Doubts - IDS Sensor (Inside)

senthil
Level 1

Hi all

I have good hands-on experience with IDS Sensors, but I have some elementary doubts.

I would appreciate it if anyone could give me a detailed explanation or any links on the following :-))

1) What's the traffic monitoring capacity (25 Mbps / 100 Mbps) of a Sensor? How does it matter from a design perspective?

2) What's the sequence (down from the sniffing level) of the "TCP Reset" action, and how is it triggered?

3) How well can the CAT6K IDSM safeguard a high volume of traffic (32 Gbps of backplane capacity)?

Thanks in advance

Senthil


marcabal
Cisco Employee

IDS-4210 - Appliance - has a 10/100 Mbps monitoring interface, but the appliance is only rated to monitor up to 45 Mbps.

IDS-4230 - Appliance - has a 10/100 Mbps monitoring interface; the appliance is rated to monitor 100 Mbps.

WS-x6381-IDS - IDSM - IDS Module for the Catalyst 6000 Switch - has an internal Gig monitoring interface connected to the backplane of the switch, but it is only rated for monitoring around 100 Mbps (though many have seen it run just fine at 120 Mbps and higher).

So as you can see the IDSM is rated just slightly higher than the IDS-4230 appliance, but not near the 32 Gbps speeds of the Cat 6K backplane. The IDSM is not meant to be used to monitor all traffic in the switch with a single module. Instead the user must designate what traffic to monitor, and can use multiple modules to monitor higher bandwidths.

As for the design perspective, there are generally 3 ways to send traffic to the sensors.

1) The appliances can have their monitoring interface connected to an ethernet hub. The monitoring interface will see all traffic on the hub up to the performance rating for the sensor. So if your hub has less than 45 Mbps of traffic then the 4210 would be just fine, but if there is more than 45 Mbps then you will need a 4230.

2) The monitoring interface of the appliance could be connected to a switch that supports spanning. In which case the sensing interface is set as a span destination port. If the amount of traffic being spanned is less than 45 Mbps you can use a 4210, more than 45 Mbps the 4230 would be needed. If the switch is a Cat 6K then you could use the IDSM and span and set the monitoring interface of the IDSM as the span destination port and monitor around 120 Mbps.

3) The third method is to use the VACL capture functionality of the Cat 6K. The Vlan ACL is used to designate which packets will be captured. The captured packets are then copied to the original destination as well as to ports designated as capture ports. This was originally designed for copying packets to the monitoring interface of the IDSM, but can also be used with the 4210 and 4230 appliances.

As for TCP Resets, this is a signature response action that is only available in the 4210 and 4230 appliances, and not the IDSM. The user configures a certain signature to have a TCP Reset response action. When that signature fires an alarm, the sensor will look at the TCP packet that triggered the alarm and use it as a basis to form TCP Reset packets. The latest versions of the sensor will send out 100 TCP Resets to the server, and an additional 100 TCP Resets to the client, so that we have the best chance of shutting down the connection. We send out 100 TCP Resets each way because the sensor has to make calculated guesses as to what the next TCP sequence number is, based on the TCP sequence number of the packet that fired the alarm. Each of the 100 TCP Resets has slightly different sequence numbers to give us the best chance of resetting the connection.

For more information about the IDS product lines refer to:

http://www.cisco.com/warp/customer/cc/pd/sqsw/sqidsz/index.shtml

For links to the User Guides for the sensors refer to:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/index.htm
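The reply above explains why the sensor's TCP Reset response sends 100 resets with different sequence numbers rather than one. The following added example (not part of the original post or of Cisco's sensor code) models the receiving endpoint's RFC 793 acceptance test, which honours a RST only if its sequence number falls inside the current receive window, and shows how a connection that has advanced since the alarm packet can defeat a single reset but not a spread of guesses. The guess spacing (one 1460-byte segment per guess) and the window sizes are assumptions for illustration, not Cisco's documented algorithm.

```python
from dataclasses import dataclass

MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits


@dataclass
class Receiver:
    """Minimal model of one endpoint's receive state for the RST check."""
    rcv_nxt: int  # next sequence number the endpoint expects
    rcv_wnd: int  # advertised receive window in bytes

    def accepts_rst(self, seq: int) -> bool:
        # RFC 793: a RST is acceptable only if its sequence number lies in
        # the window [rcv_nxt, rcv_nxt + rcv_wnd). Modular arithmetic
        # handles wraparound of the 32-bit sequence space.
        return (seq - self.rcv_nxt) % MOD < self.rcv_wnd


def reset_guesses(trigger_seq: int, count: int = 100, step: int = 1460) -> list[int]:
    """Sequence numbers a sensor might put in its resets.

    The sensor only knows the sequence number of the packet that fired the
    alarm; the connection may have moved on by the time the RST arrives, so
    the guesses are spread forward. Assumed spread: one typical segment
    (1460 bytes) per guess, 100 guesses per direction as the reply states.
    """
    return [(trigger_seq + i * step) % MOD for i in range(count)]


def count_hits(receiver: Receiver, guesses: list[int]) -> int:
    """How many of the guessed resets the endpoint would honour."""
    return sum(receiver.accepts_rst(s) for s in guesses)


def connection_reset(receiver: Receiver, guesses: list[int]) -> bool:
    """True if at least one guessed reset lands in the receive window."""
    return count_hits(receiver, guesses) > 0


if __name__ == "__main__":
    trigger = 1_000_000  # constructed: seq number of the packet that fired the alarm
    # Constructed scenario: the endpoint has already consumed 50 more
    # segments by the time the resets arrive, with a 64 KiB window.
    advanced = Receiver(rcv_nxt=trigger + 50 * 1460, rcv_wnd=65535)
    print("single RST at trigger seq accepted:", advanced.accepts_rst(trigger))
    print("hits out of 100 spread guesses:", count_hits(advanced, reset_guesses(trigger)))
    # If the connection has raced far ahead, even 100 guesses can miss,
    # which is why the response action is best-effort rather than guaranteed.
    far_ahead = Receiver(rcv_nxt=trigger + 200 * 1460, rcv_wnd=65535)
    print("hits when 200 segments ahead:", count_hits(far_ahead, reset_guesses(trigger)))
```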