Tying firewalls, ACLs and IDS together

From: Brad Spencer (bradsp@outworks.net)
Date: Thu Jun 17 2004 - 15:28:05 GMT-3


Hello Everyone,

I am having difficulty understanding the processing steps taken when a
packet arrives in the following scenarios. It's my feeling that an
understanding of this will be crucial for the CCIE Security exam and for day
to day real world work. If anyone has any insight on this, please reply all
to help generate a discussion on the matter. Any links to information that
could help answer the theme of these types of questions would be greatly
appreciated.


2600XM and NM-CIDS-K9 installed.

Is the packet processed by the IDS before a standard access list is checked?

Is the packet processed by the IDS before return CBAC traffic is checked?

Is the packet processed by the IDS before NAT translates the address? If
outside NAT is configured, will the TCP reset or shun action be applied to
the translated or real address?


Note: It is my understanding that the single interface on the NM-CIDS-K9 is
only for 'command and control', thus only 'command and control' packets are
processed by the IDS CPU before reaching the router bus and are therefore
immune to any ACLs or NAT on the router side, so I guess our discussion
should focus on the router interfaces.


CAT6k with PFC/MSFC and IDSM-2 installed

Is the packet processed by the IDS before an extended access list is
checked?

Is the packet processed by the IDS before a VLAN ACL is checked?

Is the packet processed by the IDS before return CBAC traffic is checked?
(i.e. the MLS IP inspect command)

Is the packet processed by the IDS before NAT translates the address? If
outside NAT is configured, will the TCP reset or shun action be applied to
the translated or real address?


CAT6k with FWSM and IDSM-2 installed

Is the packet processed by the IDS before NAT translates the address? If
outside NAT is configured, will the TCP reset or shun action be applied to
the translated or real address?

Is the packet processed by the IDS before a standard access list is checked?

Is the packet processed by the IDS before return CBAC traffic is checked?

What are inside and outside NAT considerations when dealing with a switch
with both modules installed?


Thanks!

Brad



This archive was generated by hypermail 2.1.4 : Sat Jul 03 2004 - 19:40:43 GMT-3