[c-nsp] IDS Recommendations - Cisco?

Paul Stewart paul at paulstewart.org
Fri Feb 6 19:24:34 EST 2009


Thanks for the response...

What we have today is ACL's on the 6500's and then iptables on the Linux
boxes for example.  This has worked fairly well and is basic to administer.
My underlying goal is to have an inline IDS solution that will actively
block (inline) on configured severe signatures - of course the tuning aspect
of this is going to take a lot of work.

A good example to paint a picture here is that some of these servers are for
web hosting.  If a client uploads a php script (example) that has a
vulnerability we would like the IDS to trip on it - again we can't have the
world but that's kind of what I have in mind.  This could be something that
triggers based on sudden SMTP activity where the script is being used
maliciously to send out spam (seen that before).  Just an example but
hopefully that helps share a bit better what we had in mind.  These servers
do a combined throughput of probably 100Mb/s at peak.

I could think of many more scenarios but at a high level I'm looking for
vendor/product recommendations based on actual usage if possible.  Since
we're primarily a Cisco shop I'd love to use something from Cisco but having
said that we want the best solution when possible.  Another option to
consider may be a Sourcefire 3D solution or similar too (powered by Snort).

Appreciate the input...
Paul


-----Original Message-----
From: Gregori Parker [mailto:Gregori.Parker at theplatform.com] 
Sent: February 6, 2009 5:11 PM
To: Paul Stewart; Cisco-nsp
Subject: RE: [c-nsp] IDS Recommendations - Cisco?

I would highly recommend keeping some sort of firewall to ACL/NAT
upstream from your hosts...I personally don't put a lot of stock into
host-based firewalling as one's sole means of protection.  If the FWSM
didn't serve you well (all my problems with FWSM went away since 3.1.6),
you could look into the ASA 5500, or better yet work with TAC to get
your FWSM hardware issues resolved/units replaced.

Anyways, I don't want to second-guess your architecture or reasons, but
IME it's best to have an IDSM passively monitoring a span port behind
the firewall or load-balancer.  The idea here is that you want the
limiting factor upstream from the IDS so that it's not processing
packets/connections that will be dropped/refused anyways.  The IDSM
doesn't act as a firewall, even if you choose to put it inline (I'd
recommend against that unless you really want active mitigation and your
traffic rate is well below 400mbps), and it requires much more tuning to
be useful.


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Paul Stewart
Sent: Friday, February 06, 2009 1:46 PM
To: 'Cisco-nsp'
Subject: [c-nsp] IDS Recommendations - Cisco?

Hi there...

Our server farms hang off a pair of 6509's today.  The SVI interfaces
are
redundant with HSRP for each VLAN that feeds the servers.... Sup2/MSFC2
running native IOS.

So, we're looking for IDS/firewall solutions to protect a few of the
VLAN's
in particular.  We did have a pair of FWSM's in these boxes but had a
lot of
grief getting them running only to be faced with hardware failure
problems.
They are removed from the picture now.

Several options exist but I'm wondering if a pair of IDSM-2 would serve
us
better - each server has its own firewall and we can do some 'basic
limiting' with access-lists to compliment the efforts made by the
servers
already.  

Our approach is two staged - first is to limit the exposure and secondly
is
to be as secure as possible on the traffic that is exposed.  Since these
server farms do email, web hosting and other public facing service
provider
tasks I believe we'll be better investing in IDSM blades or similar...

Another option was to put a pair of Juniper IDP boxes on those VLAN's
and
use STP to dump the traffic through them...

Thoughts?  I realize this is kind of a very brief overview - don't want
to
bore everyone with our security policies ;)

Thanks,

Paul


_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/



More information about the cisco-nsp mailing list