 3: In 1 virtual sensor traffic is passed how many times to IDSM-2.for Example in inline vlan pair mode.if i want to allow inter-vlan routing from vlan 100 to vlan 200.

INLINE VLAN PAIR: vlan 1 and vlan2 are real SVI interface and vlan 100 and vlan 200 are virtual just for pairing.

vlan 1 to 100

vlan 2 to 200

USER-PC SWITCH SVI SWITCH SVI USER-PC

vlan 100----IDSM--------int vlan1 SVI --- ----int vlan2 SVI-------IDSM----vlan 200

Please correct the above steps for traffic flow.from 1 vlan to another.I hope the traffic is passing 2 times to IDSM-2

ALSO

Question 4:I m also going to place IDSM-2 with FWSM,any different configuration or traffic flow will be the same, as it was hitting the switch SVI now it will hit to FWSM SVI

Thanks

rays · ‎08-25-2010

Hi, i came across this thread and i am finding it very useful I have a custmer who has an e-commerce environment which contains a 6509 service chassis, with 2x layers of FWSM, CSM/SSL and IDSM-2. The IDSM-2 has never been used but now there is a PCI compliance requirement to enable the module.

The information you have provided will help with the configuration, however, i have a question and probably a very simple one at that :-) what can be used to view the output of the ISDM-2? The customer is lookiing for as cheap a solution as possible, so that probably rules out CS-MARS.. What do most people use?

Also, the requirement is to only capture traffic destined to certain secure zones, i believe i can use VACLS or ACLs to only capture specified traffic, is that correct?

Any assistance would be great,

many thanks,

rays

Siddharth Chandrachud · ‎08-31-2010

Estela,

I am not sure if I understood your questions correctly.

This is difficult to explain by email.

Please go through the link below to understand difference between 'inline interface pair mode ' and inline vlan pair mode'

http://tools.cisco.com/squish/6F956

Question 1:The above RED HIGLIGHTED line is confusing me ,We can assign vlan's in inline Interface pair mode as u have suggested me to use in ur above mail??? If so, then can we use as much real vlan on port gig0/7 and as much virtual vlan on gig0/8,so that IDSM-2 will bridge between them.Uptill now what i m thinking is in inline interface pair mode supports only 1 set of vlan and that to they are access ports.

Answer:

Inline interface pair is used when IPS ports are connected to access ports , correct.

IDSM will bridge only 2 vlans in inline interface pair mode.

Remember, IDSM in inline interface pair mode has no notions of vlans as such.

The vlan assignment is done on the 6500 on ports connecting to the IDSM.

For IDSM, inline interface pair is like a wire connecting two ports.

Whatever comes in on one interface, send it out of the other.

The 6500 ports connecting to the ports on IDSM are access ports belonging in different vlans of the pair.

Hence IDSM in theory bridges 2 vlans together.

Question 2:ON what scenarios we need INLINE VLAN PAIR MODE THEN??

Inline vlan pair is roughly analogous to 'Router on a stick '

In inline vlan pair mode we have: One physical interface, and a pair of vlans per subinterface.

Packets received on one of the paired VLANs are analyzed and then forwarded to the other VLAN in the pair.

You can have multiple sub-interface pairs on a single physical interface.

For a inline vlan pair mode, the IDSM port needs to be connected to a trunk port on the switch side.

The following example might make it easier to understand

E.g

Gig 0/7 - Physical interface

Inline vlan pair #1

sub interface 1

vlan 10

vlan 20

Inline vlan pair #2

sub interface 2

Vlan 30

Vlan 40

On 6500 switch, data-port 1 connects to gig0/7 over backplane.

data-port 1 needs to be a trunk port.

When traffic in vlan 10 is recieved on gig0/7 its forwarded out of same interface gig0/7 out of vlan 20

When traffic in vlan 20 is recieved on gig0/7 its forwarded out of same interface gig0/7 out of vlan 10

Sub interface 1 is used to associate the pair of vlans 10 and 20 to physical interface gig0/7

When traffic in vlan 30 is recieved on gig0/7 its forwarded out of same interface gig0/7 out of vlan 40

When traffic in vlan 40 is recieved on gig0/7 its forwarded out of same interface gig0/7 out of vlan 30

Sub interface 2 is used to associate the pair of vlans 130 and 40 to physical interface gig0/7

Question 3: In 1 virtual sensor traffic is passed how many times to IDSM-2.for Example in inline vlan pair mode.if i want to allow inter-vlan routing from vlan 100 to vlan 200.

