From: Shahin Ansari (zohal52@yahoo.com)
Date: Sat Oct 22 2005 - 21:32:30 GMT-3
Chris,
Well you are right. But my point, however ambiguous,
still stands. Please note the words I placed *'s
beside in the following quote which I got from your
doco:
----------------------------------------------------
If the audit rule is applied to the *in* direction on
the interface, packets passing through the interface
are audited before the *inbound* ACL can discard
them. This alerts an administrator if an attack or
information-gathering activity is underway. Because of
this sequence of events, IDS can trigger even if the
router would otherwise reject the activity.
Audit rules that are applied in the *out* direction on
an interface are conversely auditing packets after they
have entered the router through another interface.
*Inbound* ACLs of *other* interfaces may discard
packets before they are audited. As such, IDS alarms
may be lost even though the attack or
information-gathering activity was thwarted.
-------------------------------------------------
My point is not to merely argue, just trying to help
a better understanding of this product, and learn
something myself. You see how the author uses the
word 'the' in the first paragraph, but the word 'other' in
the second one? And how in both cases he talks about
inbound access-lists? Not to mention that the author
says: other interfaces *may* drop the packet in the
second paragraph. Do you agree?
Regards-
Sean
--- "Christopher M. Heffner"
<cheffner@certified-labs.com> wrote:
> According to the Cisco Documentation link that
> Ganesh listed in the
> previous email, the IDS/IPS looks at the traffic
> first before an
> access-list that is applied as "in" on an interface.
>
> See URL listed previously for additional details.
>
> Later.
>
>
> Christopher M. Heffner, CCIE 8211, CCSI 98760
> Strategic Network Solutions, Inc.
>
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com
> [mailto:nobody@groupstudy.com] On Behalf Of
> Shahin Ansari
> Sent: Sunday, October 16, 2005 6:24 PM
> To: Christopher M. Heffner; Ganesh Iyyappan (IT);
> Tim;
> ccielab@groupstudy.com; security@groupstudy.com
> Subject: RE: IDS Best Practice
>
> Well I think we have to be a little more specific. My
> understanding is
> you have to mention if you are referring to the outside
> interface or the inside
> interface. If you apply your access-list to the outside
> interface, then the
> access-list should process the traffic first. But
> if you apply your
> access-list to your inside interface, then the IDS
> will see the traffic
> first.
> Please let me know if I am missing something.
>
> Regards-
> Sean
>
> --- "Christopher M. Heffner"
> <cheffner@certified-labs.com> wrote:
>
> > Thanks for the link Ganesh. I had forgotten that
> the software IDS is
> > actually processed before the ACL on the router
> which could then
> > generate false-positives.
> >
> > In my previous email when I said that the ACL gets
> processed first
> > then the IDS is processed next, I was actually
> remembering the
> > NM-CIDS-K9 IDS module process. In this case the
> ACL inbound is
> > processed first and if it is permitted by the
> router then the IDS
> > module will see the packet.
> >
> > Glad to know it is the reverse for the software
> based IDS/IPS IOS.
> >
> > Thanks again.
> >
> > Christopher M. Heffner, CCIE 8211, CCSI 98760
> Strategic Network
> > Solutions, Inc.
> > VP of Internetworking Technologies
> >
> > www.certified-labs.com
> >
> > "Complete CCIE R&S and Security Online Rack
> Rentals"
> >
> >
> >
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com
> > [mailto:nobody@groupstudy.com] On Behalf Of Ganesh
> Iyyappan (IT)
> > Sent: Saturday, October 15, 2005 5:05 PM
> > To: Tim; ccielab@groupstudy.com;
> > security@groupstudy.com
> > Subject: RE: IDS Best Practice
> >
> > IDS process takes place first if the audit rule is
> applied to the in
> > direction on the interface. Here you go,
> >
> > http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_quick_reference_guide09186a0080113702.html
> >
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com
> > [mailto:nobody@groupstudy.com] On Behalf Of Paul
> Patrick
> > Sent: Sunday, October 16, 2005 1:51 AM
> > To: 'Tim'; ccielab@groupstudy.com;
> > security@groupstudy.com
> > Subject: RE: IDS Best Practice
> >
> > Tim,
> >
> > The new ISR routers support up to 500 signatures
> > (256.sdf) which can be
> > configured to alarm, drop, reset, or any
> combination. For a small
> > business with limited budget and IT staff, it
> makes sense to run
> > IDS/IPS on the perimeter router.
> >
> > More info can be found at:
> > http://www.cisco.com/en/US/products/ps6634/products_white_paper0900aecd80327257.shtml
> >
> >
> > P.
> >
> >
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com
> > [mailto:nobody@groupstudy.com] On Behalf Of Tim
> > Sent: Saturday, October 15, 2005 9:04 AM
> > To: ccielab@groupstudy.com;
> security@groupstudy.com
> > Subject: IDS Best Practice
> >
> > Hi guys,
> >
> >
> >
> > Since it's possible to enable some IDS
> functionality in IOS on a
> > perimeter router, is there any rule of thumb or
> BEST Practice on the
> > issue of what IDS functionality should be
> implemented on a router
> > versus on the IDS itself?
> >
> >
> >
> > Obviously, if you have both a router and an IDS,
> all IDS can be
> > implemented on the IDS itself but I'm wondering if
> there would be any
> > benefit to enabling
> >
> >
> >
> > a few signatures - perhaps those that block DOS
> attacks - on the
> > router.
> >
> >
> >
> > Also, when IDS is enabled on a router interface
> that also has an
> > inbound acl, which processing takes place first?
> The IDS or acl?
> >
> >
> >
> > Any guidance or insight would be greatly
> appreciated.
> >
> >
> >
> > TIA, Tim
> >
> >
>
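The ordering described in the Cisco documentation quoted at the top of this thread (an *in* audit rule inspects before that interface's inbound ACL; an *out* audit rule inspects only after the packet has passed the inbound ACL of whichever interface it entered on) can be modelled to show when an alarm is raised and when it is lost. This is an added illustration, not Cisco code or anything from the thread; the interface names, the 198.51.100.7 source address and the signature tag are constructed for the example.

```python
"""Model of IOS IDS audit-rule vs. inbound-ACL processing order.
Added illustration (not Cisco code): 'in' audit rules fire before the
same interface's inbound ACL; 'out' audit rules only see packets that
already got past the inbound ACL of the ingress interface."""
from dataclasses import dataclass, field


@dataclass
class Interface:
    name: str
    deny_src: set = field(default_factory=set)  # constructed stand-in for an inbound ACL
    audit_in: bool = False    # 'ip audit <name> in'  applied on this interface
    audit_out: bool = False   # 'ip audit <name> out' applied on this interface

    def inbound_acl_permits(self, pkt):
        return pkt["src"] not in self.deny_src


@dataclass
class Outcome:
    alarms: list = field(default_factory=list)
    forwarded: bool = False


def is_attack(pkt):
    # constructed signature check: any packet tagged with a signature name
    return pkt.get("sig") is not None


def forward(pkt, ingress, egress):
    """Walk one packet entering on `ingress` and bound out `egress`."""
    out = Outcome()
    if ingress.audit_in and is_attack(pkt):        # audited BEFORE the inbound ACL
        out.alarms.append(f"{ingress.name}/in")
    if not ingress.inbound_acl_permits(pkt):
        return out                                 # discarded; nothing downstream audits it
    if egress.audit_out and is_attack(pkt):        # audited AFTER the ingress ACL
        out.alarms.append(f"{egress.name}/out")
    out.forwarded = True
    return out


# Constructed scenario: attacker 198.51.100.7 is denied by the outside inbound ACL.
PKT = {"src": "198.51.100.7", "dst": "10.0.0.5", "sig": "ICMP flood"}


def audit_in_on_outside():
    outside = Interface("outside", deny_src={"198.51.100.7"}, audit_in=True)
    return forward(PKT, outside, Interface("inside"))


def audit_out_on_inside():
    outside = Interface("outside", deny_src={"198.51.100.7"})
    return forward(PKT, outside, Interface("inside", audit_out=True))
```

Running `audit_in_on_outside()` yields an alarm even though the packet is dropped, while `audit_out_on_inside()` drops the same packet with no alarm at all, which is the lost-alarm case the quoted documentation warns about.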
This archive was generated by hypermail 2.1.4 : Sun Nov 06 2005 - 22:00:52 GMT-3