11-28-2006 06:45 AM - edited 03-10-2019 03:20 AM
I have got this sensor at work, with two interfaces only, and I have been asked to check the following:
IDSWORK# show version
Application Partition:
Cisco Systems Intrusion Detection Sensor, Version 4.1(1)S47
OS Version 2.4.18-5smpbigphys-4215
Platform: IDS-4215
One interface, Ethernet 0, is connected to a switch in the DMZ, and Ethernet 1 is connected to switch 4005. Logically I have to monitor the DMZ zone, not switch 4005 (since I have only two interfaces in my case). Am I right?
That means Ethernet 0 should be for sniffing (monitoring), since it is connected to the DMZ, and interface 1 for command and control, since it is connected to the 4005 switch. But according to the Cisco specification:
Table 5-2
FastEthernet0/0: Interfaces Supporting Inline VLAN Pairs (Sensing Ports)
FastEthernet0/1: Interfaces Not Supporting Inline (Command and Control Port)
Note: Cisco mentions FastEthernet, while the one I have says Ethernet. Does that make any difference?
Since I have not done that configuration (it was done by someone else), do I need to change it?
11-28-2006 07:23 AM
Looks like your IDS comes with basic ports (2 x Ethernet), with E0 as the C&C port while E1 is the monitoring port.
BTW, Ethernet/FastEthernet ports are actually the same.
To monitor your DMZ segment, place E1 in that segment, and E0 on the inside segment where, besides directly managing the box from its web management GUI or CLI, you can probably use the basic VMS that is bundled free with it.
And since you have a dedicated switch hosting the whole DMZ segment, you can easily monitor (SPAN) the whole box and send all traffic to the IDS.
Whether or not you need to change the config, you probably need to check it out, at least to verify which signature(s) are enabled/disabled, which PC/management host is allowed to access the box, and so on. But it's good practice to check and review the config/setup again, as this is a security box that you need to trust to monitor and tell you about any possible threats, attacks or violations.
HTH
AK
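As an added illustration of the SPAN approach described in the answer above (this is example configuration, not from the original thread or from Cisco's documentation for the IDS-4215), here is what the DMZ switch side looks like on a Catalyst running IOS: the DMZ VLAN is mirrored to the switch port where the sensor's monitoring interface (E1) is cabled, while the C&C interface (E0) stays on the inside/management segment. VLAN 10, FastEthernet0/24 and the description strings are assumed placeholder values; a switch running CatOS uses different (`set span`) syntax.

```cisco
! Assumed layout for this example (placeholders, not the poster's values):
!   VLAN 10           = DMZ hosts
!   FastEthernet0/24  = switch port cabled to the sensor's monitoring interface (E1)
! The sensor's C&C interface (E0) is NOT on this switch; it sits on the inside
! segment, which is where the management GUI/CLI and VMS reach it.
!
interface FastEthernet0/24
 description IDS-4215 sensing port (E1) - SPAN destination only, no IP address
 switchport mode access
 no cdp enable
!
! Mirror every frame (both directions) carried on the DMZ VLAN to the sensor port.
monitor session 1 source vlan 10 both
monitor session 1 destination interface FastEthernet0/24
!
! Verification after applying:
!   show monitor session 1            -> lists source vlan 10 and the destination port
!   show interfaces FastEthernet0/24  -> output packet counter should be increasing
```

Two points worth checking when reviewing such a setup, in line with the answer's advice to re-verify the config: the SPAN destination port carries only mirrored traffic and should never have an IP address or be used for management, and the list of hosts allowed to manage the sensor should contain only management stations that live on the inside segment behind E0, never anything reachable from the DMZ.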