CSS design setup

I'm trying to understand if a CSS11500 can prevent any attack on a WEB server. The goal is to have a WEB server to provide Internet services http and https.

My concern is that the server is currently inside our network and not in a DMZ. Even though traffic would pass through a firewall, because port 80 is not inspected by the firewall for viruses, worms or any other attack, would the CSS be enough to guarantee that my web server is safe? Or would you recommend that the WEB server be placed in a DMZ instead?

My other concern is that with this setup, even if I have an intrusion monitoring device, because the CSS passes the attack to the WEB server I won't have time to react.

If I wanted to have the WEB server inside anyway, is there another setup that we can think of that would give me time with my ISS to detect that an attack is going on?

Thanks

2 REPLIES

Re: CSS design setup

Michel,

The primary purpose of the CSS isn't security, so I probably wouldn't recommend that you rely solely on the CSS for security. That being said, the CSS does include a number of security features that can help enhance the security posture of your web site. You can find more information about the CSS security features here:

http://cisco.com/en/US/products/hw/contnetw/ps789/products_white_paper09186a00800921a6.shtml

In terms of IDS deployment, you should consider placing a sensor both in front and behind your firewall. You can find more detailed IDS placement information here:

http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a00801bc111.shtml

~Zach


Re: CSS design setup

Hi,

I agree with Zach that the CSS is not able to do the jobs you want it to do.

The CSS is only capable of preventing DoS attacks like SYN floods and so on, but it is not capable of inspecting traffic like an IDS does (e.g. malformed URLs). In your case I would suggest either a server-based IDS or a network-based IDS, depending on the skills and knowledge of your IT guys.

Another possibility, depending on the complexity of your web service, would be a reverse proxy which only forwards correct and wanted URLs.

For inspecting HTTPS traffic I would suggest SSL offloading and then the options described above.

Regards,

Joerg
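
As an added illustration of the reverse-proxy and SSL-offloading suggestion in the reply above (example configuration, not part of this thread and not a CSS11500 configuration): an nginx server block that terminates TLS in the DMZ and forwards only an allowlist of paths to the internal web server, rejecting everything else before it reaches the backend. The hostname, certificate paths, backend address and allowed paths are assumptions.

```nginx
# Added example: TLS-terminating reverse proxy with a URL allowlist.
# Hostname, certificate paths, backend address and paths are assumed.

server {
    listen 80;
    server_name www.example.com;             # assumed hostname
    return 301 https://$host$request_uri;    # force everything onto HTTPS
}

server {
    listen 443 ssl;
    server_name www.example.com;

    # SSL offloading: TLS ends here, so the proxy (and any IDS sensor
    # behind it) sees the decrypted HTTP request before the backend does.
    ssl_certificate     /etc/nginx/tls/www.example.com.crt;  # assumed path
    ssl_certificate_key /etc/nginx/tls/www.example.com.key;  # assumed path
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Separate log for the IDS / SIEM to correlate against
    access_log /var/log/nginx/webproxy.access.log;

    # Only the methods the site actually uses are forwarded
    if ($request_method !~ ^(GET|HEAD|POST)$) { return 405; }

    # Oversized request bodies never reach the backend
    client_max_body_size 1m;

    # Allowlist: only these paths are proxied to the internal server
    location = / {
        proxy_pass http://10.0.0.10:80;      # assumed internal web server
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
    location ^~ /app/ {
        proxy_pass http://10.0.0.10:80;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
    location ^~ /static/ {
        proxy_pass http://10.0.0.10:80;
    }

    # Default deny: any URL not listed above is answered by the proxy itself
    location / {
        return 404;
    }
}
```

Because the proxy answers unlisted paths itself, a probe for a path outside the allowlist shows up in the proxy log without ever touching the internal server, which is the reaction time the original question asks about.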
