Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
381
Views
0
Helpful
2
Replies

CSS design setup

mdlv
Level 1
Level 1

‎02-25-2004 04:03 PM

I'm trying to understand if a CSS11500 can prevent any attack on a WEB server. The goal is to have a WEB server to provide Internet services http and https.

My concern is that server is currently inside out network and not in a DMZ. Even though traffic would pass thru a firewall because port 80 is not inspected by the firewall for virus, worm or any other attack, would the CSS be enough to garantee that My web server is safe. Or would you recommend that the WEB server be place in a DMZ instead.

My other concern is that with this setup even if I have an intrusion monitoring device because the CSS passes the attack to the WEB server I won't have time to react.

If I wanted to have the WEB server inside anyway is there an other setup that we can think of that would give me time with my ISS to detect that an attack is going on.

Thanks

Labels:
0 Helpful
2 Replies 2

seilsz
Level 4
Level 4

‎02-25-2004 05:55 PM

Michel,

The primary purpose of the CSS isn't security, so I probably wouldn't recommend that you rely solely on the CSS for security. That being said, the CSS does include a number of security features that can help enhance the security posture of your web site. You can find more information about the CSS security features here:

http://cisco.com/en/US/products/hw/contnetw/ps789/products_white_paper09186a00800921a6.shtml

In terms of IDS deployment, you should consider placing a sensor both in front and behind your firewall. You can find more detailed IDS placement information here:

http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a00801bc111.shtml

~Zach

0 Helpful

jfoerster
Level 4
Level 4
In response to seilsz

‎02-26-2004 02:05 AM

Hi,

I agree with Zach that the CSS is not able to do the jobs you want it to do.

The CSS is only capabel of preventing DoS attacks like SYN Floods and so on but it is not capable to inspect traffic like an IDS does (e.g mal formed URLs). In your case I would either suggest a server based IDS or a network based IDS depending on the skills and knowledge of your IT-guys.

Another possibility depending on the complexetiy of your webservice would be a reverse proxy which is only forwarding correct and wanted URLs.

For inspectiong HTTPS traffic I would suggest SSL-Offloading and than the options described above.

Regards,

Joerg

0 Helpful
Customers Also Viewed These Support Documents