Idsm 2- IPS Deployment

I would like to configure an IDSM-2 in inline mode, but I am having trouble with the deployment. I have a couple of questions:
1. If you configure 2 (existing) VLANs as a VLAN pair, does this mean the existing connection between the 2 VLANs is broken,
i.e. they can only communicate with each other via the IPS?
2. Where is the best place to deploy this type of IPS?
2. Where is the best place to deploy this type of IPS?

Hello
1. If configured properly, it will definitely not break any connectivity (it's a bump in the wire). Of course, if some traffic is denied by an IPS signature itself, that is a different matter. Please see this example for more help:
http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_configuration_example09186a0080876d9f.shtml
2. Inline mode is deployed where you want proactive protection and the IPS box you have has sufficient throughput and other resources to monitor that segment of your network (or multiple segments, for that matter).
Regards
Farrukh

Similar Messages

  • Can IPS deploy traffic rate limiting policy to switch or router?

    Hello,
    I have a quick question: can the IPS deploy a traffic rate-limiting policy to a Cisco switch or router?
    As we know, an IPS sensor can throttle suspicious traffic instead of blocking it; I'm not sure if the IPS can send the throttle policy to a Cisco switch or router.
    Thanks,
    -Alejin

    Please find the following on what the IPS can do in terms of rate limiting (it also includes which signature and which routers, what to configure and what not to configure, etc):
    http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_blocking.html#wp2005501
    The above is on IPS version 7.x.
    Hope that helps.

  • IDSM-2 IPS (5.x) / Cat IOS questions

    Is my understanding correct that a Catalyst 6500 running Cat IOS supports only Promiscuous mode and that Cat IOS does not support IDSM-2 (5.x) Inline mode?
    Are there any plans to incorporate Inline Mode (5.x) under Cat IOS in the future, or am I missing something here?

    An upcoming version of CatIOS code will definitely support inline mode.
    The IPS 5.0 code, as you're aware, was the first version of IDS code to support inline mode. With the standalone sensors, running it inline requires a physical cabling change. With the IDSM-2 in particular though, you need to be able to configure the Cat-IOS code to push traffic through the device in inline mode.
    Unfortunately getting new versions of CatIOS code out the door is not that easy, since there are about 10,000 other features (not just IPS) in the code that are also wanting to be updated, plus other new features, plus all the testing and re-testing that needs to go on before a release. Supporting inline IPS is just one of many major features scheduled for the switch software.
    The Release Notes for IPS 5.0 code do say the following:
    IDSM-2 only supports inline mode for Catalyst Software 8.4.4(1) with Supervisor Engine 1a, Supervisor Engine 2, Supervisor Engine 32, and Supervisor Engine 720. Inline support for Cisco IOS will be added at a later date.

  • IDSM vs IPS 4200

    Hi all
    I'm trying to design a data center security solution. I have a 6509 E with sup 720 and FWSM. My concern now is whether to go for IDSM or a 4200 sensor. I know about the throughput limitations of both products. Can you all highlight any other pros and cons?
    thanks

    I would recommend going for the appliances. It gets pretty difficult to troubleshoot the network with FWSM and IDSM in the same chassis. Etherchannels, STP, MAC learning... you have to look at all that to see what exactly is happening in the network and the path taken by a particular packet. Since you have a 6500, you can load balance multiple IPS sensors using ECLB.
    Also the appliances are modular; you can add interfaces etc.
    Another downside is that most network monitoring/management software does not support the IDSM properly; this includes Cisco's LMS and BMC Visualis/Dashboard. You will find the IDSM as a 'disconnected' device on both Ciscoworks Campus Manager and BMC Visualis (on the network diagrams).
    Regards
    Farrukh

  • Need help: is it a bug in IDSM-2 with IPS-K9-7.0-2-E3.pkg??

    Dear All,
    I have an IDSM with IPS-K9-7.0-2-E3.pkg installed.
    I use inline mode for this IDSM, and the IDSM is placed in front of the server farm,
    but I have a problem: one segment in my network can't access the server
    while another segment can access that server.
    That server is an Oracle database application (real time),
    and this happens only for that server.
    When I filter the traffic with the IDSM, the result is that the transaction matches
    signature number 7000, even though that signature doesn't have an action to deny the traffic;
    the traffic still cannot bypass. I then tried to disable it, but there was no impact for that segment,
    even though the other segment can access that server normally.
    Can anyone explain to me why this happens??
    I tried to downgrade to IPS-K9-7.0-2-E3.pkg with IME but always get an error..
    Can anyone help me please..

    Hi Josh..
    This is my answer
    First off, you cannot downgrade the version without a re-image. You can only downgrade signatures. Second, you mention 7.0(2)E3 as the version you are on and the version you want to downgrade to. Can you verify what version you are running?
    I have not yet downgraded to 7.0(2) because I don't yet have permission from my boss. And for now my IDSM still uses 7.0(2)E3.
    This is a capture from my IDSM:
    OTIDSM# sh ver
    Application Partition:
    Cisco Intrusion Prevention System, Version 7.0(2)E3
    Host:                                                        
        Realm Keys          key1.0                               
    Signature Definition:                                        
        Signature Update    S425.0                   2009-08-17  
        Virus Update        V1.4                     2007-03-02  
    OS Version:             2.4.30-IDS-smp-bigphys               
    Platform:               WS-SVC-IDSM-2                        
    Serial Number:          SAD132802TL                          
    Licensed, expires:      20-Oct-2010 UTC                      
    Sensor up-time is 2 days.
    Using 1415421952 out of 1983504384 bytes of available memory (71% usage)
    system is using 17.4M out of 38.5M bytes of available disk space (45% usage)
    application-data is using 38.6M out of 166.8M bytes of available disk space (24% usage)
    boot is using 41.5M out of 68.6M bytes of available disk space (64% usage)
    MainApp            B-BEAU_2009_OCT_15_08_07_7_0_1_111   (Ipsbuild)   2009-10-15T08:09:06-0500   Running  
    AnalysisEngine     B-BEAU_2009_OCT_15_08_07_7_0_1_111   (Ipsbuild)   2009-10-15T08:09:06-0500   Running  
    CollaborationApp   B-BEAU_2009_OCT_15_08_07_7_0_1_111   (Ipsbuild)   2009-10-15T08:09:06-0500   Running  
    CLI                B-BEAU_2009_OCT_15_08_07_7_0_1_111   (Ipsbuild)   2009-10-15T08:09:06-0500            
    Upgrade History:
      IPS-K9-7.0-2-E3   07:43:07 UTC Thu Oct 15 2009  
    Maintenance Partition Version 2.1(3)
    Recovery Partition Version 1.1 - 7.0(2)E3
    Host Certificate Valid from: 27-Apr-2010 to 27-Apr-2012
    On the traffic not passing issue, if you put the sensor in bypass, does that resolve the issue? That will eliminate any signature-related actions from impacting the traffic. If you are still unable to access the servers then you should look for a routing or network layer issue.
    What do you mean by bypass? Is it to release the IDSM from the network? If so, I have done that and the server can be accessed from the segment that couldn't access it before. I have checked for a network layer problem but everything is OK.
    And I want to clarify that the other segment that can't access the server can't do so only for some applications (real-time application) on that server; the server can be pinged and telnetted to from that segment (I think this clarifies the network issue question).
    If that clears things up, the next step would be to create an Event Action Override to produce alert for all signatures. Then you can review IME for any signatures firing related to these servers. Please remove the Override once you are done testing, as this can have a performance impact on the sensor over time and should only be used temporarily to troubleshoot a specific issue.
    Well, I will try your suggestion, but I will wait for permission to execute it. I hope this works for my IDSM-2.
    If you are still having trouble, it may help to get some info about the config of the sensor and the switch. Specifically, how the VLAN or Interface Pairs are set up, etc.
    OK, I will…
    Btw, thanks for your help boss
    GBU …

  • Need assistance on IPS 4260 deployment

    HI,
    What is the maximum number of signatures that can be compiled on an IPS 4260 (Version 7.0(2)E4),
    and what are the essential signatures that need to be applied on the IPS?
    What are the best practices to be followed during IPS deployment and signature fine tuning?
    Your prompt reply will be appreciated.

    From the software download section on CCO, follow this branch:
    http://tools.cisco.com/support/downloads/go/Model.x?mdfid=282539293&mdfLevel=Software%20Version/Option&treeName=Security&modelName=Cisco%20IPS%20Sensor%20Software%20Version%206.2&treeMdfId=268438162
    Intrusion Prevention System (IPS)
         IPS Appliances
              Cisco Intrusion Prevention System
                   Cisco IPS Sensor Software version 6.2
    Installation instructions:
    http://www.cisco.com/en/US/docs/security/ips/6.0/installation/guide/hwImage.html#wp1142504
    - Bob

  • IDSM CPU 1 High Probleme

    Hi everyone.
    My name is Wan Tae Kim, in Korea.
    I have a question about an IDSM problem.
    Our customer is using the IDSM in IPS mode.
    CPU1 stays continuously at 100% but we do not know the cause.
    It is used in Inline mode, but the configuration needs verification.
    I would like to receive guidance from many people.
    I am asking for advice on the configuration.
    IDSM Configuration:
    service interface
    exit
    service authentication
    exit
    service event-action-rules rules0
    overrides deny-packet-inline
    override-item-status Enabled
    risk-rating-range 90-100
    exit
    general
    global-overrides-status Enabled
    exit
    exit
    service host
    network-settings
    host-ip x.x.x.x/25,x.x.x.x.
    host-name R_Core2_IDSM
    telnet-option enabled
    access-list x.x.x.0/24
    access-list x.x.x.0/24
    access-list x.x.x.0/24
    access-list x.x.x.x/32
    exit
    time-zone-settings
    offset 540
    standard-time-zone-name GMT+09:00
    exit
    exit
    service logger
    exit
    service network-access
    exit
    service notification
    exit
    service signature-definition sig0
    signatures 2152 0
    engine flood-host
    rate 100
    exit
    exit
    signatures 5684 2
    alert-severity medium
    exit
    signatures 13003 0
    engine traffic-anomaly
    event-action produce-alert
    exit
    exit
    signatures 13003 1
    engine traffic-anomaly
    event-action produce-alert
    exit
    exit
    exit
    service ssh-known-hosts
    exit
    service trusted-certificates
    exit
    service web-server
    exit
    service anomaly-detection ad0
    exit
    service external-product-interface
    exit
    service analysis-engine
    virtual-sensor vs0
    description default virtual sensor
    physical-interface GigabitEthernet0/7
    physical-interface GigabitEthernet0/8
    exit
    switch Configuration:
    monitor session 3 source vlan 305
    monitor session 3 destination intrusion-detection-module 9 data-port 1
    Thank you.

    Hi Wan Tae Kim,
    The 100% CPU utilization is actually expected behavior and should not be cause for concern. To confirm the actual load on the sensor you can use the command:
    show stat virt
    and check the line "Processing Load Percentage ="
    Additionally, you can check the output of:
    show int
    and verify that the number of "Receive FIFO Overruns" is low/zero, indicating that the sensor is able to keep up with the rate of traffic being sent to it via your SPAN session.
    Here are examples of both outputs with the important lines in bold
    sensor# show stat virt
    Virtual Sensor Statistics
       Statistics for Virtual Sensor vs0
          Name of current Signature-Defintion instance = sig0
          Name of current Event-Action-Rules instance = rules0
          List of interfaces monitored by this virtual sensor = InterfacePair0 subinterface 0,GigabitEthernet0/3 subinterface 0
          General Statistics for this Virtual Sensor
             Number of seconds since a reset of the statistics = 1627117
             MemoryAlloPercent = 31
             MemoryUsedPercent = 31
             MemoryMaxCapacity = 1800000
             MemoryMaxHighUsed = 634880
             MemoryCurrentAllo = 566529
             MemoryCurrentUsed = 561597
             Processing Load Percentage = 1
             Total packets processed since reset = 7875642
             Total IP packets processed since reset = 3782287
             Total IPv4 packets processed since reset = 3755319
             Total IPv6 packets processed since reset = 26968
             Total IPv6 AH packets processed since reset = 0
             Total IPv6 ESP packets processed since reset = 0
             Total IPv6 Fragment packets processed since reset = 0
             Total IPv6 Routing Header packets processed since reset = 0
             Total IPv6 ICMP packets processed since reset = 94
             Total packets that were not IP processed since reset = 4093355
             Total TCP packets processed since reset = 204508
             Total UDP packets processed since reset = 2252490
             Total ICMP packets processed since reset = 14688
             Total packets that were not TCP, UDP, or ICMP processed since reset = 1310601
             Total ARP packets processed since reset = 2923053
             Total ISL encapsulated packets processed since reset = 0
             Total 802.1q encapsulated packets processed since reset = 0
             Total packets with bad IP checksums processed since reset = 0
             Total packets with bad layer 4 checksums processed since reset = 268
             Total number of bytes processed since reset = 1029553988
             The rate of packets per second since reset = 4
             The rate of bytes per second since reset = 632
             The average bytes per packet since reset = 130
          Denied Address Information
             Number of Active Denied Attackers = 0
             Number of Denied Attackers Inserted = 0
             Number of Denied Attacker Victim Pairs Inserted = 0
             Number of Denied Attacker Service Pairs Inserted = 0
             Number of Denied Attackers Total Hits = 0
             Number of times max-denied-attackers limited creation of new entry = 0
             Number of exec Clear commands during uptime = 0
          Denied Attackers and hit count for each.
          Denied Attackers with percent denied and hit count for each.
    sensor# show int
    Interface Statistics
       Total Packets Received = 29934896
       Total Bytes Received = 4010927826
       Missed Packet Percentage = 0
       Current Bypass Mode = Auto_off
    MAC statistics from interface GigabitEthernet0/0
       Interface function = Sensing interface
       Description = Connected to Attacker Switch
       Media Type = TX
       Default Vlan = 0
       Inline Mode = Paired with interface GigabitEthernet0/1
       Pair Status = Up
       Hardware Bypass Capable = No
       Hardware Bypass Paired = N/A
       Link Status = Up
       Admin Enabled Status = Enabled
       Link Speed = Auto_100
       Link Duplex = Auto_Full
       Missed Packet Percentage = 0
       Total Packets Received = 4095925
       Total Bytes Received = 298897396
       Total Multicast Packets Received = 3431616
       Total Broadcast Packets Received = 0
       Total Jumbo Packets Received = 0
       Total Undersize Packets Received = 0
       Total Receive Errors = 0
       Total Receive FIFO Overruns = 0
       Total Packets Transmitted = 664379
       Total Bytes Transmitted = 42520256
       Total Multicast Packets Transmitted = 0
       Total Broadcast Packets Transmitted = 0
       Total Jumbo Packets Transmitted = 0
       Total Undersize Packets Transmitted = 0
       Total Transmit Errors = 0
    Best Regards,
    Justin
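Justin's two checks above can be automated. The following Python script is an added example, not code from the thread or from Cisco: it parses `show stat virt` and `show int` output, reads the Processing Load Percentage and each sensing interface's Receive FIFO Overruns and Missed Packet Percentage, and returns the findings that actually indicate a sensor falling behind. The sample outputs inside the script are constructed excerpts modelled on the ones above, and the 80% load threshold is an assumption.

```python
"""Health check for a Cisco IPS sensor from 'show stat virt' and 'show int' output.

Added example (not from the original thread): parses the two command outputs
and flags the lines that indicate real overload, so a 100% CPU reading can be
judged against processing load and FIFO overruns. The sample outputs and the
load threshold are constructed for illustration.
"""
import re

# Constructed excerpt modelled on 'show stat virt' (sensor lightly loaded).
SAMPLE_STAT_VIRT = """\
Virtual Sensor Statistics
   Statistics for Virtual Sensor vs0
      Name of current Event-Action-Rules instance = rules0
      General Statistics for this Virtual Sensor
         Processing Load Percentage = 1
         Total packets processed since reset = 7875642
"""

# Constructed excerpt modelled on 'show int'; the second interface is dropping packets.
SAMPLE_SHOW_INT = """\
Interface Statistics
   Total Packets Received = 29934896
   Missed Packet Percentage = 0
   Current Bypass Mode = Auto_off
MAC statistics from interface GigabitEthernet0/0
   Interface function = Sensing interface
   Missed Packet Percentage = 0
   Total Receive FIFO Overruns = 0
   Total Receive Errors = 0
MAC statistics from interface GigabitEthernet0/1
   Interface function = Sensing interface
   Missed Packet Percentage = 3
   Total Receive FIFO Overruns = 1204
   Total Receive Errors = 0
"""


def parse_load(stat_virt_text):
    """Return the Processing Load Percentage as an int, or None if absent."""
    m = re.search(r"Processing Load Percentage\s*=\s*(\d+)", stat_virt_text)
    return int(m.group(1)) if m else None


def parse_interfaces(show_int_text):
    """Map each 'MAC statistics from interface X' block to its 'key = value' counters."""
    ifaces = {}
    current = None
    for line in show_int_text.splitlines():
        m = re.match(r"MAC statistics from interface (\S+)", line)
        if m:
            current = m.group(1)
            ifaces[current] = {}
            continue
        m = re.match(r"\s*([A-Za-z][A-Za-z ]*?)\s*=\s*(.*?)\s*$", line)
        if current and m:
            key, val = m.group(1), m.group(2)
            ifaces[current][key] = int(val) if val.isdigit() else val
    return ifaces


def assess(stat_virt_text, show_int_text, load_warn=80):
    """Return a list of human-readable findings; an empty list means the sensor keeps up."""
    findings = []
    load = parse_load(stat_virt_text)
    if load is None:
        findings.append("processing load not reported")
    elif load >= load_warn:
        findings.append(f"processing load {load}% >= {load_warn}%")
    for name, ctr in parse_interfaces(show_int_text).items():
        if ctr.get("Interface function") != "Sensing interface":
            continue  # command-and-control interface: not a monitoring concern
        overruns = ctr.get("Total Receive FIFO Overruns", 0)
        missed = ctr.get("Missed Packet Percentage", 0)
        if overruns > 0:
            findings.append(f"{name}: {overruns} receive FIFO overruns")
        if missed > 0:
            findings.append(f"{name}: missed packet percentage {missed}")
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_STAT_VIRT, SAMPLE_SHOW_INT) or ["sensor keeping up"]:
        print(finding)
```

Paste real output into the two strings (or read it from files) and the script reports only the counters that matter; a high CPU figure with zero overruns and a low load percentage is the benign case Justin describes.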

  • IDSM-2 Inline mode operation - cat6000 Hybrid

    Hello, is the inline mode operation on the IDSM-2 IPS 5.1 only supported with catos 8.4(1)?
    Thanks!

    I agree, the IPS 5.1 release notes http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps4077/prod_release_note09186a0080574954.html#wp1068104 says it requires 8.5(1) go figure.

  • IDSM missing traffic on trunk interface

    Hi
    I have a scenario where an IDSM with IPS 6 is triggering on traffic from a non-trunk interface but when the same traffic passes over another VLAN on a trunk.
    Monitor setup is like this
    monitor session 10 source interface Gi1/2
    monitor session 10 source interface Gi7/1
    monitor session 10 filter vlan 22 - 23 , 208
    monitor session 10 destination intrusion-detection-module 5 data-port 1
    where 1/2 is the non-trunk interface and 7/1 is the trunk. Traffic from VLAN 23 is firewalled/NATed and sent out on VLAN 208 towards our edge network.
    The exact case is that when I browse an external web site with SQL code in the HTML I get an SQL Injection alert from VLAN 208 only. I never get the alert for the same traffic passing behind the firewall over the trunk. When I set a sniffer as source for the SPAN session I see the HTTP request with the SQL code passing through the trunk interface as well as VLAN 208.
    Am I missing something here? Shouldn't an IPS report ALL occurrences of bad traffic?
    Regards
    Fredrik Hofgren

    What has to be upgraded, the Catalyst IOS or the software on the IDSM? Our Catalyst has IOS 12.2(18)SXF5 and the IDSM the latest version 6.0(3)E1.
    It seems odd that it would be a problem with missing VLAN tags. When I set the IDSM to manually capture traffic from an IP in the inside VLAN passing over the trunk the VLAN tag is present when I view the packets in Ethereal.
    /Fredrik

  • ASA IPS Transparent Design Solution Needed

    I have a query on IPS deployment. I have a customer with the following setup.
    One internal Cisco L3 switch connects to ---> two 5520 ASA firewalls in HA mode active/standby, which connect to another private network.
    Now I am asked to put an ASA 5525-X series IPS between the L3 switch & ---> the two ASA firewalls.
    What are the implementation options available without touching any config on the L3 switch or the two 5520 ASA firewalls?
    Can I set this up in a transparent mode?

    You originally stated that you wanted to place an ASA5525-X between the external L3 switch and a HA pair of existing ASA5520 firewalls. That would place the ASA5525-X on the exterior of your HA firewalls.
    The "best option" depends on cost and product support.
    Replacing your ASA5520 firewalls with 5525-X firewalls seems like an expensive way to get IPS functionality.
    You could find some AIP-SSM modules. End of sale was March 2013, so you'll have to buy some used. Put them into your existing 5520s. You can still get almost 5 years of licensing and support from Cisco on them: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/eol_C51-727284.html
    Even an ASA with an IPS feature (either in software or hardware) in promiscuous mode will still interrupt traffic if you are passing traffic through it upon some failures. The way around that would be to use a Tap or to span a port on your L3 switch.
    Alternately you could place an inline IPS in the stream of traffic with an external FailOpen switch to divert traffic around an IPS sensor that is down.
    - Bob

  • ASDM-IDM launcher

    What is the latest version available for the ASDM-IDM launcher? I am currently on 1.5(37) and it stopped
    working yesterday. If I use it, I get a pop-up box stating that a new version is available and that I need to upgrade. Well, the upgrade is not working;
    even though I select upgrade, it just comes back again with the same box. I use this launcher for several of my
    Cisco devices (ASA / IDSM / FWSM / IPS). I cleared the cache for the IDM and Java but nothing; I can't get it to work again. Any suggestions or advice would be great! Thanks

    SOLUTION: upgrade the ASDM image to asdm-631.bin. Remove once again all .asdm and .idm files. Clear out the Java cache and uninstall the ASDM-IDM launcher. Reboot your machine. Use https://x.x.x.x to access the device. You will get an upgrade message but this time it will work. It will upgrade from 1.5(46) to 1.5(40) - continue, download the launcher and save settings. Use the launcher to access the device. You should no longer receive any "upgrade" messages and the launcher will work correctly.
    The Java VM upper memory limit of ASDM 6.3 has been increased. Older versions of ASDM may not have enough available memory for IDM and 7.0(3) to function properly.
    Please find enclosed the release notes of the engine E4:
    http://www.cisco.com/en/US/docs/security/ips/7.0/release/notes/21671_01.html#wp1226708
    Many thanks to all who were helping on this problem.

  • Configuring the Catalyst 6500 Switch for IPS Inline Operation of the IDSM

    I understand how to configure the Catalyst 6500 switch so that the monitoring ports are access ports in two separate VLANs for inline operation.
    However, I don't see any documentation that describes how the desired VLAN traffic gets forced through the IPS.
    In promiscuous mode, you can use VACLs to copy/capture and forward the desired traffic to the IDSM for analysis. I'm not seeing how to get the desired traffic through the IPS.
    Note that the host 6500 is running native IOS 12.2(18)SXE.
    Thanks for any assistance.

    A transparent firewall is a fairly good comparison.
    Let's say you have vlan 10 with 100 PCs and 1 Router for the network.
    If you want to apply a transparent firewall on that vlan you can not simply put one interface of the firewall on vlan 10. Nothing would go through the firewall.
    Instead you have to create a new vlan, let's say 1010. Now you place one interface of the firewall on vlan 10 and the other on vlan 1010. Still nothing is going through the firewall. So now you move that Router from vlan 10 to vlan 1010. All you do is change the vlan, the IP Address and netmask of the router stay the same.
    The transparent firewall bridges vlan 10 and vlan 1010. The PCs on vlan 10 are still able to communicate to and through the router, but must go through the transparent firewall to do so.
    The firewall is transparent because it does not IP Route between 2 vlans; instead the same IP subnet exists on both vlans and the firewall transparently bridges traffic between the 2 vlans.
    The transparent firewall can do firewalling between the PCs on vlan 10 and the Router on vlan 1010. But if PC A on vlan 10 talks to PC B on vlan 10, then the transparent firewall does not see and can not block that traffic.
    An InLine sensor is very similar to the transparent firewall and will bridge between the 2 vlans. And similarly an InLine sensor is able to InLine monitor traffic between PCs on vlan 10 and the Router on vlan 1010, but will not be able to monitor traffic between 2 PCs on vlan 10.
    Now the router on one vlan and the PCs on the other vlan is a typical deployment for inline sensors, but your vlans do not Have to be divided that way. You could choose to place some servers in one vlan, and desktop PCs in the other vlan. You subdivide the vlans in what ever method makes sense for your deployment.
    Now for monitoring multiple vlans the same principle still applies. You can't monitor traffic between machines on the same vlan. So for each of the vlans you want to monitor you will need to create a new vlan and split the machines between the 2 vlans.
    In your case with Native IOS you are limited to only 1 pair of vlans for InLine monitoring, but your desired deployment would require 20 vlan pairs.
    The 5.1 IPS software has now the capability to handle the 20 pairs, but the Native IOS software does not have the capability to send the 40 vlans (20 pairs) to the IDSM-2.
    The Native IOS changes are in testing right now, but I have not heard a release date for those changes.
    Now Cat OS has already made these changes. So here is a basic breakdown of what you could do in Cat OS and you can use in preparation for a Native IOS deployment when it gets released.
    For vlans 10-20, and 300-310 that you want monitored you will need to break each of those vlans into 2 vlans.
    Let's say we make it simple and add 500 to each vlan in order to create the new vlan for each pair.
    So you have the following pairs:
    10/510, 11/511, 12/512, etc...
    300/800, 301/801, 302/802, etc....
    You set up the sensor port to trunk all 40 vlans:
    set trunk 5/7 10-20,300-310,510-520,800-810
    (Then clear all other vlans off that trunk to keep things clean)
    In the IDSM-2 configuration create the 20 inline vlan pairs on interface GigabitEthernet0/7
    Now on each of the 20 original vlans move the default router for each vlan from the original vlan to the 500+ vlan.
    At this point you should ordinarily be good to go. The IDSM-2 won't be monitoring traffic that stays within each of the original 20 vlans, but Would monitor traffic getting routed in and out of each of the 20 vlans.
    Because of a switch bug you may have to have an additional PC moved to the same vlan as the router if the switch/MSFC is being used as the router and you are deploying with an IDSM-2.
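The "add 500 to each VLAN" recipe above is easy to get wrong when some of the new VLAN IDs are already in use or fall outside the 802.1Q range. This Python script is an added example (not the poster's or Cisco's code) that builds the pair map with collision and range checks and emits the CatOS `set trunk` line from the post; port 5/7 and the offset of 500 are taken from the post, and the reserved VLAN set is an assumption about Catalyst defaults. It does not generate the sensor-side inline VLAN pair configuration.

```python
"""Plan inline VLAN pairs for an IDSM-2 and emit the CatOS trunk command.

Added example (not from the original thread): turns the "add 500 to each VLAN"
recipe into a checked plan, refusing partner VLANs that collide with VLANs
already in use, are reserved, or leave the valid range, then builds the
'set trunk <port> <vlan-list>' line. Port and offset follow the post.
"""

# Assumption: 1002-1005 are the default FDDI/Token Ring VLANs on Catalyst, 0 and 4095 are invalid.
RESERVED_VLANS = {0, 1002, 1003, 1004, 1005, 4095}


def plan_vlan_pairs(vlans, offset=500, in_use=()):
    """Map each monitored VLAN to its new partner VLAN (vlan + offset).

    in_use lists other VLANs already configured on the switch. Raises
    ValueError when a partner is already taken, reserved or out of range.
    """
    taken = set(in_use) | set(vlans)
    pairs = {}
    for v in sorted(vlans):
        partner = v + offset
        if partner > 4094 or partner in RESERVED_VLANS:
            raise ValueError(f"VLAN {v}: partner {partner} is reserved or out of range")
        if partner in taken:
            raise ValueError(f"VLAN {v}: partner {partner} already in use")
        taken.add(partner)  # no two pairs may claim the same partner VLAN
        pairs[v] = partner
    return pairs


def compress_ranges(vlans):
    """Render VLAN ids as a CatOS-style range list: [10, 11, 12, 20] -> '10-12,20'."""
    vlans = sorted(set(vlans))
    out = []
    i = 0
    while i < len(vlans):
        start = vlans[i]
        while i + 1 < len(vlans) and vlans[i + 1] == vlans[i] + 1:
            i += 1
        end = vlans[i]
        out.append(str(start) if start == end else f"{start}-{end}")
        i += 1
    return ",".join(out)


def catos_trunk_command(port, pairs):
    """Build the 'set trunk' line carrying both halves of every pair."""
    all_vlans = list(pairs) + list(pairs.values())
    return f"set trunk {port} {compress_ranges(all_vlans)}"


if __name__ == "__main__":
    monitored = list(range(10, 21)) + list(range(300, 311))  # the post's 10-20 and 300-310
    pairs = plan_vlan_pairs(monitored)
    for orig, new in pairs.items():
        print(f"pair {orig}/{new}: move the default router of VLAN {orig} to VLAN {new}")
    print(catos_trunk_command("5/7", pairs))
```

Feeding the switch's existing VLAN list through `in_use` is the step worth keeping: a partner VLAN that already carries hosts would silently put those hosts on the unmonitored side of the pair.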

  • IPS mode with IDSM-2 module on Cat6K

    Hi,
    I have installed the IDSM-2 module on the Catalyst 6509 switch. Now, referring to the configuration guide for IPS 6.0, there are multiple modes I can configure like inline, inline VLAN pair, Promiscuous & VLAN group mode, so I'm thinking which one would be the best solution...
    The Catalyst 6509 is acting as the CORE/Distribution with multiple VLANs (around 20 VLANs) configured, and the customer wants the IPS to be deployed in such a way that it covers the traffic from all the VLANs..
    Also note that there is a redundant Cat6509 switch which also has got the IDSM-2 module installed, so can these both IDSM-2 modules be installed in active/standby or active/active combination...
    Can someone throw some light on this please...
    Regards
    Vijay.

    A sensor can enter bypass mode for several reasons, including, but not limited to:
    1) Analysis Engine reconfiguration
    2) Global Correlation updates
    3) Daily Signature DB self purge
    4) sensorApp failure
    Most of these reasons are benign. I have written Supportability Enhancement CSCtg69012 so that each bypass log will show the reason for entering bypass mode.
    The bug is available via the CCO Bug Toolkit: http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs.
    You may review the bug and click on the "Save Bug" button at the bottom of the page to receive email updates as changes are made to the bug's state.
    To fully diagnose your issue, I suggest opening a TAC case where we will request a "show tech," including debug level logs. This will allow us to see what is triggering the sensor to enter bypass mode.
    Thank you,
    Blayne Dreier
    Cisco TAC IDS Team
    **Please check out our Podcast**
    TAC Security Show: http://www.cisco.com/go/tacsecuritypodcast

  • Idsm 2- Inline Mode Deployment

    I would like to configure an IDSM-2 in inline mode, but I am having trouble with the deployment. I have a couple of questions:
    1. If you configure 2 (existing) VLANs as a VLAN pair, does this mean the existing connection between the 2 VLANs is broken,
    i.e. they can only communicate with each other via the IPS?
    2. Where is the best place to deploy this type of IPS?

    In an inline VLAN-pair scenario, the IDSM2 will bridge the VLANs together using VLAN tag swapping.  Below is a quick topo sketch of an inline design where this might be used.
    6500 MSFC--VL10--(inside) FWSM (outside)--VLAN 11--IDSM--VLAN 111--RTR--INTERNET
    In the example above, the FWSM outside and RTR inside interfaces sit on the same Layer 3 subnet but different Layer 2 VLANs. The IDSM is positioned inline using an inline VLAN-pair. Traffic leaving the FWSM towards the Internet will go into the trunk to the IDSM on VLAN 11. The IDSM will then swap the VLAN tag to 111 before forwarding the packet down the trunk. This process allows the traffic to be influenced into the IDSM for inspection.
    http://www.cisco.com/en/US/customer/docs/security/ips/7.0/configuration/guide/cli/cli_interfaces.html#wp1047718
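To make the tag swap concrete, here is an added Python example (not from the thread or from Cisco) that builds an 802.1Q-tagged frame and bridges it across the 11/111 pair from the sketch above the way the sensor does: the VID is replaced with its partner while the PCP and DEI bits are kept, a frame on a VLAN that is not paired is not bridged, and an inspection hook between receive and transmit stands in for a deny-packet-inline action. MAC addresses and the payload are constructed.

```python
"""Model the VLAN tag swap an IDSM-2 performs for an inline VLAN pair.

Added example (not from the original thread). The frame layout is standard
802.1Q: dst(6) src(6) TPID 0x8100(2) TCI(2) EtherType(2) payload. The sensor
behaviour modelled is: receive on one VLAN of a pair, inspect, transmit on
the other VLAN of the pair with only the 12-bit VID rewritten.
"""
import struct

TPID_8021Q = 0x8100


def build_tagged_frame(dst, src, vid, payload, ethertype=0x0800, pcp=0, dei=0):
    """Construct an 802.1Q-tagged Ethernet frame (no FCS)."""
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def vlan_id(frame):
    """Return the 802.1Q VID of a frame, or None if it is untagged or too short."""
    if len(frame) < 18:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    return tci & 0x0FFF if tpid == TPID_8021Q else None


def inline_bridge(frame, pairs, inspect=lambda f: True):
    """Forward a frame across its inline VLAN pair.

    pairs:   {vlan_a: vlan_b}; both directions are bridged.
    inspect: callable returning False to drop the frame (deny-packet-inline).
    Returns the re-tagged frame, or None if dropped or not on a paired VLAN.
    """
    partner = {**pairs, **{b: a for a, b in pairs.items()}}
    vid = vlan_id(frame)
    if vid is None or vid not in partner:
        return None  # untagged or unpaired VLAN: the sensor does not bridge it
    if not inspect(frame):
        return None  # a signature with a deny action fired
    tci = struct.unpack("!H", frame[14:16])[0]
    new_tci = (tci & 0xF000) | partner[vid]  # keep PCP/DEI, replace the VID
    return frame[:14] + struct.pack("!H", new_tci) + frame[16:]


if __name__ == "__main__":
    # Constructed addresses: FWSM outside interface -> RTR inside interface.
    fwsm_mac = bytes.fromhex("001122334455")
    rtr_mac = bytes.fromhex("66778899aabb")
    frame = build_tagged_frame(rtr_mac, fwsm_mac, 11, b"GET / HTTP/1.0\r\n\r\n", pcp=5)
    out = inline_bridge(frame, {11: 111})
    print(f"in on VLAN {vlan_id(frame)}, out on VLAN {vlan_id(out)}")
    print("reverse direction restores VLAN", vlan_id(inline_bridge(out, {11: 111})))
```

The same IP subnet lives on both VLANs, so nothing at layer 3 changes; only the tag does, which is why the FWSM and the router in the sketch can keep their addresses while all traffic between them is forced through the sensor.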

  • IDSM deployment in a live network...

    Guys
    We're about to deploy an IDSM in a live 6500 with IOS 12.2(18) sxd4 sup720...
    My questions are:
    1. Are there any issues we have to consider since it is a live network ?
    2. Do we need any downtime or will it interrupt the link ?
    3. Each of the 3 sites has a pair of 6500 and each core has an IDSM...what are Cisco's best practices/recommendations since it will be an initial deployment ?
    4. Which would be ideal to use, SPAN or VACL, for such a topology?
    Your input will be highly appreciated
    TIA.

    Here are some quick answers to your list of questions...
    1. Yes, there are some things to consider. The biggest one is the answer to your second question.
    2. IIRC, you'll have to power off the Catalyst chassis prior to installing the IDSM-2 line card. Since the switch won't have power, you'll definitely impact your link(s). I'd say this is a big consideration, in light of your first question.
    3. I’m not too sure what exactly you're asking here.
    Without a better explanation of the overall network topology and where exactly the IDSM-2 sensors will actually be deployed, it's difficult to offer up anything meaningful. As for best practices, it always depends on the network topology, so we'll need more info to help. BTW, I'm not aware of any definitive "Best Practices" documentation WRT deploying IDS/IPS in specific scenarios, if that’s what you’re looking for.
    4. The choice of SPAN or VACL is usually driven by what you're trying to monitor. If you want to watch all the traffic on your “ACCOUNTING” or “ENGINEERING” VLAN, you'd use VACL. If you want to watch all the switch ports that are connected to routers (uplinks, extranets, that kind of thing), SPAN is the way to go.
    I hope this helps,
    Alex Arndt
