New Member

IDSM and shunning a router

Problem is related to the shunning router.

IDSM's are configured to monitor DMZ's and Outside interfaces of a PIX.

If an attack occurs on the Outside of the PIX, the IDSM's are able to shun the Internet-router on the incoming traffic of the serial-interface of the Internet-router.

But how can I detect and prevent attacks on the serial-interface of this Internet-router itself?

I can only detect attacks on the ethernet-interface of this Internet-router connected to the PIX!

1 REPLY
Cisco Employee

Re: IDSM and shunning a router

There is no way for an external IDS appliance to detect attacks directly against the serial-interface of the router.

There is an IDS feature within the IOS Firewall images for some of Cisco's routers. You could try using the IOS Firewall images, and then set up the IDS feature to monitor all traffic directed to the IP addresses of the router itself. (NOTE: the external IDS is already monitoring the packets getting through the router, so you only need the IOS IDS to monitor packets sent directly to the router.)

The IDS alarms in the IOS Firewall are fairly limited when compared to the external appliance. But it could be handy when the IOS IDS and the external IDS are used in conjunction with one another.

As for prevention, the best option here is to set up a Pre-Shun ACL that the IDSM will always prepend to the ACL that it creates on the router.

You can use that Pre-Shun ACL to go ahead and permit any packets that need to get directly to the router IPs, and then deny all other packets destined for the router IPs. So you may only permit packets to your router IP from your service provider's router, and maybe packets from the routers at your other sites, and then deny every other IP from directly contacting your router. Packets destined for IPs inside your network will still get through just fine (unless of course you also add some deny lines to prevent some of those packets as well.)
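What the Pre-Shun ACL described in the reply above looks like on the router, as an added example that is not from the thread or from Cisco documentation. The addresses are placeholders from the RFC 5737 documentation ranges, the ACL name PRE-SHUN and the peer routers are assumptions, and the ACL is meant to be referenced as the IDSM's pre-shun ACL for the inbound direction of the serial interface.

```cisco
! Added example, not the original poster's or Cisco's configuration.
! Assumed addresses (documentation ranges, replace with your own):
!   serial interface of the Internet-router ... 203.0.113.2
!   ethernet interface facing the PIX ......... 192.0.2.1
!   service provider's router ................. 203.0.113.1
!   router at a remote site of ours ........... 198.51.100.10
ip access-list extended PRE-SHUN
 remark --- peers that may talk to the router itself ---
 permit ip host 203.0.113.1 host 203.0.113.2
 permit ip host 198.51.100.10 host 203.0.113.2
 remark --- everyone else aimed at the router's own addresses ---
 remark --- 'log' gives the visibility the IOS IDS cannot fully provide ---
 deny   ip any host 203.0.113.2 log
 deny   ip any host 192.0.2.1 log
 remark --- deliberately no 'permit ip any any' here: the IDSM appends
 remark --- its shun (deny) entries after these lines and adds the
 remark --- final permit itself, so a trailing permit would let shunned
 remark --- hosts through before the shun entries are ever evaluated
```

Transit traffic to hosts behind the PIX still passes unless it matches one of the IDSM's shun entries, and the logged denies give a record of direct attempts against the serial interface that the external IDSM cannot see.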
