Is there or will there soon be a way for a network sensor to drop, reset and or log packets using a switch like the 3500 series? This would be great it seems in stopping internal attacks. I think right now all that can happen is notification of an attack. Any words from the IDS gurus out there?
Read below for blocking (aka shuns, drops), and tcp resets.
All appliance sensor support logging of the packets regardless of the device it is plugged into.
(The Catalyst 6000 module does not support tcp resets, or packet logging, but this is because of hardware constraints of the module and not an issue with the switch)
This already supported and tested on the following switches when using an IDS Appliance:
Catalyst 6000/6500 running Cat OS on the Supervisor (aka Hybrid).
- The sensor uses Vlan ACLs to block on vlans.
- Switch allows TCP Resets in on the span port (inpkts enable must be used), and on VACL Capture ports.
MSFC1 and MSFC2 for the Catalyst 6000/6500 running IOS
- The sensor uses Router ACLs to block on the Vlan interfaces.
- The Switch allows TCP Resets in on the span port (inpkts enable must be used), and on VACL Capture ports.
Catalyst 6000/6500 running IOS on the Supervisor/MSFC (aka Native IOS).
- The sensor uses Router ACLs to block on both the physical and vlan interfaces.
- I haven't tested resets with Native IOS, but I believe the switch does allow it.
Catalyst 5000 switch running Cat OS
- The sensor can manage the RSM (Router Switch Module) using Router ACLs to block on the vlan interfaces.
- TCP Resets will work on span ports (I believe inpkts enable must be used)
Unfortunately I am not that familiar with the 3500 series switches. But here are some of my thoughts and comments:
If the 3500 switch is running IOS and supports Router ACLs, then it is possible that the sensor may work just fine in creating Router ACLs to block on both the physical and vlan interfaces of the switch. We haven't officially tested it yet, but in most cases if the device is running IOS then the sensor can usually manage it. I've seen several users use the sensor to manage devices that weren't on our official supported list and not have any problem. Just be aware that if a problem results the TAC may not support the senor managing the 3500.
If the 3500 switch is running traditional Cat OS then it will not work at this time. Changes would have to be made to the sensor.
If you would like blocking on the 3500 series to be officially supported, then submit an enhancement request through the TAC (on line email support).
As for TCP Resets, I've heard there were some issues with TCP Resets on some of these switches. I knwo some of the switch teams are looking into it, but I don't know what the results have been. You woudl just need to try it on your specific switch, and if it is not supported then submit an enhancement request.
If anyone else has specific experience deploying IDS with a 3500 series switch then please add to this conversation.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
[toc:faq]Introduction:This document describes details on how NAT-T
works.Background:ESP encrypts all critical information, encapsulating
the entire inner TCP/UDP datagram within an ESP header. ESP is an IP
protocol in the same sense that TCP and UDP are I...