Assistance required for deploying IDS 4230 network sensor
We have a web server hosting setup at one of the IDCs.
All the web servers have public IPs assigned to them.
The topology is such that all my traffic going out from the IDC, as well as traffic coming in from the outside world (Internet), goes through a PIX 525 firewall configured in failover mode.
The PIX firewall in turn is connected to one of the Catalyst 3500XL switches; there are two of them configured in cluster mode.
We also have Catalyst 2900XL switches to which the web servers are connected.
IP-addressing-wise, we have one segment behind the firewall (203.199.124.X/26 for the web servers); the PIX is on the 203.199.64.X/28 subnet.
The problem is that we have a single IDS 4230 appliance which we want to insert into the setup to monitor all the network traffic coming to the servers and the outgoing traffic from the servers.
How do we proceed?
1) What all needs to be done? Do we need to set an IP address on both the monitoring and the command-and-control interface, or only on the command-and-control interface?
2) The IDS 4230 is connected to one of the 2900XL switches to which all the servers are connected. Do we need to do any SPAN configuration on the switch, or will the IDS by default monitor all the traffic coming in and going out of all the ports on the switch?
3) We have loaded the latest signature on the IDS. How do we manage it using Unix Director or Cisco Secure Policy Manager? Which is the best option, and what will the configuration for it be?
4) We also need to manage the IDS remotely from a public network.
Any suggestion/configuration advice will be appreciated.
2) Yes, you'll need a SPAN. The IDS can only monitor whatever is fed to the monitoring interface. If the IDS sensor's monitoring interface is connected to a regular switch port, you'll end up monitoring only broadcast / multicast messages. Information on configuring a SPAN port can be found here: http://www.cisco.com/warp/public/473/41.html
3) You'll need to clarify what you mean by "latest signature" for me.
If you're referring to IDS-sig-4.1-3-S77 (the latest available signature as of the date of your post), then you won't be able to use either Unix Director or CSPM. You'll have to use either VMS Basic or IDM / IEV to configure and monitor the sensor. If you're referring to IDS-sig-3.1-5-S74, then you'll be able to use either of the platforms you mentioned, but you're not what I'd consider "up-to-date" by any stretch of the imagination.
4) Remote management of an IDS sensor is a touchy subject. The quick answer is VPN, but that doesn't properly address the issue, IMNSHO.
Most IDS infrastructures involve monitoring a specific set of network segments while the IDS configuration and event data passage is accomplished via dedicated, out-of-band management network connections. If your IDS sensors are geographically distributed, this becomes a bit tricky. Quite often, in-band connections on private (internal) networks will be used to manage the sensors. If you absolutely must access the IDS management interface from a "public network" (do you mean the Internet BTW?), I suggest you use VPN, but how you implement that solution is beyond the scope of my reply I'm afraid...
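As an added example that is not part of the original thread: this is what the SPAN setup from point 2 looks like on a Catalyst 2900XL, which uses the `port monitor` interface command; the interface numbers are assumptions. On this platform the monitoring port and the mirrored ports must be in the same VLAN, and only the ports you list are mirrored, so each web-server port gets its own `port monitor` line.

```ios
! Constructed example for a Catalyst 2900XL: mirror the web-server ports
! onto the port where the IDS 4230 sniffing interface is plugged in.
! Interface numbers are assumptions; substitute the real ones.
configure terminal
!
! Destination port: the IDS 4230 monitoring (sniffing) interface.
! Everything received on the listed source ports is copied here,
! so the sensor sees server traffic in both directions.
interface FastEthernet0/24
 description IDS-4230 monitoring interface (SPAN destination)
 port monitor FastEthernet0/1
 port monitor FastEthernet0/2
 port monitor FastEthernet0/3
end
!
! Verify the session: lists the monitoring port and the ports it mirrors.
show port monitor
```

The sensor's command-and-control interface stays on a separate switch port; it is not the one you mirror to.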