Cisco Support Community

Assistance required for deploying IDS 4230 network sensor

Dear Sir,

We have a web server hosting setup at one of the IDCs.

All the web servers have public IPs assigned to them.

The topology is such that all my traffic going out from the IDC, as well as traffic coming in from the outside world (Internet), goes through a PIX 525 firewall configured in failover mode.

The PIX firewall in turn is connected to one of the Catalyst 3500XL switches; there are two of them configured in cluster mode.

We also have Catalyst 2900XL switches to which the web servers are connected.

IP addressing-wise, we have one segment behind the firewall (203.199.124.X/26 for web servers); the PIX is on the 203.199.64.X/28 subnet.

The problem is we have a single IDS 4230 appliance which we want to insert in the setup to monitor all the network traffic coming to the servers and outgoing traffic from the servers.

How do we proceed:

1) What all needs to be done? Do we need to set an IP address on both the monitoring and the command and control interfaces, or only on the command and control interface?

2) The IDS 4230 is connected to one of the 2900XL switches to which all the servers are connected. Do we need to do any SPAN configuration on the switch, or will the IDS by default monitor all the traffic coming in and going out of all the ports on the switch?

3) We have loaded the latest signature on the IDS. How do we manage it: using Unix Director or Cisco Secure Policy Manager? Which is the best option, and what will the configuration be for the same?

4) We also need to manage the IDS remotely from a public network.

Any suggestion/configuration advice will be appreciated.

Regards

Deepak

1 REPLY

Re: Assistance required for deploying IDS 4230 network sensor

You have a bunch of questions here, some of which are easily answered, some not. Here are my suggestions, in the order of your original post:

1) An IP will only be required for the "command and control interface" and not for the "monitoring" one. Setup will depend on which version of the IDS software you intend to use...

If you're using 4.1 and you have a valid support contract, you're good to go. If you're using 3.1, then you're going to find yourself unsupported (see this URL: http://www.cisco.com/en/US/products/sw/secursw/ps5052/prod_eol_notice09186a008017db62.html).

Also, you might want to consider having the IDS-4230 replaced with an IDS-4235. FYI, there is a recall on the IDS-4230 due to a malfunctioning component on the mainboard (see this URL: http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_field_notice09186a00801850de.shtml)

2) Yes, you'll need a SPAN. The IDS can only monitor whatever is fed to the monitoring interface. If the IDS sensor's monitoring interface is connected to a regular switch port, you'll end up monitoring only broadcast / multicast messages. Information on configuring a SPAN port can be found here: http://www.cisco.com/warp/public/473/41.html

3) You'll need to clarify what you mean by "latest signature" for me.

If you're referring to IDS-sig-4.1-3-S77 (latest available signature as of the date of your post), then you won't be able to use either Unix Director or CSPM. You'll have to use either VMS Basic or IDM / IEV to configure and monitor the sensor. If you're referring to IDS-sig-3.1-5-S74, then you'll be able to use either of the platforms you mentioned, but you're not what I'd consider "up-to-date" by any stretch of the imagination.

4) Remote management of an IDS sensor is a touchy subject. The quick answer is VPN, but that doesn't properly address the issue, IMNSHO.

Most IDS infrastructures involve monitoring a specific set of network segments while the IDS configuration and event data passage is accomplished via dedicated, out-of-band management network connections. If your IDS sensors are geographically distributed, this becomes a bit tricky. Quite often, in-band connections on private (internal) networks will be used to manage the sensors. If you absolutely must access the IDS management interface from a "public network" (do you mean the Internet BTW?), I suggest you use VPN, but how you implement that solution is beyond the scope of my reply I'm afraid...

Hope this helps,

Alex
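
Added example, not part of the original thread or any Cisco tooling: a quick check of whether the sensor's monitoring interface is really being fed by a SPAN port or is only seeing flooded broadcast/multicast frames, as point 2 of the reply describes. The function names, the 0.5 unicast threshold and the sample frames and MAC addresses are all constructed for illustration; in practice the frames would come from a capture taken on the monitoring interface.

```python
from collections import Counter

BROADCAST = b"\xff" * 6

def classify_dst(frame: bytes) -> str:
    """Classify an Ethernet frame by its destination MAC (first 6 bytes)."""
    if len(frame) < 14:              # too short to hold an Ethernet header
        return "runt"
    dst = frame[:6]
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 0x01:                # I/G bit set: group (multicast) address
        return "multicast"
    return "unicast"

def span_check(frames, min_unicast_ratio=0.5):
    """Return (counts, verdict) for frames seen on the monitoring interface.

    min_unicast_ratio is an assumed threshold; tune it for the segment.
    """
    counts = Counter(classify_dst(f) for f in frames)
    valid = sum(counts.values()) - counts["runt"]
    if valid == 0:
        return counts, "no-traffic"
    ratio = counts["unicast"] / valid
    return counts, ("span-feeding" if ratio >= min_unicast_ratio else "flood-only")

def make_frame(dst: str, src: str, ethertype: int = 0x0800) -> bytes:
    """Build a minimal constructed frame: header plus 46 zero payload bytes."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return mac(dst) + mac(src) + ethertype.to_bytes(2, "big") + bytes(46)

# Constructed sample MACs (locally administered), not taken from the thread.
SERVER, PIX = "02:00:00:00:00:01", "02:00:00:00:00:02"

# Sensor on an ordinary switch port: only flooded frames arrive.
NO_SPAN = [make_frame("ff:ff:ff:ff:ff:ff", SERVER, 0x0806)] * 3 + \
          [make_frame("01:00:5e:00:00:01", PIX)] * 2
# Sensor on a SPAN destination port: server <-> firewall unicast is copied in.
WITH_SPAN = [make_frame("ff:ff:ff:ff:ff:ff", PIX, 0x0806)] + \
            [make_frame(SERVER, PIX), make_frame(PIX, SERVER)] * 2

if __name__ == "__main__":
    for name, sample in (("no SPAN", NO_SPAN), ("with SPAN", WITH_SPAN)):
        counts, verdict = span_check(sample)
        print(f"{name}: {dict(counts)} -> {verdict}")
```

A "flood-only" verdict on a busy server segment means the sensor is blind to the unicast traffic its signatures need to inspect, so the SPAN configuration should be checked before trusting a quiet alarm log.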
