Cisco IDS and VPN Concentrator, PIX firewall locations

The current design at my work is that the VPN concentrator (we have got only one) is behind the PIX firewall (we have got 2; one is for failover), and the IDS is within the DMZ zone (we have got one). I have been asked to rebuild the security system as best practice.

We have got 2 core switches and a server farm (which are in the right locations).

Any insight about the above design?
 
zillah (Author) commented:
I have to add something else which I forgot to mention: the Radius server is on my local network, and the Cisco Security Agent is on my local network as well.
 
Rich Rumble (Security Samurai) commented:
You should have the IDS sniffing the ports that go in/out to the internet and/or the router. You'll want to know what threats are coming into and also leaving the LAN, like web server attacks (incoming) and P2P file sharing (outgoing) for instance. You'll want to SPAN the ports for the respective traffic. A router typically hooks into the network by a FastEthernet port; SPAN that port to the listening port of the IDS.
http://www.ciscopress.com/articles/article.asp?p=25327&seqNum=4&rl=1
http://www.cisco.com/en/US/products/hw/switches/ps679/products_configuration_guide_chapter09186a00800d9e4e.html#xtocid185383
-rich
 
zillah (Author) commented:
Thanks Rich, but do I need to put it in the DMZ zone?
 
Rich Rumble (Security Samurai) commented:
There are multiple ways you can do this. If there is more than one "sensor" or NIC capable of sniffing, have one look at the traffic in/out of the LAN, and the other at the most direct point for data in/out of the DMZ. I believe you can have more than one SPAN session on a Catalyst switch, but I'm not certain. If you can, SPAN the DMZ in/out port to the other sensor. SPAN can also work by VLAN, so you can have one sensor sniff lots of VLANs, including the DMZ VLAN and the in/out internet traffic VLAN. Depending on the amount of traffic going across your LAN/DMZ, a single 100 Mb port may not be enough. If your LAN traffic is over 100 Mb then you'll miss packets/data and will need to use a Gig Cat5 interface on the switch as the destination port of the SPAN session. I'm not sure what options you have, if the IDS can do fiber (GBIC) or if it's Cat5 10/100/1000 only.
-rich
 
rsivanandan commented:
On the 4215, what code are you running and how many interfaces does it have?

If 5.x, then you can put it in inline mode and have one pair go to the DMZ and another go to your internal network.

Seems like you have a lot of equipment in place, so would you also have a rough diagram which you could draw here, I mean using ASCII characters?

Cheers,
Rajesh
 
zillah (Author) commented:
Thanks Guys
[cut]
I'm not sure what options you have, if the IDS can do fiber (gbic) or if its cat5 10/100/1000 only.
[/cut]

[cut]and how many interfaces does it have ?[/cut]
Kindly look at the link below; it is the same as our organization's.
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_installation_and_configuration_guide_chapter09186a008035809a.html


[cut]
What code are you running
[/cut]
Code V4


[cut]
Seems like you have a lot of equipment in place, so would you also have a rough diagram which you can draw here, I mean using ascii characters.
[/cut]

http://img166.imageshack.us/img166/8994/diagram1kc1.jpg


 
zillah (Author) commented:
[cut]
You should have the IDS sniffing the ports that go in/out to the internet and or the router.
[/cut]
What I read in the book "Security in Computing" by Willis H. Ware, 3rd edition, page 452:

" An Intrusion detection system is a device that is placed inside a protected network to monitor what occurs within the network. If an attacker is able to pass through the router and pass through the firewall, an intrusion detection system offers the opportunity to detect the attack at the beginning, in progress, or after it has occurred."

Regards
 
rsivanandan commented:
You have a giant there but are not utilizing it fully :-(

The IDS-4215 can be used as an IPS instead of an IDS. Which means you can not only sniff but, when it is put in inline mode, attacks are not only detected but can be stopped as well.

http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/prod_bulletin0900aecd801e65b9.html

Look at the link above; your model supports OS version 5.x (from 5.x on, inline mode IPS is supported).


So you can have a network like this;

Internet---------IPS-----------Server-Farm
                       |
                     DMZ

In this case, when you have 4 interfaces, you pair them. 2 interfaces are paired so that one is for incoming and one for outgoing.

More details can be read at the Cisco site; try to read the feature sets available in the 5.x software.

Advantages, explained in simple words:
1. With IDS (i.e. 4.x code), attacks can only be detected. If the victim is vulnerable, it will be attacked and brought down.

2. With IPS (i.e. 5.x code, inline mode), attacks can be detected and also prevented from reaching the victim machine.

Hope that helps.

Cheers,
Rajesh
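The inline interface pairing Rajesh describes above, written out as an IPS 5.x CLI session. This is an added example, not configuration from this thread or from Cisco's documentation. It assumes the 4215 has been upgraded to 5.x code and carries the 4-port FastEthernet expansion card exposing FastEthernet1/0 through 1/3 (on the base unit, to my understanding, FastEthernet0/0 is the command-and-control port and only 0/1 senses, so a single inline pair is not possible without more ports). The pair names "dmz-pair" and "inside-pair" and the choice of which physical port faces which side are hypothetical; lines starting with "!" are annotations, not commands.

```text
! Check the running code first: inline pairs only exist from 5.x on
sensor# show version
sensor# configure terminal
sensor(config)# service interface
! Pair 1 (hypothetical name): firewall/Internet side <-> DMZ segment
sensor(config-int)# inline-interfaces dmz-pair
sensor(config-int-inl)# interface1 FastEthernet1/0
sensor(config-int-inl)# interface2 FastEthernet1/1
sensor(config-int-inl)# exit
! Pair 2 (hypothetical name): firewall inside interface <-> core switch
sensor(config-int)# inline-interfaces inside-pair
sensor(config-int-inl)# interface1 FastEthernet1/2
sensor(config-int-inl)# interface2 FastEthernet1/3
sensor(config-int-inl)# exit
! Software bypass: if the analysis engine stops, traffic keeps flowing
! instead of the sensor becoming an outage for both segments
sensor(config-int)# bypass-mode auto
sensor(config-int)# exit
Apply Changes:?[yes]: yes
! A pair is only inspected once it is assigned to a virtual sensor
sensor(config)# service analysis-engine
sensor(config-ana)# virtual-sensor vs0
sensor(config-ana-vir)# physical-interface dmz-pair
sensor(config-ana-vir)# physical-interface inside-pair
sensor(config-ana-vir)# exit
sensor(config-ana)# exit
Apply Changes:?[yes]: yes
sensor(config)# exit
! Checks: both pairs up and assigned, and alerts being generated
sensor# show interfaces
sensor# show events alert past 00:10:00
```

The operational caveat with inline mode is that the sensor is now in the forwarding path: a pair that is misconfigured, a sensor reboot, or an analysis engine failure with bypass-mode set to off takes the DMZ or the inside segment down with it, which is why the software bypass is set explicitly above and why the two pairs go to different segments rather than both onto one link.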
 
zillah (Author) commented:
[cut]
and how many interfaces does it have ?
[/cut]
I have to edit: I checked the IDS and found that it has only two Ethernet interfaces (E0, E1). Right now one interface is for the DMZ and the other is connected to the core switch. Any drawback with this connection?

[cut]
In this case, when you have 4 interfaces, you pair them. 2 interfaces are paired so that one for incoming and one for outgoing.
[/cut]
I could not get this. Suppose I have got 4 interfaces (you meant to say the IDS has got 4 interfaces). In your drawing three of them were used (one for internet, one for DMZ, one for the server farm). What did you mean by pairing two of them for incoming (internet) and two for outgoing (DMZ and server farm)?

 
Rich Rumble (Security Samurai) commented:
Here is what I was describing (I hope the ASCII formats after I post...):

Internet ----- firewall ---- router ---- Switch ---- host's
                        |_DMZ     |____IDS sensor
                         |_IDS sensor

More accurately (example ports):
         Switch port 4/5 is where the DMZ plugs into the switch
         Switch port 5/5 is where the "inside" interface of the firewall plugs into the switch
SPAN ports 4/5 and 5/5 to separate sensors, or they can even be sent to one sensor (if they are on the same blade and right next to each other).

set span 4/5-6 6/40  (source ports are 4/5 and 4/6, copying all traffic in/out to port 6/40)
set span 4/5 6/40
set span 5/5 6/41
-rich
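The SPAN setup Rich sketches above, spelled out with both directions of traffic, the single-sensor and VLAN-based variants, and the verification commands. This is an added example, not commands from this thread. The port numbers reuse Rich's examples (4/5 = DMZ side, 5/5 = firewall inside, 6/40 and 6/41 = sensor sniffing ports); that 6/40 is a Gigabit port, the VLAN numbers 10 and 20, and the CatOS/IOS switch models are assumptions. Lines starting with "!" are annotations, not commands.

```text
! --- CatOS (e.g. a Catalyst 6500 running CatOS) ---
! Session 1: DMZ port to sensor A, copying receive and transmit
Console> (enable) set span 4/5 6/40 both create
! Session 2: firewall inside port to sensor B, both directions
Console> (enable) set span 5/5 6/41 both create
! Single-sensor alternative: both sources mirrored to one destination.
! Each 100M source can deliver 100M in + 100M out, so two sources can
! push up to 400 Mb/s at the destination; a 100M destination port drops
! the excess silently, hence the (assumed) Gig port 6/40 here.
Console> (enable) set span 4/5,5/5 6/40 both create
! VLAN-based source instead of ports: DMZ VLAN 10 and inside VLAN 20
! (assumed numbers), so the sensor sees the segments rather than one link
Console> (enable) set span 10,20 6/40 both create
! Verify: source, destination, direction and status of every session
Console> (enable) show span

! --- IOS equivalent (a Catalyst switch running IOS) ---
Switch(config)# monitor session 1 source interface GigabitEthernet4/5 both
Switch(config)# monitor session 1 destination interface GigabitEthernet6/40
Switch(config)# monitor session 2 source interface GigabitEthernet5/5 both
Switch(config)# monitor session 2 destination interface GigabitEthernet6/41
! VLAN-based source, one session to one sensor
Switch(config)# monitor session 3 source vlan 10 , 20 both
Switch(config)# monitor session 3 destination interface GigabitEthernet6/40
Switch(config)# end
Switch# show monitor session all
```

Two things to confirm after the session is up: that the sensor's sniffing interface is actually receiving (the sensor's own interface counters should climb as soon as the session is created), and that the destination port is not oversubscribed, since a mirror port that is dropping frames produces an IDS that quietly misses the very attacks it was placed to see.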
 
zillah (Author) commented:
[cut] Switch port 4/5 is where the DMZ plugs into switch[/cut]
In my schematic the DMZ is not connected to the core switch port (4/5)? I could not get that.
 
rsivanandan commented:
What I meant was: after upgrading to 5.x code, you can put the IDS sensor as a networking device in your network. Which means, take a cable from the firewall and plug it into the IDS sensor. Take another cable and connect it to the switch. So all the traffic goes through it.

Cheers,
Rajesh
 
Rich Rumble (Security Samurai) commented:
Can a wire be connected to the switch that the DMZ plugs into? The ports I gave were for examples only. If you can plug the sensors into the switches where the inside and DMZ plug in, all you have to do is SPAN them to the sensor port:
switch1 port 4/5 = firewall inside interface (for example)
switch3 port 6/7 = firewall/DMZ interface
-rich