We have just installed a 4210 with CSPM behind a PIX 515. How do you determine if the IDS is actually working? I mean, how do you know without becoming a target for hackers? Are there any procedures or tools that will allow you to test the IDS from the outside?
If you don't have a web server, then the same can still be done for almost any other tcp service you are letting through your firewall.
If you want to validate specific signatures, then you would need to pick a signature and read up on it. Then try executing the attack through your firewall. If the firewall blocks the attack then the sensor will likely not alarm. You'll have to find one that your firewall is letting through, and then the sensor should alarm.
Just to be sure I don't misunderstand you, are you saying that the IDS's promiscuous interface should be connected behind the firewall's DMZ? Currently, we have that interface placed in front of our firewall in the DMZ between the firewall and our outside router. Monitoring and blocking is taking place on the outside router.
I have to say that the documentation for this product reaches a new high in lows. I'm scared to death that the bad guys are running rampant through our network and the IDS is unaware.
Placing of the monitoring interface can be either inside your firewall or outside your firewall.
If inside your firewall you will only be monitoring packets that the firewall is allowing through.
If outside your firewall you will be monitoring the packets that the firewall is allowing through as well as the packets that the firewall is blocking.
In many cases users are inundated with alarms when the sensor is monitoring outside the firewall. Many users are constantly being scanned and attacked, and the IDS is constantly firing off alarms. By placing it inside their firewall they find out that the firewall is doing its job and blocking most of it, so then they only concentrate on the alarms for traffic that is actually being passed through the firewall.
So placement of the monitoring interface is really up to the user. In some cases users have one sensor on the inside that they use on a daily basis, then have a second on the outside. When they notice an attack on the inside then they check the outside to find out what else the attacker may have been doing that the firewall was able to block.
The command and control interface of the sensor, on the other hand, should always be behind the firewall. You should configure your firewall to let the internal sensor IP address connect to the outside router for changing of the router's configuration.
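As an added example (not from this thread; the addresses, ACL and flows are constructed), the script below models the two placements described in the answer above and the earlier reply's point that a signature test only reaches an inside sensor if the firewall permits that service: it evaluates each candidate test flow against a first-match ACL and reports which flows an outside sensor and an inside sensor would each see.

```python
from collections import namedtuple
import ipaddress

# Firewall rule: dst_ports is an inclusive (low, high) tuple, or None for any port.
Rule = namedtuple("Rule", "action proto dst_net dst_ports")
# Candidate test flow, one per signature you intend to validate.
Flow = namedtuple("Flow", "name proto dst_ip dst_port")

def rule_matches(rule, flow):
    if rule.proto not in ("ip", flow.proto):
        return False
    if ipaddress.ip_address(flow.dst_ip) not in ipaddress.ip_network(rule.dst_net):
        return False
    if rule.dst_ports is not None:
        low, high = rule.dst_ports
        if not low <= flow.dst_port <= high:
            return False
    return True

def firewall_permits(acl, flow):
    # First matching rule wins; a Cisco-style ACL ends in an implicit deny.
    for rule in acl:
        if rule_matches(rule, flow):
            return rule.action == "permit"
    return False

def sensor_visibility(acl, flows):
    # An outside sensor sees every flow; an inside sensor sees only what the firewall passes.
    return {f.name: {"outside": True, "inside": firewall_permits(acl, f)} for f in flows}

def usable_tests(acl, flows):
    # Only these flows can be expected to raise an alarm on an inside sensor.
    return [name for name, v in sensor_visibility(acl, flows).items() if v["inside"]]

# Constructed inbound ACL on the firewall's outside interface (assumed addresses).
ACL = (
    Rule("permit", "tcp", "192.0.2.10/32", (80, 80)),
    Rule("permit", "tcp", "192.0.2.10/32", (443, 443)),
    Rule("permit", "tcp", "192.0.2.20/32", (25, 25)),
    Rule("deny", "ip", "0.0.0.0/0", None),
)

# Constructed candidate flows for validation.
FLOWS = (
    Flow("http-to-webserver", "tcp", "192.0.2.10", 80),
    Flow("smtp-to-mailserver", "tcp", "192.0.2.20", 25),
    Flow("telnet-to-webserver", "tcp", "192.0.2.10", 23),
    Flow("dns-udp-to-webserver", "udp", "192.0.2.10", 53),
)
```

Run `usable_tests(ACL, FLOWS)` to get the services worth exercising against an inside sensor; everything else is only observable from a sensor placed outside the firewall.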