Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

The better way to implement IDS

I need to implement a IDS on a Pix failover configuration, I´m new about IDS, can somebody help?

Thanks in advanced

mc

11 REPLIES
New Member

Re: The better way to implement IDS

hi

you have to choose whether u want to put ids behind the firewall or infront of a firewall ,both of them are good but each of which has its own drawback and advantages .

so let say u want to put it infront of a firewall :

u'r IDS monitors all malicious activities and drop packets opun u'r policy .u'r firewall then control traffic flow .

but u cann't monitor traffic flow (what is going on ) in u'r trusted side .

let say u want to put it behind the firewall ,then u'r firewall control inerested traffic and u'r ids monitors trusted network ( a segment ids monitors).

in this case u have to put lots of IDSs because u have not only only one exit door (where ids in untrusted has one door and it is firewall) .

u should monitor all u'r network carefully .

the best choice is a combination of these two ,

if i were u i'd bought two ids or one ids with two monitoring interface ,

i'd pluged once in my sensetive server segemnt and other one in firewall untrusted zone .

Cisco Employee

Re: The better way to implement IDS

Ok, here is my take on this. If you have the resources, then I would implement and IDS on the outside perimeter (in front of the firewall) and one on the inside (behind the firewall).

Now why would I do this. Well, if someone is try to attack or send malicous data from outside I would expect my outside sensor to pick that up, then if one of my machines gets compromised for any reason and it starts creating malicous data, I would expect my inside sensor to catch that.

Hope this help.

THanks.

Obaid.

New Member

Re: The better way to implement IDS

Dear Obaid ,

I really appreciate and welcome ur suggestion about the IDS , it looks to be sound , Well Wana i look for some favour from you am planning to deploy IDS. Since it seems have enough strengths in this area i need some technical documentations and guides or recommened study materials to deploy IDS, I hope you don't disappoint me , look forward to see your email at my email

mdazharali@hotmail.com at the earliest , I am looking for a guide which gives a very clear idea about the configuration parameters and all other issues w\hich covers the deployment area. Look forward to hear from you.

thanks

Azhar

New Member

Re: The better way to implement IDS

IDS can be complicated without implementing the system into your overall security approach - as with any control, it should complement other controls (i.e. your firewall), and an overall approach should be developed to IDS implementation.

KEEP IT SIMPLE during the initial deployment - you'll discover more about your environment and have the ability to alter the deployment plans after reviewing the intial results. Sample approach:

1. Determine what you want to monitor - critical assets, exposed systems, external or internal traffic, etc.

2. After selecting systems to be monitored, determine potential placement of the sensors. Must monitor complete traffic flow (no asynchronous routing), monitor the path of traffic for systems to be monitored, etc.

3. Deploy in a location where alarm rate is not overwhelming. Deployment outside the firewall may be bad for the initial deployment - significant alarms will be generated, but many (i.e. portscans) may be irrelevant. Place in complementary locations with other controls during the initial deployment, such as behind the firewall which will block the "noise".

4. Groom the system, determine incident response plans (i.e. what do you do when an alarm is discovered), etc.

5. Expand the deployment - monitor other systems, deploy in locations supporting the initial sensor (i.e. in front of the firewall, etc.). Conduct per the plan in step 1, based on critical systems to monitor.

New Member

Re: The better way to implement IDS

Thanks a lot for your comments folks, I´ve learned whith them, very useful.

Do u know any very good white paper about that?? ( IDS)

Thanx again for your help.

mc

New Member

Re: The better way to implement IDS

http://www.snort.org/docs/

Many good papers on IDS in general.

New Member

Re: The better way to implement IDS

Why can't you monitor both with one IDS?

You can have your switch port monitor the inside interface on the firewall and the outside interface on the firewall. Have your IDS set to identify inside traffic and outside traffic and capture both. This still seperates the networks via IP subnet so it shouldn't be a security risk.

Am I wrong?

Cisco Employee

Re: The better way to implement IDS

You are right. With IDS version 4.0 and the below hardware, multiple sniffing interfaces on a single IDS is possible.

