IDS 4215, right place for a sniffing interface (DMZ or LAN)

I have got at work this sensor with two interfaces only, and I have been asked to check that.

IDSWORK# show version
Application Partition:
Cisco Systems Intrusion Detection Sensor, Version 4.1(1)S47

OS Version 2.4.18-5smpbigphys-4215
Platform: IDS-4215

One interface, which is Ethernet 0 (not FastEthernet), is connected to a switch in the DMZ, and Ethernet 1 is connected to switch 4005. Logically I have to monitor the DMZ zone, not switch 4005 (since I have got only two interfaces in my case). Am I right?

That means Ethernet 0 should be for sniffing (monitoring) since it is connected to the DMZ, and interface 1 for command and control since it is connected to the 4005 switch, but according to the Cisco specification

http://cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055df7d.html#wp1051279

Table 5-2

FastEthernet 0/1: Interfaces Supporting Inline VLAN Pairs (Sensing Ports)

FastEthernet 0/0: Interfaces Not Supporting Inline (Command and Control Port)

Note: Cisco has mentioned FastEthernet, and the one that I have got is Ethernet. Does it make any difference?

Since I have not done that configuration (it has been done by someone else), do I need to change that?

Re: IDS 4215, right place for a sniffing interface (DMZ or LAN)

Zillah,

The first thing you need to do is upgrade your sensor to version 5.1 or 6.0. You have 4.1 software, which is no longer supported. If you have maintenance on your sensor, the upgrade is no charge. If you do not have maintenance (called Services for IPS), then you'll need to take care of that first.

The 4215 sensor has only two interfaces, and you need one for command and control. This is the interface that you'll assign an IP address to and use for management purposes.

The other interface is Fast Ethernet (10/100), even though it doesn't look like it to you from the show version results. You can use this in inline mode (IPS mode) by enabling multiple VLAN interfaces on the sniffing interface. With IPS 5.1 or higher, you can create VLAN groups, where traffic that arrives on one VLAN is automatically mapped to a different VLAN.

More information is available at:
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055df7d.html#wp1047718

Gary

On 11/28/06 8:20 AM, "zillah" <saadelias@...> wrote:

> I have got at work this sensor with two interfaces only, I have been asked to
> check that
>
> IDSWORK# show version
> Application Partition:
> Cisco Systems Intrusion Detection Sensor, Version 4.1(1)S47
>
> OS Version 2.4.18-5smpbigphys-4215
> Platform: IDS-4215
>
> one interface which is Ethernet 0 (not FastEthernet) connected to switch in
> DMZ , and Ethernet 1 connected to switch 4005,,,,logically I have to monitor
> DMZ zone not switch 4005 (since I have got only two interfaces, my
> case),,,Am I right ?
>
> That means Ethernet 0 should be for sniffing (monitoring)since it is
> connected to DMZ,and interface 1 for command and control since it is
> connected to 4005 switch, but according to cisco specification
>
> http://cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055df7d.html#wp1051279
>
> Table 5-2
>
> FastEthernet0/0: Interfaces Supporting Inline VLAN Pairs (Sensing Ports)
>
> FastEthernet0/1: Interfaces Not Supporting Inline (Command and Control Port)
>
> Note: Cisco has mentioned FastEthernet, the one that I have got Ethernet
> ,,,,does make any difference ?
>
> Since I have not done that configuration , it has been done by some one
> else, do I need to change that ?

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more.
------------------------------------------------------------------------

Re: IDS 4215, right place for a sniffing interface (DMZ or LAN)

Thanks Gary, yes I am aware of that.

Yes, you are right.

According to the specification in Table 5-2 (under IDS 4125, same as mine) from the link that I have posted for IDS 4125, FastEthernet 0/1 should be for sensing purposes. In my case, since I am looking to monitor traffic in the DMZ area, I should use Ethernet 1 (not 0) for monitoring (sensing). Right now Ethernet 0 (not 1) was used, and I guess this is wrong. This was my query.

Re: IDS 4215, right place for a sniffing interface (DMZ or LAN)

It doesn't matter which interface is used for sensing and which for monitoring as long as you use one for each.

Gary

On 4/4/07 7:48 PM, "zillah" <forwardtruth@...> wrote:

>> The first thing you need to do is upgrade your sensor to version 5.1 or
>> 6.0.
>> You have 4.1 software, which is no longer supported. If you have
>> maintenance on your sensor, the upgrade is no charge. If you do not have
>> maintenance (called Services for IPS), then you'll need to take care of
>> that
>> first.
>>
> Thanks Gary, yes I am aware of that.
>
>> The 4215 sensor has only two interfaces, and you need one for command and
>> control. This is the interface that you'll assign an IP address to and
>> use
>> for management purposes.
>>
> Yes you are right .
> According to the specification in the table 5-2 (under IDS 4125, same as
> mine) from the link that I have posted for IDS 4125 , FastEthernet 0/1
> should be for sensing purposes,,,,,,,,,,my case since I am looking to
> monitor a traffic in the DMZ area, I should use Etherent 1 (not 0) for
> monitoring (sensing) , right now Ethernet 0 (not 1) was used, and I guess
> this is wrong ,,,,,,here was my query ?