Cisco Support Community
New Member

Basic IDS module setup

I have a few basic setup questions to ask about an IDS module in a 3725 router.

(NM-CIDS)

1. The interface of the module has to be configured as a normal interface just like any other Fast Ethernet interface. If so, how do I access the web config of the sensor? I can't give the sensor an IP address on the same subnet as another interface, so would I have to create a VLAN on my switch and install a new network card on a computer just to access the sensor?

2. I want to use the sensor to monitor my internet connection. My internet comes in on the router where the sensor is, but not on the sensor interface. So I added the line "ids-service-module monitoring" on the internet interface. I'm now assuming that the sensor monitors that interface, but it can't block any IPs on it, can it? Can I use the sensor's interface as my internet connection? Will it route all the traffic back to the router like any other interface?

3. If the sensor has to be on its own subnet, I can't get the licensing to auto-update, since that new subnet has no access to the internet.

I must admit, I'm a bit confused as to the basic setup of that module. The documentation is clear on how to set it up and I have done that; I even upgraded the sensor to version 5.0. But the basic idea behind it and the basic setup are not clear, and it does not tell me the reasons for the separate subnet.

Can someone guide me in the right direction?

My goal is to set up the sensor for the company's internet connection, which is currently connected to a Fast Ethernet interface on the router, and send events to a syslog server that I am monitoring.

Thanks

Bernard Magny

ACCEPTED SOLUTION
Cisco Employee

Re: Basic IDS module setup

The NM-CIDS has 2 interfaces you have to deal with.

The internal interface on the router's backplane, and an external interface that you can plug a wire in to.

In addition there is a router interface on the router backplane for the NM-CIDS. This router backplane interface, and the internal interface of the NM-CIDS can be considered hardwired together.

The easiest way to think of the NM-CIDS is to consider it a PC that sits inside the router.

It can easily be compared to an IDS appliance.

The internal interface of the NM-CIDS is the sniffing interface. The NM-CIDS does not give this internal interface an IP. It is used only for receiving packets from the router for monitoring and sending back TCP Resets.

The router has its backplane interface that corresponds to this NM-CIDS internal sniffing interface. You will need to apply an IP address to the router interface for the NM-CIDS, but no traffic will ever actually be "routed" to it. So most users will either assign a non-routable address or loopback address, or have it share an address with one of the other interfaces of the router.

This address will NOT be used to configure or control the NM-CIDS so using a nonroutable loopback address is often the easiest thing to do.

This router interface and NM-CIDS backplane interface can best be compared to a span port on a switch being monitored by an appliance.

The "ids" command applied to a physical interface of the router is like "spanning" that interface.

The "spanned" traffic gets copied to the "span" destination port which is the router backplane interface for the NM-CIDS. Once these packets are copied onto the router backplane to the NM-CIDS slot, then the NM-CIDS internal port will sniff and analyze the packets.

So the real packet comes in one interface of the router and gets "routed" to another interface of the router. If there is an "ids" command on either of these 2 interfaces then those packets will also be copied ("spanned") to the NM-CIDS for monitoring. So the NM-CIDS and the corresponding router backplane interface are not in the path of the packet and are only getting a copy of the packet.

NOTE: Technically the packet is not "spanned" because "spanning" is only supported in a switch, but most users understand the concept. And the concept is what I am trying to get across.

Now the external port of the NM-CIDS is the command and control port. This is where you have assigned an IP. Understand that this is NOT a router interface. It will not participate in routing protocols. Any packets destined to this port will stop at the NM-CIDS.

This port is best compared with the command and control port of an IDS appliance sensor. The port address is used only to talk directly to that IDS sensor.

So what address to assign it?

The best method is to give it an address on your most secure internal network, and physically plug into that network just like you would any other PC (or the command and control port of an IDS appliance).

Since this interface of the NM-CIDS is not a router interface and does NOT participate in routing, it is OK for the router itself to have an interface on the same subnet and be plugged into the same switch and the same VLAN as the NM-CIDS external command and control interface. In fact that is exactly what most users do. In addition, the router's IP on that subnet is generally the default gateway configured on the NM-CIDS for its command and control interface. If you think of the NM-CIDS as a PC then this makes sense.

Some customers may have a special network for managing their security devices (typically only large enterprises). In these scenarios the NM-CIDS command and control might be placed on a network that is not even routable by the router in which it has been placed. This is pretty rare, but is possible to do.
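To make the layout in the answer above concrete, here is an added example IOS configuration for a 3725 with the NM-CIDS in slot 1. It is not from the thread or from Cisco documentation; the slot number, interface names, addresses (all constructed) and the IOS 12.3/12.4 command syntax are assumptions. It shows the three pieces the answer separates: a throwaway loopback address borrowed by the router's backplane interface, the "ids-service-module monitoring" command on the internet-facing interface that is being "spanned", and the internal LAN interface whose subnet the sensor's external command-and-control port lives on, so the sensor's web interface is reachable from an ordinary workstation and the sensor can reach the internet through the router for license updates.

```cisco
! Added example, not the original poster's or Cisco's configuration.
! Assumptions: NM-CIDS in slot 1 of a 3725, Fa0/0 is the internet uplink,
! Fa0/1 is the internal LAN (192.168.10.0/24, constructed addresses).
!
! Loopback used only to satisfy the "backplane interface needs an address"
! requirement. Nothing is ever routed to it and it is NOT the address you
! use to manage the sensor.
interface Loopback0
 ip address 10.255.255.1 255.255.255.255
!
! Router side of the backplane link to the sensor (the "span destination").
! Borrow the loopback address instead of spending a real subnet on it.
interface IDS-Sensor1/0
 ip unnumbered Loopback0
 no shutdown
!
! Internet uplink: this is the interface being "spanned". Packets are still
! routed normally through Fa0/0; the sensor only receives a copy of them.
interface FastEthernet0/0
 description Internet uplink
 ip address 203.0.113.2 255.255.255.252
 ids-service-module monitoring
!
! Internal LAN. The sensor's external command-and-control port is cabled into
! the same switch and VLAN as this interface and uses 192.168.10.1 as its
! default gateway, so no extra VLAN or extra NIC is needed to reach the sensor,
! and the sensor has a routed path out for its license auto-update.
interface FastEthernet0/1
 description Internal LAN / sensor management
 ip address 192.168.10.1 255.255.255.0
!
! From the router's exec prompt (not config mode) you can console into the
! sensor to run its "setup" and assign the command-and-control port an
! address on the internal LAN, e.g. 192.168.10.50/24 with gateway 192.168.10.1:
!   service-module ids-sensor 1/0 session
```

A quick check after applying this: "show ip interface brief" should list IDS-Sensor1/0 as up/up with the loopback address, and the sensor's web interface should answer on its command-and-control address from a host on the internal LAN. If it does not, the most common cause is the sensor's gateway not matching the router's LAN address rather than anything on the backplane side.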

2 REPLIES
New Member

Re: Basic IDS module setup

About wanting to send the events to a syslog server, see James' previous response posted in this forum:

Replied by: jamesand - Sep 14, 2005, 2:58pm PST

The IDS/IPS sensors (4.x and 5.x) do not serve syslog messages. Starting with 4.0, the mechanism for pulling events from the sensor is the RDEP XML/HTTP interface (that IEV, MC secmon, and other third-party apps use). To solve your design issue, you would have to write a converter application that pulls events from the sensor using RDEP and then serves them up as syslog messages.
