Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Monitoring of a policy in a DMZ

I know which connections are allowed in my DMZ. Is it possible to tailor the IDS to report any other connections/communication attempts that I did not allow ?

e.g. a WEB Server has incoming connections on port 80 from outside and port 22 from the internal firewall. Any other connection attempts would be an indicator for a problem.

How can I configure this in the sensor?

New Member

Re: Monitoring of a policy in a DMZ

You could use the debugging PIX log files to see if any connection attempt was made. Anyone know if IDS will show anything?

New Member

Re: Monitoring of a policy in a DMZ

The PIX (or any other firewall log) will not show all possible connections. Asume that a host of a DMZ is hacked, the attacker will try to connect to other hosts in the DMZ. If these connections are not normal an IDS system will detect it, but a firewall log does not include any entry, because the network borders are not crossed.

Cisco Employee

Re: Monitoring of a policy in a DMZ

The Sensor can be configured to alarm on TCP connections (3000 signatures) and UDP traffic (4000 signatures). You can use the filter mechanism (RecordofExclude) to filter out all alarms except the ones you are interested in detecting. The mechanics of the configuration differ depending if you are using CSPM or the Unix Director. So yes, the IDS can be tailored for this scenario.

Now to use your example, I would have a couple of questions.

1) Where is your Sensor placed? If it is behind a firewall and a connection request is made for TCP port 666, the Sensor would not see this if it is also behind the firewall and this port is being blocked.

2) Are you also going to monitor any outgoing connections from this web server? As mentioned, if a hacker does gain access and attempts to initiate outbound connections, is this allowed for blocked.

Hope this helps

New Member

Re: Monitoring of a policy in a DMZ

The sensor will be placed behind a firewall. Otherwise it would not make any sense for this scenario for me. Please correct me, if I'm wron, but the signatures 3000 and 4000, are reacting on some selected ports and not on all ports. It is better than nothing, but not exactly what I want.

The basic idea is, to report any behaviour that is not allowed by the policy. This answers question 2. It has to monitor every connection incoming and outgoing and report any policy breaks. If a web server, for example, is hacked, the attacker will try to use it as a hop for the next hosts in the DMZ, except for web defacements. A sensor placed inside of a DMZ would recognize the unusual connection attempts and give us the ability to check the maschine for intruders.

CreatePlease to create content