[c-nsp] IDS Recommendations - Cisco?

Gregori Parker Gregori.Parker at theplatform.com
Fri Feb 6 17:10:46 EST 2009


I would highly recommend keeping some sort of firewall to ACL/NAT
upstream from your hosts...I personally don't put a lot of stock into
host-based firewalling as one's sole means of protection.  If the FWSM
didn't serve you well (all my problems with FWSM went away since 3.1.6),
you could look into the ASA 5500, or better yet work with TAC to get
your FWSM hardware issues resolved/units replaced.

Anyways, I don't want to second-guess your architecture or reasons, but
IME it's best to have an IDSM passively monitoring a span port behind
the firewall or load-balancer.  The idea here is that you want the
limiting factor upstream from the IDS so that it's not processing
packets/connections that will be dropped/refused anyways.  The IDSM
doesn't act as a firewall, even if you choose to put it inline (I'd
recommend against that unless you really want active mitigation and your
traffic rate is well below 400mbps), and it requires much more tuning to
be useful.
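As an added illustration of the placement described above (not part of either message, and not taken from any Cisco document), here is a sketch of Catalyst 6500 native IOS configuration that puts the limiting factor upstream of the sensor: an access-list applied outbound on the server-facing SVI limits exposure first, and a VLAN SPAN session then hands the IDSM-2 only the traffic that survived that ACL. The VLAN number, the 192.0.2.0/24 addresses, the permitted ports and the IDSM slot (5) are assumed placeholders, not values from the thread.

```cisco
! Example only: ACL restricting what reaches the server VLAN.
! Only the services the farm publishes are permitted; everything else is dropped.
ip access-list extended SERVER-VLAN-OUT
 permit tcp any host 192.0.2.10 eq 25
 permit tcp any host 192.0.2.11 eq 80
 permit tcp any host 192.0.2.11 eq 443
 permit tcp any 192.0.2.0 0.0.0.255 established
 deny   ip any any
!
! Server-farm SVI (assumed VLAN 100), redundant with HSRP as in the original post.
! Applying the ACL in the "out" direction filters traffic leaving the MSFC toward
! the servers, i.e. the inbound exposure from the rest of the network.
interface Vlan100
 description Server farm (example)
 ip address 192.0.2.2 255.255.255.0
 standby 100 ip 192.0.2.1
 standby 100 priority 110
 standby 100 preempt
 ip access-group SERVER-VLAN-OUT out
!
! Passive monitoring: copy the VLAN's traffic to the IDSM-2 in slot 5 (assumed).
! Packets dropped by the SVI ACL never enter the VLAN, so the sensor only sees
! traffic that actually reached the hosts and spends its budget on real events.
monitor session 1 source vlan 100 both
monitor session 1 destination intrusion-detection-module 5 data-port 1
```

Two practical points follow from the ordering. First, the IDSM in this mode is a consumer of copies, not a forwarding hop, so a sensor failure or overload degrades detection but not service. Second, adding `log` to the final `deny` on a 6500 punts matched packets to the MSFC CPU, so if you want visibility of what the ACL is rejecting, rate-limit it or count hits with `show ip access-lists` rather than logging every packet.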


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Paul Stewart
Sent: Friday, February 06, 2009 1:46 PM
To: 'Cisco-nsp'
Subject: [c-nsp] IDS Recommendations - Cisco?

Hi there...

Our server farms hang off a pair of 6509's today.  The SVI interfaces are
redundant with HSRP for each VLAN that feeds the servers.... Sup2/MSFC2
running native IOS.

So, we're looking for IDS/firewall solutions to protect a few of the VLANs
in particular.  We did have a pair of FWSMs in these boxes but had a lot of
grief getting them running only to be faced with hardware failure problems.
They are removed from the picture now.

Several options exist but I'm wondering if a pair of IDSM-2 would serve us
better - each server has its own firewall and we can do some 'basic
limiting' with access-lists to complement the efforts made by the servers
already.

Our approach is two-staged - first is to limit the exposure and secondly is
to be as secure as possible on the traffic that is exposed.  Since these
server farms do email, web hosting and other public facing service provider
tasks I believe we'll be better investing in IDSM blades or similar...

Another option was to put a pair of Juniper IDP boxes on those VLANs and
use STP to dump the traffic through them...

Thoughts?  I realize this is kind of a very brief overview - don't want to
bore everyone with our security policies ;)

Thanks,

Paul


_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
