I am currently planning on implementing a 4360 IDS system that will not be inline but will monitor the data VLAN on a switch. Someone asked me if I was going to create a blacklist and a whitelist for the IDS. Would it even be worth creating such lists if the device is not going to be inline with data flows? They also stated that Cisco, when they push out new IPS/IDS signatures, includes a default blacklist/whitelist within the code of the signatures. Is that correct?
You can opt for your IPS/IDS to participate in the Cisco Global Correlation Network. This will send some of your traffic statistics to a centralized location for analysis, and policies will be created and distributed to IPS/IDS devices globally. This includes blacklisting certain IP addresses.
As for creating a whitelist/blacklist for your specific IDS, you can add hosts to a "Never Block" list. Typically, this is reserved for your NMS since its polling can be perceived as scanning. Your colleague may be talking about zones. The IDS allows multiple zones (internal, external, DMZ) with different policies assigned to each.
I was wondering, though, whether a blacklist/whitelist would be beneficial since our implementation of the IDS is not inline to the data flow. The IDS implementation that we were approved to do is monitoring a switch port that is OOB. So if there were a blacklist/whitelist implemented on the IDS, it would be worthless because it would not be able to block or allow that traffic flow, correct?