----------

The Cisco IDS 4200 Series of appliance sensors includes four products: the Cisco IDS 4215, IDS 4235, IDS 4250 and the IDS 4250-XL. The entire Cisco IDS appliance portfolio delivers a broad range of solutions that allow easy integration into many different environments, including enterprise and service provider environments. Each appliance sensor addresses the bandwidth requirements at one of a variety of performance marks, from 80 Mbps to gigabit. Additionally, a variety of interface options are supported, including the provision of multiple sniffing interfaces and copper/fiber interface options.

------------------

More info on the below url

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps4077/index.html

Thanks,

yatin

New Member

Re: The better way to implement IDS

As far as I know multiple sniffing interfaces will be available only with IDS version 4.1 (not released yet); so, at the moment, I think the only possibility is to use one IDS per segment, depending on what exactly has to be monitored.

In an attempt to avoid "noise" - traffic flows which the border router and the firewall will almost certainly block usuallly need not to be monitored - I wuold put the IDS behind the firewall.

Properly configuring SPAN ports on the switches where IDS systems are connected, and eventually using a load balancer supporting a specific "IDS load balancing" algorithm, could help in realizing an IDS system which keeps constantly under control both active and failover links.

Every IDS should be connected to the IDS balancer which receives copies of traffic flows coming from the switches and send them to IDS systems.

Hope this helps ...

Thanks,

Sonia

New Member

Re: The better way to implement IDS

We are considering migrating from a Cisco IDS blade in our 6500 to stand alone appliances. We are ordering the appliances with an additional 4 port fast ethernet monitoring port interface. From the comments, I am concerned that I may have problems using these ports.

Is there any way to monitor a switch segment with out using up limited spanning ports, maybe using 4 port hubs on the segment? How do I achieve multiport monitoring capability with the 4250 appliance?

Also, can I manage these 4250 appliances with my existing Cisco Secure Policy Manager software, or do I have to log into each appliance individually with a browser?

thanks

Mike

New Member

Re: The better way to implement IDS

Hi Mike,

with the new 4.1 software version of IDS 4200 appliances (which has been recently released by Cisco) you shouldn't have any problem when monitoring more than one switched network segment, since this new release enables a full multiport monitoring capability on the appliances.

You can configure your 4250 IDS sensor to monitor traffic flows over a maximum of 5 network segments (not sure if you can configure a different "policy" for every interface - don't think so ...).

The basic idea could be the following:

- enable port monitoring on the switches ("copy" the traffic flow you want to observe to the switch span port);

- connect one of the interfaces of your 4250 to the switch span port.

The only thing to be carefully minded is the aggregated bandwidth limit of the appliance itself: the total amount of traffic you are monitoring cannot exceed thee 4250’s limit of 500 Mbps (or 1000 Mbps in case of the XL model).

With 4.0 software version multiple sniffing interfaces were not supported, although the hardware was ready for the job; so in my previous answer I was suggesting a different solution, based essentially on a load balancing mechanism.

As far as management issues are concerned you can find more information following this link:

http://www.cisco.com/warp/customer/707/idsfaq.html#Q33

I think that, unfortunately, you won’t be able to manage the sensor using CSPM, as reported from Cisco:

http://www.cisco.com/en/US/partner/products/sw/secursw/ps2133/prod_release_note09186a00800d9cc3.html#xtocid3 (supported devices list for CSPM 2.3.2i)

http://www.cisco.com/en/US/products/sw/secursw/ps2133/products_device_support_table09186a00800e6d44.html (supported devices list for CSPM 3.1)

Management options for IDS 42xx are:

- CLI (connection to a single device at a time)

- IDS Device Manager (via browser - connection to a single device at a time)

- Cisco VMS – this is a replacement of CSPM

You can find something about VMS here:

http://www.cisco.com/en/US/products/sw/cscowork/ps3990/index.html

http://www.cisco.com/en/US/products/sw/cscowork/ps3990/products_qanda_item09186a00800e55b8.shtml

Hope this helps ...

Regards,

Sonia

650
Views
0
Helpful
11
Replies
CreatePlease to create content