IDS 4215, right place for a sniffing interface (DMZ or LAN)

zillah2004
Level 1

I have got this sensor at work, with two interfaces only, and I have been asked to check that:

IDSWORK# show version

Application Partition:

Cisco Systems Intrusion Detection Sensor, Version 4.1(1)S47

OS Version 2.4.18-5smpbigphys-4215

Platform: IDS-4215

one interface, which is Ethernet 0, is connected to a switch in the DMZ, and Ethernet 1 is connected to switch 4005. Logically I have to monitor the DMZ zone, not switch 4005 (since I have got only two interfaces, in my case). Am I right?

That means Ethernet 0 should be for sniffing (monitoring), since it is connected to the DMZ, and interface 1 for command and control, since it is connected to the 4005 switch. But according to the Cisco specification:

http://cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055df7d.html#wp1051279

Table 5-2

FastEthernet0/0: Interfaces Supporting Inline VLAN Pairs (Sensing Ports)

FastEthernet0/1: Interfaces Not Supporting Inline (Command and Control Port)

Note: Cisco mentions FastEthernet, while the one I have got says Ethernet. Does it make any difference?

Since I have not done that configuration (it has been done by someone else), do I need to change that?

Accepted Solution

a.kiprawih
Level 7

Looks like your IDS comes with basic ports (2 x Ethernet), with E0 as the C&C port, while E1 is the monitoring port.

BTW, Ethernet/FastEthernet ports are actually the same.

To monitor your DMZ segment, place E1 in that segment, while E0 goes on the inside segment where, besides directly managing the box from its web management GUI or CLI, you can probably use the basic VMS that is bundled free with it.

And since you have a dedicated switch to host the whole DMZ segment, you can easily monitor (SPAN) the whole box and send all traffic to the IDS.

Whether or not you need to change the config, you probably need to check it out, at least to verify which signature(s) are enabled/disabled, which PC/management host is allowed to access the box, and so on. But it's good practice to check and review the config/setup again, as this is a security box that you need to trust to monitor and tell you about any possible threats, attacks or violations.

HTH

AK
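As an added illustration (not from this thread or from Cisco's IDS documentation), here is what the two sides of that placement look like on IOS-based switches: a SPAN session on the DMZ switch that copies the whole DMZ VLAN to the port where the sensor's sensing interface is cabled, and an access list on the inside switch so that only the management workstation can reach the sensor's C&C address. The VLAN number, port names and IP addresses are assumptions.

```cisco
! --- DMZ switch (assumed IOS-based Catalyst) ---
! Assumption: the DMZ is VLAN 20 and the sensor's sensing interface is
! cabled to FastEthernet0/24. The sensing interface carries no IP
! address, so mirroring the VLAN to it makes the sensor invisible on
! the DMZ while it still sees every frame in both directions.
monitor session 1 source vlan 20 both
monitor session 1 destination interface FastEthernet0/24
!
! Check from exec mode that the session is active and mirrors
! both rx and tx:   show monitor session 1

! --- Inside switch (assumed IOS-based, with a VLAN 10 SVI) ---
! Assumption: the sensor's C&C interface is 10.1.1.50 on VLAN 10 and
! the only host that should manage it is 10.1.1.10. Anything else
! sent to the sensor's C&C address is dropped; other traffic passes.
ip access-list extended IDS-MGMT
 permit ip host 10.1.1.10 host 10.1.1.50
 deny   ip any host 10.1.1.50
 permit ip any any
!
interface Vlan10
 ip access-group IDS-MGMT in
```

The sensor's own access list (which hosts may reach its C&C port) should agree with the switch ACL; the reviewer's advice above is to verify that list rather than assume the previous installer set it.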
