Solved

Cisco IDS, VPN Concentrator and PIX firewall locations

Posted on 2006-11-08
Last Modified: 2013-11-16
The current design at my workplace is that the VPN concentrator (we have only one) is behind the PIX firewall (we have two; one is for failover), and the IDS is within the DMZ (we have one). I have been asked to rebuild the security system according to best practice.

We have two core switches and a server farm (which are in the right locations).

Any insight about the above design?
Question by:zillah
 

Author Comment

by:zillah
ID: 17897301
I have to add something else which I forgot to mention: the RADIUS server is on my local network, and the Cisco Security Agent is on my local network as well.
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 17898099
You should have the IDS sniffing the ports that go in/out to the Internet and/or the router. You'll want to know what threats are coming into and also leaving the LAN, like web server attacks (incoming) and P2P file sharing (outgoing) for instance. You'll want to span the ports for the respective traffic. A router typically hooks into the network by a FastEthernet port; span that port to the listening port of the IDS.
http://www.ciscopress.com/articles/article.asp?p=25327&seqNum=4&rl=1
http://www.cisco.com/en/US/products/hw/switches/ps679/products_configuration_guide_chapter09186a00800d9e4e.html#xtocid185383
-rich
 

Author Comment

by:zillah
ID: 17898336
Thanks Rich, but do I need to put it in the DMZ?
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 17898987
There are multiple ways you can do this. If there is more than one "sensor" or NIC capable of sniffing, have one look at the traffic in/out of the LAN, and the other at the most direct point for data in/out of the DMZ. I believe you can do more than one SPAN session on a Catalyst switch, but I'm not certain. If you can, span the DMZ in/out port to the other sensor. SPAN can also work per VLAN, so you can have one sensor sniff lots of VLANs, including the DMZ VLAN and the in/out Internet-traffic VLAN. It depends on the amount of traffic going across your LAN/DMZ with a single 100 Mb port: if your LAN traffic is over 100 Mb, then you'll miss packets/data and will need to use a gigabit Cat5 interface on the switch as the destination port of the SPAN session. I'm not sure what options you have, whether the IDS can do fiber (GBIC) or if it's Cat5 10/100/1000 only.
-rich
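The SPAN setup Rich describes in the two comments above, written out for a Catalyst core switch running IOS as an added example (this is not configuration from the thread or from zillah's network; the interface numbers, the VLAN IDs and the assumption that the core switch runs IOS rather than CatOS, whose equivalent is `set span <source> <destination>`, are all placeholders). Session 1 copies both directions of the firewall's inside port and of the DMZ port to one gigabit port where the sensor's sniffing interface is plugged in; session 2 shows the per-VLAN form. The destination is a gigabit port on purpose: two 100 Mb sources mirrored in both directions can offer up to 400 Mb/s, so a 100 Mb destination would drop frames, and an IOS SPAN destination stops forwarding normal traffic, so it must be a port dedicated to the sensor.

```cisco
! Added example: local SPAN on a Catalyst (IOS) core switch. Not from the thread.
! Assumptions: Fa0/1 = PIX inside interface, Fa0/2 = PIX DMZ interface,
! Gi0/25 and Gi0/26 = IDS sensor sniffing interfaces, VLAN 10 = DMZ, VLAN 20 = internal.
configure terminal
!
! Session 1: mirror both directions of the inside and DMZ ports to one sensor port
monitor session 1 source interface FastEthernet0/1 both
monitor session 1 source interface FastEthernet0/2 both
monitor session 1 destination interface GigabitEthernet0/25
!
! Session 2: mirror whole VLANs to a second sensor port, so every port in them is seen
monitor session 2 source vlan 10 both
monitor session 2 source vlan 20 both
monitor session 2 destination interface GigabitEthernet0/26
!
! The sensor-facing port carries mirrored frames only: no CDP chatter to the sensor
interface GigabitEthernet0/25
 description IDS sensor sniffing interface (SPAN destination)
 no cdp enable
end
!
! Verify the sessions, then watch the destination port counters for drops when the
! mirrored traffic exceeds what the destination port can carry
show monitor session all
show interfaces GigabitEthernet0/25 counters
```

The sensor's sniffing interface needs no IP address and should never be the command-and-control interface; if the destination port shows output drops, split the sources across two sessions or move the sensor to a gigabit destination as Rich says.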
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17899197
On the 4215, what code are you running and how many interfaces does it have?

If 5.x, then you can put it in inline mode and have one pair go to the DMZ and another go to your internal network.

Seems like you have a lot of equipment in place, so could you also draw a rough diagram here, I mean using ASCII characters?

Cheers,
Rajesh
 

Author Comment

by:zillah
ID: 17904155
Thanks Guys
[cut]
I'm not sure what options you have, if the IDS can do fiber (gbic) or if its cat5 10/100/1000 only.
[/cut]

[cut]and how many interfaces does it have ?[/cut]
Kindly look at the link below; it is the same as our organization's:
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_installation_and_configuration_guide_chapter09186a008035809a.html


[cut]
What code are you running
[/cut]
Code V4


[cut]
Seems like you have a lot of equipment in place, so would you also have a rough diagram which you can draw here, I mean using ascii characters.
[/cut]

http://img166.imageshack.us/img166/8994/diagram1kc1.jpg


 

Author Comment

by:zillah
ID: 17904180
[cut]
You should have the IDS sniffing the ports that go in/out to the internet and or the router.
[/cut]
What I read in the book "Security in Computing" by Willis H. Ware, 3rd ed., page 452:

"An intrusion detection system is a device that is placed inside a protected network to monitor what occurs within the network. If an attacker is able to pass through the router and pass through the firewall, an intrusion detection system offers the opportunity to detect the attack at the beginning, in progress, or after it has occurred."

Regards
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17904399
You have a giant there but are not utilizing it fully :-(

The IDS-4215 can be used as an IPS instead of an IDS. Which means you can not only sniff, but when it is put in inline mode, attacks are not only detected but can be stopped as well.

http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/prod_bulletin0900aecd801e65b9.html

Look at the link above: your model supports OS version 5.x (from 5.x, inline-mode IPS is supported).


So you can have a network like this;

Internet---------IPS-----------Server-Farm
                       |
                     DMZ

In this case, when you have 4 interfaces, you pair them. 2 interfaces are paired so that one is for incoming and one is for outgoing.

More details can be read at the Cisco site; try to read the feature sets available in the 5.x software.

The advantage, explained in simple words:
1. With IDS (i.e. 4.x code), attacks can only be detected. If the victim is vulnerable, it will be attacked and brought down.

2. With IPS (i.e. 5.x code, inline mode), attacks can be detected and also prevented from reaching the victim machine.

Hope that helps.

Cheers,
Rajesh
 

Author Comment

by:zillah
ID: 17904535
[cut]
and how many interfaces does it have ?
[/cut]
I have to edit: I checked the IDS and found that it has only two Ethernet interfaces (E0, E1). Right now one interface is for the DMZ and the other is connected to the core switch. Any drawback with this connection?

[cut]
In this case, when you have 4 interfaces, you pair them. 2 interfaces are paired so that one for incoming and one for outgoing.
[/cut]
I could not get this. Suppose I have 4 interfaces (you meant to say the IDS has 4 interfaces). In your drawing three of them were used (one for the Internet, one for the DMZ, one for the server farm). What did you mean by pairing two of them for incoming (Internet) and two for outgoing (DMZ and server farm)?

 
LVL 38

Expert Comment

by:Rich Rumble
ID: 17905756
Here is what I was describing (I hope the ASCII formats after I post...):

Internet ----- firewall ---- router ---- Switch ---- hosts
                        |_DMZ     |____IDS sensor
                         |_IDS sensor

More accurately (example ports):
         Switch port 4/5 is where the DMZ plugs into the switch
         Switch port 5/5 is where the "inside" interface of the firewall plugs into the switch
Span ports 4/5 and 5/5 to separate sensors, or they can even be sent to one sensor (if they are on the same blade and right next to each other). The CatOS command is set span <source> <destination>:

set span 4/5-6 6/40     (source ports 4/5 and 4/6, copying all traffic in/out to port 6/40)
set span 4/5 6/40       (DMZ port to the first sensor)
set span 5/5 6/41       (firewall inside port to the second sensor)
-rich
 

Author Comment

by:zillah
ID: 17905857
[cut] Switch port 4/5 is where the DMZ plugs into switch[/cut]
In my schedule the DMZ is not connected to the core switch port (4/5)? I could not get that.
 
LVL 32

Assisted Solution

by:rsivanandan
rsivanandan earned 150 total points
ID: 17905879
What I meant was, after upgrading to the 5.x code, you can put the IDS sensor as a networking device in the path of your network. Which means: take a cable from the firewall and plug it into the IDS sensor, then take another cable and connect it to the switch, so all the traffic goes through it.

Cheers,
Rajesh
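The inline interface pair that Rajesh describes above (the "pair them" diagram earlier and the firewall-to-sensor-to-switch cabling just described), written out in the IPS 5.x sensor CLI as an added example; this is not configuration from the thread. It assumes a 4215 with the 4-port FastEthernet expansion card, because the onboard FastEthernet0/0 is the command-and-control port and cannot be paired and FastEthernet0/1 is the only onboard sensing port, so a two-interface box as zillah reported cannot form a pair without the card. A pair is one logical interface: the sensor bridges frames between its two physical ports, so the firewall's inside cable goes into one port and the core switch into the other, and a second pair sits on the DMZ leg the same way. The pair only inspects traffic once it is assigned to the virtual sensor.

```cisco
! Added example: IPS 5.x sensor CLI on an IDS-4215 assumed to carry the 4FE card.
! FastEthernet0/0 is command-and-control and cannot be paired; all names below are placeholders.
configure terminal
service interface
! Software bypass keeps traffic flowing if the analysis engine stops; it does not
! survive a powered-off sensor, so an inline box needs failover thinking like the PIX pair
bypass-mode auto
! Pair 1 sits between the PIX inside interface and the core switch
inline-interfaces inside-pair
interface1 FastEthernet1/0
interface2 FastEthernet1/1
exit
! Pair 2 sits between the PIX DMZ interface and the DMZ switch
inline-interfaces dmz-pair
interface1 FastEthernet1/2
interface2 FastEthernet1/3
exit
! Each member port must be administratively up or the pair passes nothing
physical-interfaces FastEthernet1/0
admin-state enabled
exit
physical-interfaces FastEthernet1/1
admin-state enabled
exit
physical-interfaces FastEthernet1/2
admin-state enabled
exit
physical-interfaces FastEthernet1/3
admin-state enabled
exit
exit
! Answer yes to the Apply Changes prompt that follows the exit above
!
! Hand both pairs to the virtual sensor so signature actions can deny packets, not just alarm
service analysis-engine
virtual-sensor vs0
logical-interface inside-pair
logical-interface dmz-pair
exit
exit
! Apply Changes prompt again; then leave configuration mode and keep a copy
exit
copy current-config backup-config
! Each pair should be listed with its two members and "Inline Mode = Paired"
show interfaces
```

Check cabling with the pairs first configured but with no deny actions enabled on signatures: an inline sensor that drops good traffic on a false positive takes the firewall path down with it, which is the trade-off Rajesh's point 2 buys.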
 
LVL 38

Accepted Solution

by: Rich Rumble (earned 100 total points)
ID: 17905925
Can a wire be connected to the switch that plugs into the switch that the DMZ plugs into? The ports I gave were examples only. If you can plug the sensors into the switches where the inside and DMZ plug in, all you have to do is span them to the sensor port:
switch1 port 4/5 = firewall inside interface (for example)
switch3 port 6/7 = firewall/DMZ interface
-rich