Sharing the IDS/IPS Load

jimmi1015
Level 1

Hi experts,

Since it's possible to implement some IDS functionality on routers and PIXes, in addition to IDSes, in a network where all 3 of these devices exist, is there any benefit to implementing some IDS functionality on PIXes and/or routers?

And, if so, what factors should be considered in deciding which signatures are enabled on which device?

In this type of scenario, what are considered Best Practices?

Thanks so much

1 Accepted Solution

Accepted Solutions

scothrel
Level 3

It is possible to do what you are asking. Note that the signature set on the IPS appliance is a larger, more complete set than the other devices. The exact mix would depend on your network configuration. I'd suggest an increasingly finer granularity of inspection the closer you get to your inside network. For example, the PIX can perform basic firewall duties and filter most of your low level sweeps, floods and general port probing. Some routers are good for rate limiting, traffic shaping, etc. Then the IPS can inspect the flows that make it through that gauntlet, concentrating on just the traffic that could do you harm (out of all that hits your front door firewall). Of course, that's just one scenario. Some people can't stand not knowing what's trying to hit them at the front door. Others don't want the hassle of trying to piece together logs from three different pieces of equipment so they put things in different orders, like IPS, PIX, IOS. Another axis for exploration is which device you might want to use as a blocking device, the PIX or the IOS router (or the IPS in the case of inline mode operation).

Cisco refers to the SAFE network architecture blueprint as a working starting point. The entire library of SAFE white papers can be found here:

http://www.cisco.com/en/US/partner/netsol/ns340/ns394/ns171/ns128/networking_solutions_package.html
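The layered scheme scothrel describes (a perimeter firewall thinning out sweeps and port probes, a router applying rate limits, the IPS running its signature set only on what survives, and the chore of piecing together three devices' logs) can be simulated to see how traffic and events thin out stage by stage. The following is an added example, not code from this thread or from Cisco: the device behaviour is a simplified model, and the flow records, thresholds, port policy and the signature string are constructed placeholders.

```python
"""Layered inspection model: perimeter firewall -> rate-limiting router -> IPS.

Added example. Device models, thresholds and sample flows are constructed
assumptions, not the behaviour of any specific PIX, IOS or IPS release.
"""
from collections import defaultdict

# Constructed sample flow records (not captured traffic). Each record is one
# simplified flow: source, destination, destination port, packet count and the
# payload fragment the IPS stage would inspect.
FLOWS = [
    {"src": "203.0.113.9", "dst": "192.0.2.10", "dport": 80, "pkts": 12, "payload": "GET /index.html"},
    {"src": "203.0.113.9", "dst": "192.0.2.10", "dport": 443, "pkts": 8, "payload": ""},
    {"src": "198.51.100.7", "dst": "192.0.2.10", "dport": 21, "pkts": 1, "payload": ""},
    {"src": "198.51.100.7", "dst": "192.0.2.10", "dport": 22, "pkts": 1, "payload": ""},
    {"src": "198.51.100.7", "dst": "192.0.2.10", "dport": 23, "pkts": 1, "payload": ""},
    {"src": "198.51.100.7", "dst": "192.0.2.10", "dport": 25, "pkts": 1, "payload": ""},
    {"src": "198.51.100.7", "dst": "192.0.2.10", "dport": 80, "pkts": 1, "payload": ""},
    {"src": "198.51.100.8", "dst": "192.0.2.10", "dport": 80, "pkts": 900, "payload": "GET /"},
    {"src": "203.0.113.20", "dst": "192.0.2.10", "dport": 80, "pkts": 3, "payload": "GET /cgi-bin/EXAMPLE-SIG-0001"},
]

ALLOWED_PORTS = {80, 443}      # perimeter policy (assumed)
SWEEP_THRESHOLD = 4            # distinct denied ports per source that count as a sweep (assumed)
RATE_LIMIT_PKTS = 100          # per-source packet budget for this window (assumed)
IPS_SIGNATURES = {"EXAMPLE-SIG-0001": "constructed placeholder signature"}


def perimeter_firewall(flows):
    """Stage 1 (PIX-like): permit only policy ports, log each deny, and raise
    one 'port sweep' event per source that probes many denied ports."""
    permitted, events = [], []
    denied_ports = defaultdict(set)
    for f in flows:
        if f["dport"] in ALLOWED_PORTS:
            permitted.append(f)
        else:
            denied_ports[f["src"]].add(f["dport"])
            events.append(("firewall", f["src"], f"deny tcp/{f['dport']}"))
    for src, ports in denied_ports.items():
        if len(ports) >= SWEEP_THRESHOLD:
            events.append(("firewall", src, f"port sweep: {len(ports)} ports"))
    return permitted, events


def rate_limiting_router(flows):
    """Stage 2 (IOS-like): a per-source packet budget. Excess packets are
    dropped and logged; the flow continues with what fits in the budget."""
    passed, events = [], []
    budget = defaultdict(lambda: RATE_LIMIT_PKTS)
    for f in flows:
        allowed = min(f["pkts"], budget[f["src"]])
        budget[f["src"]] -= allowed
        if allowed < f["pkts"]:
            events.append(("router", f["src"], f"rate-limit drop {f['pkts'] - allowed} pkts"))
        if allowed > 0:
            passed.append({**f, "pkts": allowed})
    return passed, events


def ips(flows):
    """Stage 3: signature inspection over only the traffic that survived
    stages 1 and 2, which is where the larger signature set earns its cost."""
    events = []
    for f in flows:
        for sig in IPS_SIGNATURES:
            if sig in f["payload"]:
                events.append(("ips", f["src"], f"signature {sig} on tcp/{f['dport']}"))
    return events


def run_pipeline(flows):
    """Chain the three devices; return per-stage flow counts and all events."""
    after_fw, fw_events = perimeter_firewall(flows)
    after_rtr, rtr_events = rate_limiting_router(after_fw)
    ips_events = ips(after_rtr)
    counts = {"ingress": len(flows), "after_firewall": len(after_fw), "after_router": len(after_rtr)}
    return counts, fw_events + rtr_events + ips_events


def correlate_by_source(events):
    """Stitch the three devices' logs together by source address, so one
    source's activity across firewall, router and IPS appears in one view."""
    view = defaultdict(list)
    for device, src, msg in events:
        view[src].append(f"{device}: {msg}")
    return dict(view)


if __name__ == "__main__":
    counts, events = run_pipeline(FLOWS)
    print(counts)
    for src, lines in correlate_by_source(events).items():
        print(src)
        for line in lines:
            print("  " + line)
```

Reordering the stages (for example placing the IPS ahead of the firewall, as the post mentions some sites prefer) is a matter of changing the call order in `run_pipeline`; the trade-off it illustrates is that the IPS then sees every sweep and probe, at the cost of inspecting far more traffic.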
