RE: IDS Best Practice

From: Shahin Ansari (zohal52@yahoo.com)
Date: Sun Oct 16 2005 - 19:24:27 GMT-3


Well, I think we have to be a little more specific. My
understanding is you have to mention if you are
referring to the outside interface or the inside interface. If
you apply your access-list to the outside interface, then
the access-list should process the traffic first. But
if you apply your access-list to your inside
interface, then the IDS will see the traffic first.
Please let me know if I am missing something.

Regards-
 Sean

--- "Christopher M. Heffner"
<cheffner@certified-labs.com> wrote:

> Thanks for the link Ganesh. I had forgotten that
> the software IDS is
> actually processed before the ACL on the router
> which could then
> generate false-positives.
>
> In my previous email when I said that the ACL gets
> processed first then
> the IDS is processed next, I was actually
> remembering the NM-CIDS-K9 IDS
> module process. In this case the ACL inbound is
> processed first and if
> it is permitted by the router then the IDS module
> will see the packet.
>
> Glad to know it is the reverse for the software
> based IDS/IPS IOS.
>
> Thanks again.
>
> Christopher M. Heffner, CCIE 8211, CCSI 98760
> Strategic Network Solutions, Inc.
> VP of Internetworking Technologies
>
> www.certified-labs.com
>
> "Complete CCIE R&S and Security Online Rack Rentals"
>
>
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com
> [mailto:nobody@groupstudy.com] On Behalf Of
> Ganesh Iyyappan (IT)
> Sent: Saturday, October 15, 2005 5:05 PM
> To: Tim; ccielab@groupstudy.com;
> security@groupstudy.com
> Subject: RE: IDS Best Practice
>
> IDS process takes place first if the audit rule is
> applied to the in
> direction on the interface. Here you go,
>
>
> http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_quick_reference_guide09186a0080113702.html
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com
> [mailto:nobody@groupstudy.com] On Behalf Of
> Paul Patrick
> Sent: Sunday, October 16, 2005 1:51 AM
> To: 'Tim'; ccielab@groupstudy.com;
> security@groupstudy.com
> Subject: RE: IDS Best Practice
>
> Tim,
>
> The new ISR routers support up to 500 signatures
> (256.sdf) which can be
> configured to alarm, drop, reset, or any
> combination. For a small
> business with limited budget and IT staff, it makes
> sense to run IDS/IPS
> on the perimeter router.
>
> More info can be found at:
>
> http://www.cisco.com/en/US/products/ps6634/products_white_paper0900aecd80327257.shtml
>
>
> P.
>
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com
> [mailto:nobody@groupstudy.com] On Behalf Of
> Tim
> Sent: Saturday, October 15, 2005 9:04 AM
> To: ccielab@groupstudy.com; security@groupstudy.com
> Subject: IDS Best Practice
>
> Hi guys,
>
> Since it's possible to enable some IDS functionality
> in IOS on a perimeter router, is there any rule of
> thumb or BEST Practice on the issue of what IDS
> functionality should be implemented on a router
> versus on the IDS itself?
>
> Obviously, if you have both a router and an IDS, all
> IDS can be implemented on the IDS itself but I'm
> wondering if there would be any benefit to enabling
> a few signatures - perhaps those that block DOS
> attacks - on the router.
>
> Also, when IDS is enabled on a router interface that
> also has an inbound acl, which processing takes
> place first? The IDS or acl?
>
> Any guidance or insight would be greatly
> appreciated.
>
> TIA, Tim
>
>

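The configuration the thread is arguing about, written out as an added example (it is not from any of the posters and not from the Cisco documents they link): a perimeter router running the IOS Firewall IDS feature ("ip audit") with an inbound ACL and an inbound audit rule on the same outside interface. The audit rule name AUDIT-OUTSIDE, ACL number 101, the interface name Serial0/0 and all addresses are assumed for illustration; the syslog server is assumed to be configured separately with "logging <host>".

```cisco
! Added example (not from the thread): IOS Firewall IDS ("ip audit") on a
! perimeter router, alongside an inbound ACL on the same interface.
! Assumed names/addresses: audit rule AUDIT-OUTSIDE, ACL 101,
! interface Serial0/0 (outside), inside network 192.168.10.0/24.
!
! Send IDS alarms to syslog (a "logging <host>" line is assumed elsewhere).
ip audit notify log
ip audit po max-events 100
!
! Informational signatures only alarm; attack signatures alarm, drop the
! offending packet and reset the TCP session.
ip audit name AUDIT-OUTSIDE info action alarm
ip audit name AUDIT-OUTSIDE attack action alarm drop reset
!
! Inbound ACL: allow a published web server and established return traffic,
! deny and log everything else.
access-list 101 permit tcp any host 192.168.10.10 eq 80
access-list 101 permit tcp any 192.168.10.0 0.0.0.255 established
access-list 101 deny ip any any log
!
interface Serial0/0
 description Outside (perimeter)
 ip address 203.0.113.2 255.255.255.252
 ip access-group 101 in
 ip audit AUDIT-OUTSIDE in
!
! Verification:
!   show ip audit configuration   - audit rule, actions, applied interfaces
!   show ip audit statistics      - signature hits per interface
!   show access-lists 101         - ACL match counters
```

With both applied in the inbound direction as above, the ordering Ganesh's link describes applies: the audit rule inspects the packet before ACL 101 is evaluated, so a packet that ACL 101 would drop anyway can still fire an alarm, which is the false-positive noise Christopher mentions. If the drop is what you want the ACL to be credited for, compare the counters from "show ip audit statistics" and "show access-lists 101" against each other on a test flow. The NM-CIDS module he contrasts it with is the opposite case in the thread: only packets the inbound ACL permits reach the module. On an ISR running the newer IOS IPS feature that Paul refers to, the equivalent commands are "ip ips sdf location flash:256.sdf", "ip ips name <name>" and "ip ips <name> in" on the interface, with the same question of where the inbound ACL sits relative to inspection.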


This archive was generated by hypermail 2.1.4 : Sun Nov 06 2005 - 22:00:51 GMT-3