Solved

Cisco IDS and VPN Concentrator, PIX firewall locations

Posted on 2006-11-08
13
1,170 Views
Last Modified: 2013-11-16
The current design at my work is that the VPN concentrator (we have got only one) is behind the PIX firewall (we have got 2; one is for failover), and the IDS is within the DMZ zone (we have got one). I have been asked to rebuild the security system as best practice.

We have got 2 core switches and a server farm (which are in the right locations).

Any insight about the above design?
0
Question by:zillah
13 Comments
 

Author Comment

by:zillah
ID: 17897301
I have to add something else which I forgot to mention: the Radius Server is on my local network, and Cisco Security Agent is on my local network as well.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 17898099
You should have the IDS sniffing the ports that go in/out to the internet and/or the router. You'll want to know what threats are coming into and also leaving the LAN, like web server attacks (incoming) and P2P file sharing (outgoing) for instance. You'll want to span the ports for the respective traffic. A router typically hooks into the network by a FastEthernet port; span that port to the listening port of the IDS.
http://www.ciscopress.com/articles/article.asp?p=25327&seqNum=4&rl=1
http://www.cisco.com/en/US/products/hw/switches/ps679/products_configuration_guide_chapter09186a00800d9e4e.html#xtocid185383
-rich
0
 

Author Comment

by:zillah
ID: 17898336
Thanks Rich, but do I need to put it in the DMZ zone?
0

 
LVL 38

Expert Comment

by:Rich Rumble
ID: 17898987
There are multiple ways you can do this. If there is more than one "sensor" or NIC capable of sniffing, have one look at the traffic in/out of the LAN, and the other at the most direct point for data in/out of the DMZ. I believe you can do more than one span session on a Catalyst switch, but I'm not certain. If you can, span the DMZ in/out port to the other sensor. Span ports can also work via VLAN, so you can have one sensor sniff lots of VLANs, including the DMZ VLAN and the in/out internet traffic VLAN. Depending on the amount of traffic going across your LAN/DMZ, a single 100mb port. If your LAN traffic is over 100mb then you'll miss packets/data and will need to use a Gig Cat5 interface on the switch to be the dst port of the span session. I'm not sure what options you have, if the IDS can do fiber (GBIC) or if it's Cat5 10/100/1000 only.
-rich
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17899197
On the 4215, what code are you running and how many interfaces does it have?

If 5.x, then you can put it in inline mode and have one pair go to the DMZ and another go to your internal network.

Seems like you have a lot of equipment in place, so do you also have a rough diagram which you could draw here, I mean using ASCII characters?

Cheers,
Rajesh
0
 

Author Comment

by:zillah
ID: 17904155
Thanks guys.

[cut]
I'm not sure what options you have, if the IDS can do fiber (gbic) or if its cat5 10/100/1000 only.
[/cut]

[cut]and how many interfaces does it have ?[/cut]
Kindly look at the link below; it is the same as our organization's:
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_installation_and_configuration_guide_chapter09186a008035809a.html

[cut]
What code are you running
[/cut]
Code V4

[cut]
Seems like you have a lot of equipment in place, so would you also have a rough diagram which you can draw here, I mean using ascii characters.
[/cut]
http://img166.imageshack.us/img166/8994/diagram1kc1.jpg


0
 

Author Comment

by:zillah
ID: 17904180
[cut]
You should have the IDS sniffing the ports that go in/out to the internet and or the router.
[/cut]
What I read in the "Security in Computing" book by Willis H. Ware, 3rd ed., page 452:

" An Intrusion detection system is a device that is placed inside a protected network to monitor what occurs within the network. If an attacker is able to pass through the router and pass through the firewall, an intrusion detection system offers the opportunity to detect the attack at the beginning, in progress, or after it has occurred."

Regards
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17904399
You are having a giant there but not utilizing it fully :-(

The IDS-4215 can be used as an IPS instead of an IDS. This means that when put in inline mode, attacks are not only detected but can be stopped as well.

http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/prod_bulletin0900aecd801e65b9.html

Look at the link above; your model supports OS version 5.x (from 5.x, inline mode IPS is supported).

So you can have a network like this:

Internet---------IPS-----------Server-Farm
                       |
                     DMZ

In this case, when you have 4 interfaces, you pair them. 2 interfaces are paired so that one is for incoming and one for outgoing.

More details can be read at the Cisco site; try to read the feature sets available on the 5.x software.

Advantages, explained in simple words:
1. With IDS (i.e. 4.x code), attacks can only be detected. If the victim is vulnerable, it will be attacked and brought down.

2. With IPS (i.e. 5.x code, inline mode), attacks can be detected and also prevented from reaching the victim machine.

Hope that helps.

Cheers,
Rajesh
0
 

Author Comment

by:zillah
ID: 17904535
[cut]
and how many interfaces does it have ?
[/cut]
I have to edit: I checked the IDS and found that it has only two Ethernet interfaces (E0, E1). Right now one interface is for the DMZ and the other is connected to the core switch. Any drawback with this connection?

[cut]
In this case, when you have 4 interfaces, you pair them. 2 interfaces are paired so that one for incoming and one for outgoing.
[/cut]
I could not get this. Suppose I have got 4 interfaces (you meant to say the IDS has got 4 interfaces). In your drawing three of them were used (one for the internet, one for the DMZ, one for the server farm). What did you mean by pairing two of them for incoming (internet) and two for outgoing (DMZ and server farm)?

0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 17905756
Here is what I was describing (I hope the ASCII formats after I post...):

Internet ----- firewall ---- router ---- Switch ---- host's
                        |_DMZ     |____IDS sensor
                         |_IDS sensor

More accurately (example ports):
         Switch port 4/5 is where the DMZ plugs into the switch
         Switch port 5/5 is where the "inside" interface of the firewall plugs into the switch
Span ports 4/5 and 5/5 to separate sensors, or they can even be sent to one sensor (if they are on the same blade and right next to each other):

set port span 4/5-6 6/40  (src ports are 4/5 and 4/6, cc'ing all traffic in/out to port 6/40)
set port span 4/5 6/40
set port span 5/5 6/41
-rich
0
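The same two tap points in Cisco IOS SPAN syntax, as an added illustration that is not part of Rich's post or the thread's own configuration. It assumes an IOS-based Catalyst that supports two local SPAN sessions, the thread's example port numbers (4/5 for the DMZ side, 5/5 for the firewall inside interface, 6/40 and 6/41 as sensor ports), and VLAN numbers 10 and 20 chosen here as placeholders for the VLAN-based variant.

```cisco
! Added example (not from the thread): IOS-style local SPAN for the two
! tap points described above. Port numbers are the thread's example ports.
!
! Session 1: copy both directions of the DMZ uplink (4/5) to sensor port 6/40
monitor session 1 source interface GigabitEthernet4/5 both
monitor session 1 destination interface GigabitEthernet6/40
!
! Session 2: copy the firewall inside interface (5/5) to a second sensor port
monitor session 2 source interface GigabitEthernet5/5 both
monitor session 2 destination interface GigabitEthernet6/41
!
! Alternative for a single-NIC sensor: source the session from VLANs instead
! of physical ports (DMZ VLAN and internet-edge VLAN; 10 and 20 are assumed).
! A session takes either port sources or VLAN sources, not a mix of both.
! monitor session 1 source vlan 10 , 20
! monitor session 1 destination interface GigabitEthernet6/40
!
! Verify the sessions, then watch the destination port for output drops:
! drops there mean the mirrored traffic exceeds the sensor link, which is
! the "over 100mb and you'll miss packets" concern raised above.
show monitor session all
show interfaces GigabitEthernet6/40 | include drops
```

A SPAN destination port only carries mirrored traffic, so the sensor's sniffing NIC on 6/40 or 6/41 cannot also be its management interface.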
 

Author Comment

by:zillah
ID: 17905857
[cut] Switch port 4/5 is where the DMZ plugs into switch[/cut]
In my schedule the DMZ is not connected to the core switch port (4/5)? I could not get that.
0
 
LVL 32

Assisted Solution

by:rsivanandan
rsivanandan earned 150 total points
ID: 17905879
What I meant was, after upgrading to 5.x code, you can put the IDS sensor as a networking device in the middle of your network. This means: take a cable from the firewall and plug it into the IDS sensor, then take another cable and connect it to the switch. So all the traffic goes through it.

Cheers,
Rajesh
0
 
LVL 38

Accepted Solution

by: Rich Rumble
Rich Rumble earned 100 total points
ID: 17905925
Can a wire be connected to the switch that plugs into the switch the DMZ plugs into? The ports I gave were for examples only. If you can plug the sensors into the switches where the inside and DMZ plug in, all you have to do is span them to the sensor port:
switch1 port 4/5 = firewall inside interface (for example)
switch3 port 6/7 = firewall/DMZ interface
-rich
0