I'm trying to understand if a CSS11500 can prevent any attack on a WEB server. The goal is to have a WEB server to provide Internet services http and https.
My concern is that the server is currently inside our network and not in a DMZ. Even though traffic would pass through a firewall, because port 80 is not inspected by the firewall for virus, worm or any other attack, would the CSS be enough to guarantee that my web server is safe? Or would you recommend that the WEB server be placed in a DMZ instead?
My other concern is that with this setup, even if I have an intrusion monitoring device, because the CSS passes the attack to the WEB server I won't have time to react.
If I wanted to have the WEB server inside anyway, is there another setup that we can think of that would give me time with my ISS to detect that an attack is going on?
The primary purpose of the CSS isn't security, so I probably wouldn't recommend that you rely solely on the CSS for security. That being said, the CSS does include a number of security features that can help enhance the security posture of your web site. You can find more information about the CSS security features here:
I agree with Zach that the CSS is not able to do the jobs you want it to do.
The CSS is only capable of preventing DoS attacks like SYN floods and so on, but it is not capable of inspecting traffic like an IDS does (e.g. malformed URLs). In your case I would suggest either a server-based IDS or a network-based IDS, depending on the skills and knowledge of your IT guys.
Another possibility, depending on the complexity of your web service, would be a reverse proxy which only forwards correct and wanted URLs.
For inspecting HTTPS traffic I would suggest SSL offloading and then the options described above.
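The reverse-proxy idea from the reply above (forward only correct and wanted URLs), as an added example that is not part of the thread: a Python decision function a proxy could call for each request line after SSL offloading. The allowed methods, paths and length limit are assumptions for a hypothetical site.

```python
import re
from urllib.parse import unquote

# Assumed policy for a hypothetical site; the thread names no URLs or methods.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
ALLOWED_PATHS = [re.compile(p) for p in (
    r"/",
    r"/index\.html",
    r"/static/[A-Za-z0-9_-]+\.(?:css|js|png)",
    r"/products/[0-9]{1,8}",
)]
MAX_TARGET_LEN = 2048

def decide(method, target):
    """Return (forward, reason) for one request line seen at the proxy."""
    if method not in ALLOWED_METHODS:
        return False, "method not allowed"
    if len(target) > MAX_TARGET_LEN:
        return False, "target too long"
    if not target.startswith("/"):           # origin-form only, no absolute URIs
        return False, "not origin-form"
    if re.search(r"[^\x21-\x7e]|\\", target):  # whitespace, control, non-ASCII, backslash
        return False, "illegal character"
    if re.search(r"%(?![0-9A-Fa-f]{2})", target):
        return False, "malformed percent-encoding"
    decoded = unquote(target.split("?", 1)[0])  # decode the path exactly once
    # Anything still encoded or non-printable after one decode is treated as evasion.
    if re.search(r"[\x00-\x1f\x7f%\\]", decoded):
        return False, "suspicious encoding"
    if "//" in decoded or any(s in (".", "..") for s in decoded.split("/")):
        return False, "path not normalized"
    if not any(p.fullmatch(decoded) for p in ALLOWED_PATHS):
        return False, "path not on allowlist"
    return True, "ok"

if __name__ == "__main__":
    # Constructed request lines, not taken from any real log.
    for method, target in [("GET", "/products/42?ref=home"),
                           ("GET", "/static/%2e%2e/secret"),
                           ("TRACE", "/")]:
        print(method, target, "->", decide(method, target))
```

Logging the rejection reason alongside the source address gives the IDS or monitoring team a signal without the request ever reaching the web server.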