Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
474
Views
0
Helpful
4
Replies

Monitoring of a policy in a DMZ

pheuch
Level 1
Level 1

‎02-22-2002 01:17 AM - edited ‎03-08-2019 09:53 PM

I know which connections are allowed in my DMZ. Is it possible to tailor the IDS to report any other connections/communication attempts that I did not allow ?

e.g. a WEB Server has incoming connections on port 80 from outside and port 22 from the internal firewall. Any other connection attempts would be an indicator for a problem.

How can I configure this in the sensor?

Labels:
0 Helpful
4 Replies 4

bwalchez
Level 4
Level 4

‎02-28-2002 01:39 PM

You could use the debugging PIX log files to see if any connection attempt was made. Anyone know if IDS will show anything?

0 Helpful

pheuch
Level 1
Level 1
In response to bwalchez

‎03-01-2002 01:59 AM

The PIX (or any other firewall log) will not show all possible connections. Asume that a host of a DMZ is hacked, the attacker will try to connect to other hosts in the DMZ. If these connections are not normal an IDS system will detect it, but a firewall log does not include any entry, because the network borders are not crossed.

0 Helpful

danrodri
Cisco Employee
Cisco Employee

‎03-01-2002 08:54 AM

The Sensor can be configured to alarm on TCP connections (3000 signatures) and UDP traffic (4000 signatures). You can use the filter mechanism (RecordofExclude) to filter out all alarms except the ones you are interested in detecting. The mechanics of the configuration differ depending if you are using CSPM or the Unix Director. So yes, the IDS can be tailored for this scenario.

Now to use your example, I would have a couple of questions.

1) Where is your Sensor placed? If it is behind a firewall and a connection request is made for TCP port 666, the Sensor would not see this if it is also behind the firewall and this port is being blocked.

2) Are you also going to monitor any outgoing connections from this web server? As mentioned, if a hacker does gain access and attempts to initiate outbound connections, is this allowed for blocked.

Hope this helps

0 Helpful

pheuch
Level 1
Level 1
In response to danrodri

‎03-04-2002 12:49 AM

The sensor will be placed behind a firewall. Otherwise it would not make any sense for this scenario for me. Please correct me, if I'm wron, but the signatures 3000 and 4000, are reacting on some selected ports and not on all ports. It is better than nothing, but not exactly what I want.

The basic idea is, to report any behaviour that is not allowed by the policy. This answers question 2. It has to monitor every connection incoming and outgoing and report any policy breaks. If a web server, for example, is hacked, the attacker will try to use it as a hop for the next hosts in the DMZ, except for web defacements. A sensor placed inside of a DMZ would recognize the unusual connection attempts and give us the ability to check the maschine for intruders.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents