11-14-2005 04:05 AM - edited 03-10-2019 01:45 AM
Hi experts,
Since it's possible to implement some IDS functionality on routers and PIXes, in addition to IDSes, in a network where all 3 of these devices exist, is there any benefit to implementing some IDS functionality on PIXes and/or routers?
And, if so, what factors should be considered in deciding which signatures are enabled on which device?
In this type of scenario, what are considered Best Practices?
Thanks so much
11-14-2005 08:03 AM
It is possible to do what you are asking. Note that the signature set on the IPS appliance is a larger, more complete set than the other devices. The exact mix would depend on your network configuration. I'd suggest an increasingly finer granularity of inspection the closer you get to your inside network. For example, the PIX can perform basic firewall duties and filter most of your low level sweeps, floods and general port probing. Some routers are good for rate limiting, traffic shaping, etc. Then the IPS can inspect the flows that make it through that gauntlet, concentrating on just the traffic that could do you harm (out of all that hits your front door firewall). Of course, that's just one scenario. Some people can't stand not knowing what's trying to hit them at the front door. Others don't want the hassle of trying to piece together logs from three different pieces of equipment so they put things in different orders, like IPS, PIX, IOS. Another axis for exploration is which device you might want to use as a blocking device, the PIX or the IOS router (or the IPS in the case of inline mode operation).
Cisco refers to the SAFE network architecture blueprint as a working starting point. The entire library of SAFE white papers can be found here:
http://www.cisco.com/en/US/partner/netsol/ns340/ns394/ns171/ns128/networking_solutions_package.html
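The layered arrangement described in the answer (coarse filtering at the PIX, rate limiting at the IOS router, content signatures only on what survives at the IPS) can be modelled to see how the ordering changes what each device has to inspect and what it gets to see. The following Python simulation is an added illustration, not code from the original thread or from Cisco; the stage policies, thresholds, signature strings and the sample traffic are all constructed assumptions chosen to exercise each stage, not real device configuration.

```python
"""Model of layered inspection: firewall -> rate limiter -> IPS signatures.

Constructed example. The three stages stand in for the roles the answer
assigns to the PIX, the IOS router and the IPS appliance; none of the
policies below are real Cisco configuration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes = b""


# Stage 1 (the PIX's job): expose only a few services and treat a source
# that touches many distinct ports as a sweep. Thresholds are assumptions.
ALLOWED_PORTS = {25, 80, 443}
SWEEP_PORT_THRESHOLD = 5

# Stage 2 (the IOS router's job): a crude per-source flow budget.
FLOWS_PER_SOURCE_LIMIT = 10

# Stage 3 (the IPS's job): content signatures; only survivors reach it.
SIGNATURES = {
    "http-directory-traversal": b"../../",
    "http-cmd-exe-request": b"cmd.exe",
}


def firewall_stage(flows):
    """Drop sweeps and non-exposed ports; return (passed, dropped)."""
    ports_per_src = defaultdict(set)
    for f in flows:
        ports_per_src[f.src].add(f.dport)
    sweepers = {s for s, ports in ports_per_src.items()
                if len(ports) >= SWEEP_PORT_THRESHOLD}
    passed, dropped = [], []
    for f in flows:
        if f.src in sweepers or f.dport not in ALLOWED_PORTS:
            dropped.append(f)
        else:
            passed.append(f)
    return passed, dropped


def rate_limit_stage(flows):
    """Let each source through up to the budget; return (passed, dropped)."""
    seen = Counter()
    passed, dropped = [], []
    for f in flows:
        seen[f.src] += 1
        (passed if seen[f.src] <= FLOWS_PER_SOURCE_LIMIT else dropped).append(f)
    return passed, dropped


def ips_stage(flows, inline=True):
    """Match payloads against signatures; inline mode also drops matches."""
    passed, alerts = [], []
    for f in flows:
        hits = [name for name, pat in SIGNATURES.items() if pat in f.payload]
        if hits:
            alerts.append((f.src, f.dport, hits))
        if not hits or not inline:
            passed.append(f)
    return passed, alerts


def run_pipeline(flows, ips_first=False, inline=True):
    """Run the three stages in either order and report per-stage counts."""
    if ips_first:  # the 'see everything at the front door' arrangement
        after_ips, alerts = ips_stage(flows, inline)
        after_fw, fw_dropped = firewall_stage(after_ips)
        delivered, rl_dropped = rate_limit_stage(after_fw)
        inspected = len(flows)
    else:          # the answer's suggested order: coarse first, IPS last
        after_fw, fw_dropped = firewall_stage(flows)
        after_rl, rl_dropped = rate_limit_stage(after_fw)
        delivered, alerts = ips_stage(after_rl, inline)
        inspected = len(after_rl)
    return {
        "total": len(flows),
        "firewall_dropped": len(fw_dropped),
        "rate_limit_dropped": len(rl_dropped),
        "ips_inspected": inspected,
        "ips_alerts": len(alerts),
        "delivered": len(delivered),
        "alerts": alerts,
    }


def sample_traffic():
    """Constructed sample flows (documentation-range addresses), not a capture."""
    flows = []
    # one outside host probing eight ports on the web server: a port sweep;
    # its port-80 probe also carries content that matches a signature
    for p in (21, 22, 23, 25, 80, 110, 443, 3389):
        body = b"GET /scripts/cmd.exe HTTP/1.0\r\n" if p == 80 else b""
        flows.append(Flow("198.51.100.9", "192.0.2.10", p, body))
    # a chatty but benign client: twelve ordinary HTTP requests
    flows += [Flow("198.51.100.5", "192.0.2.10", 80,
                   b"GET /index.html HTTP/1.0\r\n") for _ in range(12)]
    # a request to a port the firewall does not expose
    flows.append(Flow("198.51.100.8", "192.0.2.10", 8080, b"GET / HTTP/1.0\r\n"))
    # one request on an allowed port whose content matches a signature
    flows.append(Flow("198.51.100.7", "192.0.2.10", 80,
                      b"GET /../../../etc/passwd HTTP/1.0\r\n"))
    return flows


if __name__ == "__main__":
    for label, kwargs in (("firewall first", {}), ("IPS first", {"ips_first": True})):
        print(label, {k: v for k, v in run_pipeline(sample_traffic(), **kwargs).items()
                      if k != "alerts"})
```

With the IPS last, it inspects 11 of the 22 flows and raises one alert; with the IPS first it inspects all 22 and raises two, because it also sees the sweeper's probe that the firewall would otherwise have discarded. The same number of flows is delivered either way, which is the trade the answer describes: less load and fewer logs to correlate versus visibility into what hits the front door. Flipping `inline` to `False` shows the difference between a promiscuous sensor that only alerts and an inline one that also blocks.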