RE: IDS Best Practice

From: Christopher M. Heffner (cheffner@certified-labs.com)
Date: Sat Oct 15 2005 - 19:53:01 GMT-3


Thanks for the link Ganesh. I had forgotten that the software IDS is
actually processed before the ACL on the router which could then
generate false-positives.

In my previous email when I said that the ACL gets processed first then
the IDS is processed next, I was actually remembering the NM-CIDS-K9 IDS
module process. In this case the ACL inbound is processed first and if
it is permitted by the router then the IDS module will see the packet.

Glad to know it is the reverse for the software based IDS/IPS IOS.

Thanks again.

Christopher M. Heffner, CCIE 8211, CCSI 98760
Strategic Network Solutions, Inc.
VP of Internetworking Technologies

www.certified-labs.com

"Complete CCIE R&S and Security Online Rack Rentals"

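The processing-order difference discussed in this thread (software IOS IDS inspecting before the inbound ACL, the NM-CIDS module inspecting only what the ACL permits), modelled as an added example; this is illustrative code, not Cisco's, and the packets, ACL entries and signatures in it are constructed:

```python
# Added illustration of the two inspection orders discussed in the thread
# (not Cisco's code). Packets, ACL entries and signatures are constructed.
# IOS software IDS/IPS: the audit rule inspects an inbound packet before the
# interface ACL, so traffic the ACL will drop still raises alarms.
# NM-CIDS module: the inbound ACL runs first; the module sees permitted packets only.

# Constructed ACL: permit HTTP/HTTPS to the server; implicit deny for the rest.
ACL = [("permit", {"proto": "tcp", "dport": 80}),
       ("permit", {"proto": "tcp", "dport": 443})]

# Constructed signatures: name -> packet fields that trigger an alarm.
SIGNATURES = {"telnet-to-server": {"proto": "tcp", "dport": 23},
              "udp-chargen": {"proto": "udp", "dport": 19}}

def _matches(pkt, fields):
    return all(pkt.get(k) == v for k, v in fields.items())

def acl_permits(pkt, acl=ACL):
    for action, fields in acl:
        if _matches(pkt, fields):
            return action == "permit"
    return False  # implicit deny at the end of every IOS ACL

def ids_alarms(pkt, sigs=SIGNATURES):
    return [name for name, fields in sigs.items() if _matches(pkt, fields)]

def software_ids_pipeline(packets):
    """IOS software IDS order: audit rule first, then inbound ACL."""
    alarms, forwarded = [], []
    for p in packets:
        alarms += [(a, p["src"]) for a in ids_alarms(p)]  # fires before the ACL
        if acl_permits(p):
            forwarded.append(p)
    return alarms, forwarded

def module_ids_pipeline(packets):
    """NM-CIDS order: inbound ACL first, then the module inspects what passed."""
    alarms, forwarded = [], []
    for p in packets:
        if acl_permits(p):
            alarms += [(a, p["src"]) for a in ids_alarms(p)]
            forwarded.append(p)
    return alarms, forwarded

# Constructed sample: one legitimate web request, two packets the ACL denies.
SAMPLE = [{"src": "198.51.100.7", "proto": "tcp", "dport": 80},
          {"src": "198.51.100.7", "proto": "tcp", "dport": 23},
          {"src": "203.0.113.5", "proto": "udp", "dport": 19}]
```

Both orders forward the same single packet, but only the software-IDS order raises alarms on the two packets the ACL drops anyway, which is the extra alert noise the thread calls false positives.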
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Ganesh Iyyappan (IT)
Sent: Saturday, October 15, 2005 5:05 PM
To: Tim; ccielab@groupstudy.com; security@groupstudy.com
Subject: RE: IDS Best Practice

IDS process takes place first if the audit rule is applied to the in
direction on the interface. Here you go,

http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_quick_reference_guide09186a0080113702.html

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Paul Patrick
Sent: Sunday, October 16, 2005 1:51 AM
To: 'Tim'; ccielab@groupstudy.com; security@groupstudy.com
Subject: RE: IDS Best Practice

Tim,

The new ISR routers support up to 500 signatures (256.sdf) which can be
configured to alarm, drop, reset, or any combination. For a small
business with limited budget and IT staff, it makes sense to run IDS/IPS
on the perimeter router.

More info can be found at:
http://www.cisco.com/en/US/products/ps6634/products_white_paper0900aecd80327257.shtml

P.

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Tim
Sent: Saturday, October 15, 2005 9:04 AM
To: ccielab@groupstudy.com; security@groupstudy.com
Subject: IDS Best Practice

Hi guys,

Since it's possible to enable some IDS functionality in IOS on a
perimeter router, is there any rule of thumb or BEST Practice on the
issue of what IDS functionality should be implemented on a router versus
on the IDS itself?

Obviously, if you have both a router and an IDS, all IDS can be
implemented on the IDS itself but I'm wondering if there would be any
benefit to enabling a few signatures - perhaps those that block DOS
attacks - on the router.

Also, when IDS is enabled on a router interface that also has an inbound
acl, which processing takes place first? The IDS or acl?

Any guidance or insight would be greatly appreciated.

TIA, Tim



This archive was generated by hypermail 2.1.4 : Sun Nov 06 2005 - 22:00:51 GMT-3