Encrypted traffic through IDSM-2

nkariyawasam
Level 1

We have an IDSM-2 installation on a 6500 switch. There is an ATM switch that resides inside the data center. The branch ATMs have an encrypted tunnel up to the ATM switch via the IDSM-2 (in-line mode).

1. How will the IDSM-2 analyze this traffic?

2. Is there any effect on this traffic when we send it through the IDSM-2?

Thanks,

4 Replies

rhermes
Level 7

If you're sending an encrypted tunnel through your IDSM, then the IDSM will not be able to perform any detection on the encrypted portion of the data.

The encrypted packet load will have some effect on the load of the sensor.

Farrukh Haroon
VIP Alumni

The IDSM can't do much with the encrypted traffic.

If you need to monitor this traffic, you have to redesign your network to ensure that the IDS sees the post-decrypted traffic/pre-encrypted traffic.

Regards

Farrukh

Hi,

Thanks for the answer. Assuming that the IDSM-2 is deployed in in-line mode, does it allow encrypted traffic to flow (even without analyzing)?

Or does it block the traffic that it can't analyze?

It will usually let it pass :).

There are some signatures in Cisco IPS software that have 'deny' actions by default, especially those pertaining to TCP normalization; you can either remove their deny action or monitor the network closely for any hiccups.

Regards

Farrukh
