sportsboy

asked on 

Cisco IPS 4260

Hi, I am new to the Cisco IPS 4260 and am trying to learn this tool.

Is there a good resource/guide to get started?
What are the best reports available in it?
What is the most that can be done with it?

Thanks
Cisco, Network Analysis, Routers

sportsboy

ASKER

What kind of IPS is this? Behavior based? Anomaly? Pattern based?
sportsboy

ASKER

What kind of reporting tool comes along with this device?

Do we need to order any separate tool to have better traffic and attack analysis?
sportsboy

ASKER

Thanks for your help.

What technical points should we consider while deploying this IPS?
Are there any particular drawbacks?

Soulja

The only thing I can think of at the moment is to put it inside your firewall and not outside. You just want to monitor traffic being allowed in. Also, I would start out using it in promiscuous (IDS) mode first and just monitor traffic and anomalies. Then, when you are ready, enable IPS mode to stomp on strange traffic.
sportsboy

ASKER

I understand your point, but for a strong debate, what points (big disadvantages) can be made against

IPS as inline?

Second, can we use this device as an IDS?

Soulja

Per the second link I provided above:

Promiscuous Mode

In promiscuous mode, packets do not flow through the sensor. The sensor analyzes a copy of the monitored traffic rather than the actual forwarded packet. The advantage of operating in promiscuous mode is that the sensor does not affect the packet flow with the forwarded traffic. The disadvantage of operating in promiscuous mode, however, is the sensor cannot stop malicious traffic from reaching its intended target for certain types of attacks, such as atomic attacks (single-packet attacks). The response actions implemented by promiscuous sensor devices are post-event responses and often require assistance from other networking devices, for example, routers and firewalls, to respond to an attack. While such response actions can prevent some classes of attacks, in atomic attacks the single packet has the chance of reaching the target system before the promiscuous-based sensor can apply an ACL modification on a managed device (such as a firewall, switch, or router).

Inline Interface Mode

Operating in inline interface pair mode puts the IPS directly into the traffic flow and affects packet-forwarding rates making them slower by adding latency. This allows the sensor to stop attacks by dropping malicious traffic before it reaches the intended target, thus providing a protective service. Not only is the inline device processing information on Layers 3 and 4, but it is also analyzing the contents and payload of the packets for more sophisticated embedded attacks (Layers 3 to 7). This deeper analysis lets the system identify and stop and/or block attacks that would normally pass through a traditional firewall device.

In inline interface pair mode, a packet comes in through the first interface of the pair on the sensor and out the second interface of the pair. The packet is sent to the second interface of the pair unless that packet is being denied or modified by a signature.
sportsboy

ASKER

Make my life easy.

If you are the boss, which way will you go:

inline or offline?

And why? :p
Soulja

I would go inline as the IPS will be more effective, because the traffic is passing through it, whereas out of band, the IPS can truly intercept the traffic, but will try to inject or disrupt the traffic flow of the stream in question. I would still start out in promiscuous mode so that you can weed out all the false positive alerts, then move on to true IPS mode.
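
An added example, not part of the original thread or of Cisco's documentation: a small Python model of the trade-off discussed above (promiscuous versus inline, and tuning in alert-only mode before blocking). The traffic, the 50 ms delay for pushing an ACL to a managed device and the 0.2 ms inline latency are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    t_ms: float      # time the packet (or its copy) reaches the sensor
    flow: str        # flow identifier
    malicious: bool  # ground truth, known only because the data is constructed
    alerts: bool     # True if a signature fires on this packet

def simulate(packets, mode, respond=True, block_delay_ms=50.0, inline_latency_ms=0.2):
    """mode is 'promiscuous' or 'inline'; respond=False means alert only."""
    block_active_at = {}  # flow -> time the ACL on the managed device takes effect
    stats = {"alerts": 0, "attack_delivered": 0, "benign_dropped": 0,
             "latency_ms": inline_latency_ms if mode == "inline" else 0.0}
    for p in sorted(packets, key=lambda pkt: pkt.t_ms):
        if mode == "inline":
            # The real packet passes through the sensor, so a deny acts on it directly.
            dropped = p.alerts and respond
        else:
            # Only a copy is inspected: the packet is stopped only if an earlier
            # alert on its flow has already become an ACL on another device.
            dropped = p.t_ms >= block_active_at.get(p.flow, float("inf"))
        seen = mode == "inline" or not dropped
        if seen and p.alerts:
            stats["alerts"] += 1
            if mode == "promiscuous" and respond:
                block_active_at.setdefault(p.flow, p.t_ms + block_delay_ms)
        if dropped:
            stats["benign_dropped"] += not p.malicious
        else:
            stats["attack_delivered"] += p.malicious
    return stats

# Constructed traffic: A = atomic (single-packet) attack, B = multi-packet
# attack, C = benign flow on which one packet triggers a false positive.
TRAFFIC = (
    [Packet(0, "A", True, True)]
    + [Packet(t, "B", True, True) for t in (10, 20, 100, 200)]
    + [Packet(5, "C", False, False), Packet(30, "C", False, True),
       Packet(120, "C", False, False), Packet(300, "C", False, False)]
)

if __name__ == "__main__":
    for label, kwargs in [("promiscuous, alert only", dict(mode="promiscuous", respond=False)),
                          ("promiscuous, ACL blocking", dict(mode="promiscuous")),
                          ("inline, deny packet", dict(mode="inline"))]:
        print(f"{label:28s}", simulate(TRAFFIC, **kwargs))
```

In this model the alert-only run surfaces the false positive on flow C without dropping anything, which is the tuning step recommended before enabling prevention.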
sportsboy

ASKER

Great answer, thanks a lot.

As a PM, I want to make a selection list for inline vs. out-of-band deployment for a business case. Is there any helpful material you can suggest for this specific need?
Istvan Kalmar

This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.