From: Christopher M. Heffner (cheffner@certified-labs.com)
Date: Mon Oct 17 2005 - 12:38:50 GMT-3
According to the Cisco Documentation link that Ganesh listed in the
previous email, the IDS/IPS looks at the traffic first before an
access-list that is applied as "in" on an interface.
See URL listed previously for additional details.
Later.
Christopher M. Heffner, CCIE 8211, CCSI 98760
Strategic Network Solutions, Inc.
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Shahin Ansari
Sent: Sunday, October 16, 2005 6:24 PM
To: Christopher M. Heffner; Ganesh Iyyappan (IT); Tim;
ccielab@groupstudy.com; security@groupstudy.com
Subject: RE: IDS Best Practice
Well I think we have to be a little more specific. My understanding is
you have to mention if you are referring to the outside interface or inside
interface. If you apply your access-list to the outside interface, then the
access-list should process the traffic first. But if you apply your
access-list to your inside interface, then the IDS will see the traffic
first.
Please let me know if I am missing something.
Regards-
Sean
--- "Christopher M. Heffner"
<cheffner@certified-labs.com> wrote:
> Thanks for the link Ganesh. I had forgotten that the software IDS is
> actually processed before the ACL on the router which could then
> generate false-positives.
>
> In my previous email when I said that the ACL gets processed first
> then the IDS is processed next, I was actually remembering the
> NM-CIDS-K9 IDS module process. In this case the ACL inbound is
> processed first and if it is permitted by the router then the IDS
> module will see the packet.
>
> Glad to know it is the reverse for the software based IDS/IPS IOS.
>
> Thanks again.
>
> Christopher M. Heffner, CCIE 8211, CCSI 98760
> Strategic Network Solutions, Inc.
> VP of Internetworking Technologies
>
> www.certified-labs.com
>
> "Complete CCIE R&S and Security Online Rack Rentals"
>
> -----Original Message-----
> From: nobody@groupstudy.com
> [mailto:nobody@groupstudy.com] On Behalf Of Ganesh Iyyappan (IT)
> Sent: Saturday, October 15, 2005 5:05 PM
> To: Tim; ccielab@groupstudy.com;
> security@groupstudy.com
> Subject: RE: IDS Best Practice
>
> IDS process takes place first if the audit rule is applied to the in
> direction on the interface. Here you go,
>
>
> http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_quick_reference_guide09186a0080113702.html
>
> -----Original Message-----
> From: nobody@groupstudy.com
> [mailto:nobody@groupstudy.com] On Behalf Of Paul Patrick
> Sent: Sunday, October 16, 2005 1:51 AM
> To: 'Tim'; ccielab@groupstudy.com;
> security@groupstudy.com
> Subject: RE: IDS Best Practice
>
> Tim,
>
> The new ISR routers support up to 500 signatures (256.sdf) which can be
> configured to alarm, drop, reset, or any combination. For a small
> business with limited budget and IT staff, it makes sense to run
> IDS/IPS on the perimeter router.
>
> More info can be found at:
>
> http://www.cisco.com/en/US/products/ps6634/products_white_paper0900aecd80327257.shtml
>
>
> P.
>
> -----Original Message-----
> From: nobody@groupstudy.com
> [mailto:nobody@groupstudy.com] On Behalf Of Tim
> Sent: Saturday, October 15, 2005 9:04 AM
> To: ccielab@groupstudy.com; security@groupstudy.com
> Subject: IDS Best Practice
>
> Hi guys,
>
> Since it's possible to enable some IDS functionality in IOS on a
> perimeter router, is there any rule of thumb or BEST Practice on the
> issue of what IDS functionality should be implemented on a router
> versus on the IDS itself?
>
> Obviously, if you have both a router and an IDS, all IDS can be
> implemented on the IDS itself but I'm wondering if there would be any
> benefit to enabling a few signatures - perhaps those that block DOS
> attacks - on the router.
>
> Also, when IDS is enabled on a router interface that also has an
> inbound acl, which processing takes place first? The IDS or acl?
>
> Any guidance or insight would be greatly appreciated.
>
> TIA, Tim
>
>
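An added configuration example (editor's illustration, not posted by anyone in the thread) that puts the ordering point into an IOS perimeter-interface configuration: an inbound ACL and a classic `ip audit` rule on the same interface. The interface name, ACL number, audit rule name and the 192.0.2.0/24 and 203.0.113.0/30 addresses are assumptions chosen for illustration. The comments record the ordering the thread arrives at: with the IOS software IDS, an audit rule applied `in` inspects the packet before the inbound ACL is evaluated, so a packet the ACL would deny can still raise an alarm; with an NM-CIDS module, the ACL is evaluated first and only permitted packets reach the module.

```cisco
! Added example, not from the thread. Interface, ACL number, rule name and
! addresses are assumptions for illustration (RFC 5737 documentation space).
!
! Global IDS settings: send alarms to syslog and set the default action
! for each signature class.
ip audit notify log
ip audit info action alarm
ip audit attack action alarm drop reset
!
! Named audit rule that will be applied on the perimeter interface.
ip audit name PERIM info action alarm
ip audit name PERIM attack action alarm drop reset
!
! Inbound ACL: only HTTP to the web server is permitted; everything else
! is denied and logged.
access-list 101 permit tcp any host 192.0.2.10 eq 80
access-list 101 deny ip any any log
!
interface Serial0/0
 description Link to ISP (perimeter)
 ip address 203.0.113.2 255.255.255.252
 ! With the IOS software IDS, the audit rule in the "in" direction inspects
 ! the packet BEFORE access-list 101 is evaluated (per the Cisco quick
 ! reference linked in the thread). A packet that 101 will deny can
 ! therefore still raise an alarm, which is the false-positive effect
 ! Christopher describes; expect IDS alarms for traffic that never reaches
 ! the inside network.
 ip access-group 101 in
 ip audit PERIM in
!
! For comparison: an NM-CIDS module receives only packets the inbound ACL
! has already permitted, so on that platform the ordering is reversed and
! denied traffic generates ACL log entries but no IDS alarm.
```

When correlating events from such a router, treat an IDS alarm on the perimeter interface as evidence of what arrived on the wire, not of what was admitted; the ACL log line (or its absence) is what tells you whether the packet got past the router.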
This archive was generated by hypermail 2.1.4 : Sun Nov 06 2005 - 22:00:51 GMT-3