I have some questions regarding the ids module. A router is connected to the internet and is using the software firewall. There is also a NM-CIDS in the router.
1) What is the sequence when a packet arrives from the internet?
Is it internet -> firewall -> ids?
2) Does the command "ids-service module monitoring" imply that traffic is sent to the IDS inbound and outbound?
3) The event viewer in the IDM shows a lot of events. Does it mean that the firewall is not dropping the packets? Is the IDM the only place to monitor the events or can they be sent to a syslog server?
4) In case there is an event, what can the module do to block the attack since it is not in line?
That depends on how you configured the IDS/IPS to work. If it is promiscuous mode: internet --> firewall (a copy of the packet is sent to the IDS to scan for vulnerabilities in it); if it is inline mode: internet --> IPS --> firewall, and the packet scanned by the IPS is sent to the firewall for further processing.
1) If there is no encryption then the packet is copied to the NM-CIDS after all router features (including firewall as well as NAT/PAT) have been done. I am about 90% sure on this. There is the possibility of a few features being done after the copy that I may not know about.
If NAT has been done then the packet itself will have the translated IPs; however, the packet has an additional header that tells the NM-CIDS what the untranslated IPs are, and the analysis and alerting is done with the untranslated IPs from the additional header.
When there is encryption involved, then incoming decryption is done with all other router features before copying to the NM-CIDS. But the outgoing encryption is the one feature done on the packet after it is copied to the NM-CIDS. This way the NM-CIDS always gets copies of unencrypted packets.
2) The command on an interface implies that all traffic coming in as well as traffic going out will be copied to the NM-CIDS.
3) If IDM shows alerts, then I am pretty sure this means that they are making it through the firewall features (not being dropped) and making it to the other network.
I recommend using IEV for monitoring the alerts if you have a small number of sensors.
If you have a large number of sensors then I would recommend CS-MARS for monitoring.
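As an added illustration (not part of this thread, and not Cisco's code or data formats), here is a small Python model of the promiscuous-mode flow described above: firewall first, then NAT, then a copy to the NM-CIDS with the untranslated addresses attached, so a dropped packet never produces an alert and an alert is reported with the untranslated IPs. All addresses, the NAT table and the signature are constructed, and the function and class names are assumptions.

```python
from dataclasses import dataclass, replace

# Constructed model of the promiscuous-mode path:
#   internet -> firewall -> NAT -> copy to NM-CIDS (plus forward on)
# Names, structures and values are assumptions, not Cisco's formats.

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

# Constructed sample data (RFC 5737 documentation ranges).
NAT_TABLE = {("198.51.100.1", 8080): "10.0.0.5"}   # outside (addr, port) -> inside host
FIREWALL_ALLOWED_PORTS = {80, 443, 8080}
SIGNATURES = {8080: "constructed-sig: suspicious request on 8080"}

def firewall(pkt):
    """Router software firewall: drop anything not permitted."""
    return pkt.dport in FIREWALL_ALLOWED_PORTS

def nat(pkt):
    """Static NAT: rewrite the destination to the inside host, if mapped."""
    inside = NAT_TABLE.get((pkt.dst, pkt.dport))
    return replace(pkt, dst=inside) if inside else pkt

def ids_analyze(translated, untranslated):
    """NM-CIDS inspects the copy; the alert carries the untranslated header."""
    sig = SIGNATURES.get(translated.dport)
    if sig is None:
        return None
    return {"sig": sig, "src": untranslated.src, "dst": untranslated.dst}

def router_receive(pkt):
    """Return (forwarded packet or None, alert or None) for an inbound packet."""
    if not firewall(pkt):
        return None, None          # dropped: no copy ever reaches the module
    translated = nat(pkt)
    alert = ids_analyze(translated, untranslated=pkt)   # copy, not inline
    return translated, alert

if __name__ == "__main__":
    print(router_receive(Packet("203.0.113.9", "198.51.100.1", 8080)))
    print(router_receive(Packet("203.0.113.9", "198.51.100.1", 23)))
```

Seeing an alert in this model therefore means the firewall permitted the packet, which is the reasoning behind point 3 above.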