I did not understand the question. For inline interface pair, traffic flows through virtual sensor once for each direction.

From x > y one.

From y back to > x two.

Go through the design document I wrote and take a look at the packet walk for arp.

https://supportforums.cisco.com/docs/DOC-12206

INLINE VLAN PAIR: vlan 1 and vlan2 are real SVI interface and vlan 100 and vlan 200 are virtual just for pairing.

vlan 1 to 100

vlan 2 to 200

USER-PC SWITCH SVI SWITCH SVI USER-PC

vlan 100----IDSM--------int vlan1 SVI --- ----int vlan2 SVI-------IDSM----vlan 200

Please correct the above steps for traffic flow.from 1 vlan to another.I hope the traffic is passing 2 times to IDSM-2

Switch cannot have SVI for 2 vlans. It will do intervlan routing directly without the packet ever going through the IDSM.

We need one ip subnet, 2 vlans, and SVI only on one of them.

Check " Normal intervlan routing " on the design doc: https://supportforums.cisco.com/docs/DOC-12206

ALSO

Question 4:I m also going to place IDSM-2 with FWSM,any different configuration or traffic flow will be the same, as it was hitting the switch SVI now it will hit to FWSM SVI

E.g scenario:

Well say, inside vlan is 100 and outside vlan is 200.

All hosts reside in inside vlan 100.

Outside artificial vlan 200 is created to force traffic to go through IDSM.

Then vlan 100 and vlan 200 share same common ip subnet.

SVI only exists on vlan 200.

6500 data port 1 is access port in vlan 100

6500 data port 2 is access port in vlan 200

IDSM gig0/7-gig0/8 are a inline interface pair.

IDSM bridges vlan 100 & 200 together.

Default gateway for all hosts in vlan 100 and 200 is SVI for 200.

This SVI can be placed on FWSM, and FWSM can be put it routing mode.

That way traffic is forced to go through to the FWSM after it passes through the IDSM and back to the switch.

Sid Chandrachud

TAC Security Solutions

Siddharth Chandrachud · ‎08-31-2010

Hi Rays,

To answer your question:

1. To view events one can use IPS devuce manager or IDM which is the web gui for IDSM.

To access IDSM

https://

Click monitoring > events

2. You can also install IPS manager express (free software) from cisco.com

This can be used to configure IDSM and view the events.

IME can be downloaded here:

http://tools.cisco.com/squish/0dbB3

3. To send traffic to IDSM two methods can be used

SPAN

or

Vacl Capture

Both configurations are listed here:

http://tools.cisco.com/squish/4DDA3

Sid Chandrachud

TAC Security Solutions

rays · ‎09-02-2010

Thanks for the information Sid.

WIth the options you have mentioned, do you know how long the event logs are kept for? The customer has to meet PCI DSS

compliance and one of requirements is that logged information is kept for a period of time..

thanks

rays

Siddharth Chandrachud · ‎09-02-2010

a. IDM is not meant for event storage.

IDM is displaying events from IPS's own event store which is limited and gets overwritten.

b. IME is a software installed on a p.c which can configure IPS and also store events from it.

It installs a version of MYSQL

c. IME stores events in a event file.

Each event file has a max event capacity of 1 million events.

IME can archive max 400 such events files.

So 400 archive files each having 1 million events each is the number of events that can be stored on IME.

To view the files:

\Program Files\Cisco Systems\Cisco IPS Manager Express\MYSQL\data\alarmDB

d. For a comprehensive event storage solution you can look to something like Mars which can store all events on a NFS share.

Or IPS is also a SDEE client. So an external SDEE server can log into IPS and grab events from it. Event storage then depends on the capacity of the SDEE server. Check out my document about SDEE and IPS:

https://supportforums.cisco.com/docs/DOC-12515

Sid Chandrachud

TAC Security Solutions