Cisco IDS and VPN Concentrator, PIX firewall locations

The current design at my workplace is that the VPN concentrator (we have only one) is behind the PIX firewall (we have two; one is for failover), and the IDS is within the DMZ zone (we have one). I have been asked to rebuild the security system as best practice.

We have two core switches and a server farm (which are in the right locations).

Any insight about the above design?
zillahAsked:

zillahAuthor Commented:
I have to add something else which I forgot to mention: the RADIUS server is on my local network, and Cisco Security Agent is on my local network as well.
0
Rich RumbleSecurity SamuraiCommented:
You should have the IDS sniffing the ports that go in/out to the internet and/or the router. You'll want to know what threats are coming into and also leaving the LAN, like web server attacks (incoming) and P2P file sharing (outgoing) for instance. You'll want to span the ports for the respective traffic. A router typically hooks into the network by a FastEthernet port; span that port to the listening port of the IDS.
http://www.ciscopress.com/articles/article.asp?p=25327&seqNum=4&rl=1
http://www.cisco.com/en/US/products/hw/switches/ps679/products_configuration_guide_chapter09186a00800d9e4e.html#xtocid185383
-rich
0
zillahAuthor Commented:
Thanks Rich, but do I need to put it in the DMZ zone?
0
Rich RumbleSecurity SamuraiCommented:
There are multiple ways you can do this. If there is more than one "sensor" or NIC that is capable of sniffing, have one look at the traffic in/out of the LAN, and the other at the most direct point for data in/out of the DMZ. I believe you can do more than one span session on a Catalyst switch, but I'm not certain. If you can, span the DMZ in/out port to the other sensor. Span ports can also work via VLAN, so you can have one sensor sniff lots of VLANs, including the DMZ VLAN and the in/out internet traffic VLAN. Depending on the amount of traffic going across your LAN/DMZ, a single 100 Mb port. If your LAN traffic is over 100 Mb then you'll miss packets/data and will need to use a Gig Cat5 interface on the switch to be the dst port of the span session. I'm not sure what options you have, if the IDS can do fiber (GBIC) or if it's Cat5 10/100/1000 only.
-rich
0
rsivanandanCommented:
On the 4215, what code are you running and how many interfaces does it have?

If 5.x, then you can put it in inline mode and have one pair go to the DMZ and another go to your internal network.

Seems like you have a lot of equipment in place, so would you also have a rough diagram which you can draw here? I mean using ASCII characters.

Cheers,
Rajesh
0
zillahAuthor Commented:
Thanks Guys
[cut]
I'm not sure what options you have, if the IDS can do fiber (GBIC) or if it's Cat5 10/100/1000 only.
[/cut]

[cut]and how many interfaces does it have?[/cut]
Kindly look at the link below; it is the same as our organization's:
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_installation_and_configuration_guide_chapter09186a008035809a.html


[cut]
What code are you running
[/cut]
Code V4


[cut]
Seems like you have a lot of equipment in place, so would you also have a rough diagram which you can draw here? I mean using ASCII characters.
[/cut]
http://img166.imageshack.us/img166/8994/diagram1kc1.jpg


0
zillahAuthor Commented:
[cut]
You should have the IDS sniffing the ports that go in/out to the internet and/or the router.
[/cut]
What I read in the "Security in Computing" book by Willis H. Ware, 3rd edition, page 452:

"An intrusion detection system is a device that is placed inside a protected network to monitor what occurs within the network. If an attacker is able to pass through the router and pass through the firewall, an intrusion detection system offers the opportunity to detect the attack at the beginning, in progress, or after it has occurred."

Regards
0
rsivanandanCommented:
You have a giant there but are not utilizing it fully :-(

The IDS-4215 can be used as an IPS instead of an IDS, which means you can not only sniff, but when it is put in inline mode, attacks are not only detected but can be stopped as well.

http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/prod_bulletin0900aecd801e65b9.html

Look at the link above; your model supports OS version 5.x (from 5.x the inline mode IPS is supported).


So you can have a network like this:

Internet---------IPS-----------Server-Farm
                       |
                     DMZ

In this case, when you have 4 interfaces, you pair them. 2 interfaces are paired so that one is for incoming and one for outgoing.

More details can be read on the Cisco site; try to read the feature sets available on the 5.x software.

Advantages, explained in simple words:
1. With IDS (i.e., 4.x code), attacks can only be detected. If the victim is vulnerable, it will be attacked and brought down.

2. With IPS (i.e., 5.x code, inline mode), attacks can be detected and also prevented from reaching the victim machine.

Hope that helps.

Cheers,
Rajesh
0
zillahAuthor Commented:
[cut]
and how many interfaces does it have?
[/cut]
I have to edit: I checked the IDS and found that it has only two Ethernet interfaces (E0, E1). Right now one interface is for the DMZ and the other is connected to the core switch. Any drawback with this connection?

[cut]
In this case, when you have 4 interfaces, you pair them. 2 interfaces are paired so that one is for incoming and one for outgoing.
[/cut]
I could not get this. Suppose I have 4 interfaces (you meant to say the IDS has 4 interfaces). In your drawing three of them were used (one for the internet, one for the DMZ, one for the server farm). What did you mean by pairing two of them for incoming (internet) and two for outgoing (DMZ and server farm)?

0
Rich RumbleSecurity SamuraiCommented:
Here is what I was describing (I hope the ASCII formats after I post...):

Internet ----- firewall ---- router ---- Switch ---- hosts
                        |_DMZ     |____IDS sensor
                         |_IDS sensor

More accurately...
(example ports)
         Switch port 4/5 is where the DMZ plugs into the switch
         Switch port 5/5 is where the "inside" interface of the firewall plugs into the switch
Span ports 4/5 and 5/5 to separate sensors, or they can even be sent to one sensor (if they are on the same blade and right next to each other):

set port span 4/5-6 6/40  (src ports are 4/5 and 4/6, cc'ing all traffic in/out to port 6/40)
set port span 4/5 6/40
set port span 5/5 6/41
-rich
0
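The same two-source mirroring arrangement, written in the IOS-style `monitor session` syntax that most later Catalyst switches use instead of the CatOS `set port span` form. This is an added example, not Rich's configuration or a Cisco-published one; the interface numbers, the VLAN ids and the assumption that the sensor's two sniffing NICs sit on two free gigabit ports are all mine.

```cisco
! Added example (assumed interface numbering): IOS-style SPAN equivalent of the
! CatOS lines above. Gi1/0/5 = firewall "inside" interface, Gi1/0/6 = DMZ uplink,
! Gi1/0/40 and Gi1/0/41 = the sensor's two sniffing NICs.
!
! Session 1: copy everything entering and leaving the firewall inside port
! to the sensor's first NIC.
monitor session 1 source interface GigabitEthernet1/0/5 both
monitor session 1 destination interface GigabitEthernet1/0/40
!
! Session 2: copy the DMZ uplink to the sensor's second NIC, so DMZ traffic
! and inside/outside traffic are kept on separate sensing interfaces.
monitor session 2 source interface GigabitEthernet1/0/6 both
monitor session 2 destination interface GigabitEthernet1/0/41
!
! Alternative for a sensor with a single sniffing NIC: mirror whole VLANs
! (VLAN ids assumed) into one session instead of individual ports.
! monitor session 3 source vlan 10 both
! monitor session 3 source vlan 20 both
! monitor session 3 destination interface GigabitEthernet1/0/40
!
! Checks: confirm the sessions exist and watch the destination port for drops.
! Mirroring "both" directions of a 100 Mb/s source can produce up to 200 Mb/s
! of copies, which a 100 Mb/s destination port silently discards; that is the
! oversubscription problem Rich describes, and it shows up as output drops here.
! show monitor session all
! show interfaces GigabitEthernet1/0/40 | include output drops
```

A SPAN destination port only copies traffic out to the sensor; it does not forward anything the sensor sends back in, which is why a span-fed sensor can detect but not block. That is the distinction between this setup and the inline pairing Rajesh describes.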
zillahAuthor Commented:
[cut]Switch port 4/5 is where the DMZ plugs into the switch[/cut]
In my schedule the DMZ is not connected to the core switch port (4/5)? I could not get that.
0
rsivanandanCommented:
What I meant was, after upgrading to 5.x code, you can put the IDS sensor as a networking device in the path of your network. Which means: take a cable from the firewall and plug it into the IDS sensor. Take another cable and connect it to the switch. So all the traffic goes through that.

Cheers,
Rajesh
0
Rich RumbleSecurity SamuraiCommented:
Can a wire be connected to the switch that does plug into the switch that the DMZ plugs into? The ports I gave were for examples only. If you can plug the sensors into the switches where the inside and DMZ plug in, all you have to do is span them to the sensor port:
switch1 port 4/5 = firewall inside interface (for example)
switch3 port 6/7 = firewall/DMZ interface
-rich
0