From: Christopher M. Heffner (cheffner@certified-labs.com)
Date: Sat Oct 15 2005 - 17:20:51 GMT-3
Actually with the updated .SDF files and the built-in signatures you can
get more like 700-800 signatures. The common mistake with the .SDF file
is that when people configure the router with the new .SDF file it winds
up replacing the built-in signatures instead of adding the .SDF
signatures to the built-in signatures.
Later.
Christopher M. Heffner, CCIE 8211, CCSI 98760
Strategic Network Solutions, Inc.
VP of Internetworking Technologies
www.certified-labs.com
"Complete CCIE R&S and Security Online Rack Rentals"
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Paul Patrick
Sent: Saturday, October 15, 2005 4:21 PM
To: 'Tim'; ccielab@groupstudy.com; security@groupstudy.com
Subject: RE: IDS Best Practice
Tim,
The new ISR routers support up to 500 signatures (256.sdf) which can be
configured to alarm, drop, reset, or any combination. For a small
business with limited budget and IT staff, it makes sense to run IDS/IPS
on the perimeter router.
More info can be found at:
http://www.cisco.com/en/US/products/ps6634/products_white_paper0900aecd80327257.shtml
P.
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Tim
Sent: Saturday, October 15, 2005 9:04 AM
To: ccielab@groupstudy.com; security@groupstudy.com
Subject: IDS Best Practice
Hi guys,
Since it's possible to enable some IDS functionality in IOS on a
perimeter router, is there any rule of thumb or BEST Practice on the
issue of what IDS functionality should be implemented on a router versus
on the IDS itself?
Obviously, if you have both a router and an IDS, all IDS can be
implemented on the IDS itself but I'm wondering if there would be any
benefit to enabling a few signatures - perhaps those that block DOS
attacks - on the router.
Also, when IDS is enabled on a router interface that also has an inbound
acl, which processing takes place first? The IDS or acl?
Any guidance or insight would be greatly appreciated.
TIA, Tim