Internet edge router & IPS

I am looking for some recommended settings or pointers for what to enable on an Internet-facing edge router (ISR). Currently the defaults have pretty much been accepted with regards to the IPS setup. The router was configured initially from the CLI and I am happy with this part, but all the IPS stuff was configured from SDM. At the moment it just reports for the 338 default-enabled signatures, however it can be configured to react (drop or reset connections). I am just looking for some recommendations or pointers as to what should be enabled.
I have noticed a performance hit with IPS enabled but nothing too bad, the main bottleneck is the ISP link.
Thanks
Andy

Andy,
Generally Cisco only denies packets for the signatures which correspond to the attack sig section; also, many of those would only be sending a log message rather than denying the packet. This is done to keep only the relevant signatures enabled and dropping traffic, and to avoid false positives. For most networks, these settings would be good enough. Integrating an IPS solution into your network is an ongoing process rather than a one-time implementation. You would need to keep an eye on the events and change the sigs accordingly, for a typical cycle of 2 months. So, if you see an event which refers to an ongoing attack, enable the sig. At other times, keep it disabled, as it would save a lot of CPU/memory cycles on the IPS (and would avoid a performance bottleneck).

Similar Messages

  • Internet Edge Router and the Firewall

    What is the best way to monitor an Internet Edge router from the Internal network behind the Firewall?
    We want to pull more information from the edge router, like NetFlow. We can use SNMPv3 and ACLs to keep the router secure.
    But I am looking for the best config to keep both the router and firewall as secure as possible while still allowing us to monitor performance and faults.
    I am running an ASA and a 2821.

    I'd start with locking down the router configuration if you haven't already. Cisco Configuration Professional (free) offers a nice GUI for analyzing and delivering all the necessary commands to secure the router.
    Getting Netflow from your router doesn't add much more than getting it from your ASA.
    If you're querying through the firewall to the routers using SNMPv3 (and have deleted the v1/v2 communities) that's one good step. The only other thing I might suggest is sending syslogs to your management system from the router. To do that you'll need to add an access-list and probably a NAT entry to your firewall to allow the incoming syslog traffic.
    Most important beyond all the technology is to make sure that your people follow a process to regularly analyze and act upon the information being reported and gathered. Without that, all the rest isn't worth the time it takes to implement it.

  • Internet edge router recommendations

    Hi all,
    Can anyone recommend a router (I'm considering an ASR 1002 with 10GE SPAs) that can support the following:
    10GE interfaces
    can handle 1.5 Gbps but scales up to 5-6 Gbps in different seasons
    takes on full internet routes from 2-3 providers
    will live on the internet edge

    Disclaimer
    The  Author of this posting offers the information contained within this  posting without consideration and with the reader's understanding that  there's no implied or expressed suitability or fitness for any purpose.  Information provided is for informational purposes only and should not  be construed as rendering professional advice of any kind. Usage of this  posting's information is solely at reader's own risk.
    Liability Disclaimer
    In  no event shall Author be liable for any damages whatsoever (including,  without limitation, damages for loss of use, data or profit) arising out  of the use or inability to use the posting's information even if Author  has been advised of the possibility of such damage.
    Posting
    You might want to also consider the ASR 1002-X.
    For a Cisco "router", I don't believe there's much else in the Cisco line-up that handles 10 gig interfaces at a lower cost than entry level ASRs. Some of the (entry) L3 switches with 10 gig likely will be less expensive, but such generally won't take full Internet tables, especially multiple copies.

  • IPS 4270 placement @ Internet Edge

    Given that I have the same topology as shown in Internet Edge Cisco IPS Design Best Practices and am basically inserting a 4270 appliance in INLINE mode.
    Core and Distribution Switch = Layer-3 routed links
    Distribution Switch and ASA = Layer-2 access port
    I'm wondering how the IPS sensors should be configured? I think I understand the methods below, but since my Core/Distribution links are layer-3, I'm not sure which method is going to work, since most require two VLANs ...
    1. Interface Pairing
    2. VLAN Pairing
    3. VLAN Group
    Does anyone have the same experience?
    Thanks in advance ...
    Gerard

    I have a 4270-20 positioned at the edge of my network. It sits between the outside of the firewall and our Internet router. The only problem with this model is that it makes tracking down threats very difficult, as the only thing you will ever see are the NAT'd public IPs for all your traffic.
    To get around this limitation, we created an additional interface in promiscuous mode and we SPAN the traffic on the link between our core switch and the internal interface of our firewall to it. This gives us complete outside protection and inside visibility. This is still not an ideal setup and we are in the process of re-architecting our internal traffic so that we can run two in-line pairs on the IPS. One internal, and one external.
    The best way to go is having the IPS in the firewall itself, but throughput on firewalls is often a concern, and unfortunately for Cisco, quite a limitation.

  • Is it recommended to use HSRP or multiple default between Core Layer Switch and Customer Edge Router?

    My client is asking me for the following:
    The client is using a router as the edge device. 2 WAN links from different service providers (each 20 Mbps) are terminated on the router. There are internal servers present in the network. The client wants to make the setup such that even if one WAN link fails, internet users should be able to access the web server. Moreover, if the edge router fails there should be a secondary edge device so that there is device redundancy.
    As per my understanding, in this scenario we need to do static one-to-one NATing (belonging to the WAN interface subnet). If we use two routers as customer edge and connect the core layer switch to these two routers, is it recommended to use HSRP/VRRP/GLBP, or two default routes on the core switch pointing to the two routers with equal AD value? We will also track the WAN link with the help of IP SLA.
    Which is the recommended solution: a router redundancy protocol or default routes?

    Just had another read of this post and some other points have come up.
    1) I assumed your secondary link was for redundancy but you talk about terminating both SP links on the same router in your first paragraph.
    Did you mean this or are you going to be terminating a link per router ?
    2) are you using the second router purely for backup ?
    3) something you didn't ask about but is relevant is the IP addressing. Are you using provider independent addressing or does each SP provide you with an address block?
    If it is the second then you are going to have an issue with the web server. The problem is which provider's IP do you use for the web server, i.e.
    if you use the primary provider IP then that will be the DNS record on the internet. If the primary router fails then the IP address will change on the secondary router but DNS will still be handing out the primary IP.
    If you enter both IPs (primary and secondary) into DNS then you would get load balancing but this means both links will be used and the secondary would not just be backup.
    In addition if one of the links fails then DNS does not know this so it will still be handing out the failed address as well as the address that is still up which means some connections will work and some won't.
    Jon

  • ACL's on the Internet Edge Routers

    I have one query on ACLs on the internet edge routers. If we configure the ACLs as per the below weblink on the edge routers, we may not get all the logs on the firewall, as the traffic is filtered at the router level and we do not enable logging on the router.
    http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml
    Unless we enable IDS on this segment there is no way of knowing any attacks towards the firewall or the router itself. I need some comments from security experts on this kind of implementation.
    Thank You very much,

    Hello Avil,
    You necessarily need to have an IPS on your segment to know all the attacks hitting your network! With the anti-spoof ACL applied, as given above, you are only blocking standard protocols or ports coming inside your network; there can still be attacks on known ports that you are allowing. If I had to capture that, I would either put an IPS on my network (or an SSM card with the ASA) or enable logging on devices and put a CS-MARS on my network. MARS is an extremely useful device, focused on increasing LAN security with real-time maps of attacks, and it also will say how to stop the attack! So, I guess only a couple of options here for you... not sure if anyone else has any other options...
    Hope this helps.. all the best..
    Raj

  • Securing Internet Edge Switch

    I am fairly familiar with hardening of Cisco routers acting as an internet gateway, like enabling SSH and blocking inbound access to private range IP addressing via ACLs, disabling, but what about switches? Is there a best practice on configuring a switch that is being used as a L3 device for internet access?
    Thanks...
    Andy

    Hi,
    For an L3 switch @ the internet edge, you can use similar security restrictions (ACLs, disabling services that are not needed, etc.) and in addition 'admin down' the ports that are not being used. In addition to that, if the switch IP is not required to be advertised to the internet, do not add the default route (you may need this in case of L3 behaviour, but you can judge better).
    hth
    MS

  • ASA for internet edge and internal zones

    Hi,
    Has anyone used a pair of ASA 5520s in HA to firewall the internet edge and to firewall traffic between internal security zones such as web and application layers? If so, is this best done using different security levels or contexts?
    I'm thinking of using a routed context for securing the internet edge and then using separate contexts for the web and application networks. Contexts will route via a L3 switch.
    Thanks,

    Thanks Varun
    I will probably configure the ASA in routed single mode and use security levels between the different zones. There is only 1 ISP in this environment and I also need to support VPN termination on the internet edge.
    In terms of sizing, the internet connection will be 300Mbps and the firewall throughput between zones needs to be above 500Mbps. I'm just thinking that the 5520 in active/standby will handle the internet bandwidth requirements but not the inter-zone requirements. Which model of ASA will be a good fit here?
    Thank you.

  • Traffic Policing on Service Provider Edge router.

    Hi,
    I'm confused about the traffic policing on the service provider edge router. Suppose I have taken internet bandwidth from my ISP and he says that they will give me 100 Mbps bandwidth burstable up to 1 Gbps. What does that mean? What is burstable here?
    I would appreciate it if anyone from a service provider organization can give the output of their edge router's running config. I just have to understand how they police our traffic. Here I'm talking about Internet leased lines.

    This is probably something you will have to get your service provider to answer. Different service providers use the term burst in a different context. Some SPs are "NICE" and will set up no policer or shaper and will purely monitor the link for fair use, allowing you to exceed what you have purchased as long as you don't abuse the privilege. Other service providers may set up a dual-rate policer with a CIR and a PIR to achieve the same. A third scenario is as explained above, where the SP will set up a policer for 100 Mb/s and then calculate the burst value at 1/8 of a second (or less in some cases), which allows your traffic to burst to full line rate for that time slice.
    There are other scenarios, but the point I'm trying to make is that service providers don't all do this the same way, which is why you should ask them what they mean and how long your traffic would be allowed to burst to line rate.
    PJ
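    To make PJ's third scenario concrete, here is an added example (not from the thread) that simulates a single-rate, two-colour token-bucket policer with a CIR of 100 Mb/s and a committed burst sized for 1/8 s of traffic, then feeds it a 1 Gb/s line-rate stream; the MTU-sized packets, the 100 ms duration and the policer model itself are my assumptions.

```python
# Constructed model of a single-rate, two-colour policer (assumed model, not an SP's config):
# tokens refill at the CIR, the bucket holds at most Bc bytes, and a packet conforms only
# if enough tokens are present when it arrives.

def committed_burst_bytes(cir_bps, burst_seconds=0.125):
    """Bc for a CIR of cir_bps when the SP sizes the burst at 1/8 s of traffic."""
    return int(cir_bps * burst_seconds / 8)

def police(packets, cir_bps, bc_bytes):
    """packets: ordered (arrival_seconds, size_bytes). Returns 'conform'/'exceed' per packet."""
    tokens, last = bc_bytes, packets[0][0]
    verdicts = []
    for t, size in packets:
        tokens = min(bc_bytes, tokens + (t - last) * cir_bps / 8)  # refill at CIR, capped at Bc
        last = t
        if size <= tokens:
            tokens -= size
            verdicts.append("conform")
        else:
            verdicts.append("exceed")  # what the SP drops or remarks
    return verdicts

def line_rate_stream(line_bps, duration_s, mtu=1500):
    """Back-to-back MTU-sized packets sent at line rate for duration_s (constructed traffic)."""
    gap = mtu * 8 / line_bps
    return [(i * gap, mtu) for i in range(int(duration_s / gap))]

def burst_profile(cir_bps=100e6, line_bps=1e9, duration_s=0.1):
    """Returns (conforming_bytes, seconds_until_first_exceed) for a line-rate burst."""
    bc = committed_burst_bytes(cir_bps)
    pkts = line_rate_stream(line_bps, duration_s)
    verdicts = police(pkts, cir_bps, bc)
    conforming = sum(s for (_, s), v in zip(pkts, verdicts) if v == "conform")
    first_exceed = next(t for (t, _), v in zip(pkts, verdicts) if v == "exceed")
    return conforming, first_exceed

if __name__ == "__main__":
    conforming, t_exceed = burst_profile()
    print(f"Bc = {committed_burst_bytes(100e6)} bytes; line-rate burst conforms for "
          f"~{t_exceed * 1e3:.1f} ms; {conforming / 1e6:.2f} MB of the 12.5 MB sent in 100 ms conformed")
```

    With these numbers the 1 Gb/s burst is conforming for only about 14 ms before the bucket drains; after that roughly one packet in ten conforms, which is the CIR re-asserting itself.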

  • Edge Router-Security

    Dears HI
    Please, which ports should be blocked on the edge router to prevent attacks on my network from the Internet? Please give me some ports that are used by attackers.

    Please, I didn't run BGP on this router. Can I protect this router or network from attack with ACLs, or do I need to install an ASA firewall?
    Yes, you can protect your router from attack using ACLs.  Regarding protecting the rest of your network, i.e. do you need something like an ASA, that depends on the security needs of the rest of your network.
    What firewalls offer, that "normal" ACLs usually don't do, is basing security on session state.  I.e. Firewalls often will restrict some/much external traffic to return traffic (some host on the inside had to start the session).
    But do you need a firewall?
    Again, depending on your interior network security needs, security features of a router might be sufficient. For example, you might only allow return traffic using a reflexive ACL (http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfreflx.html). Or you might only allow TCP traffic that has the established bit set (could be spoofed, but unless it matches what's expected by the directed-to host, the host will drop it). If you use NAT, return traffic must match an outbound session. Additionally, beyond ACLs, Cisco routers often support a security feature set that will provide additional firewall features, such as CBAC (http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/13814-32.html) or ZFW (http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-zone-design-guide.html).
    A dedicated firewall device, such as an ASA, is often needed when your security requirements cannot be met by the above. Is this true for you? Don't know. If you don't know, that's a question probably better answered by obtaining personal consultation. Network security, as a subject, is complex enough that Cisco offers security certifications from CCNA to CCIE.

  • Problems with accessing Internet through router (permanent IP)

    Hi.
    I changed hostname with sys-unconfig. Now computer has permanent IP address (non DHCP) and right hostname.
    Before this change I had access to Internet (hostname: "unknown" and DHCP).
    My computers access Internet through router.
    There is ping from my computer to router and another computer. Also other computer pings my computer.
    In DHCP tables my computer does not exist.
    I created file /etc/defaultrouter with IP of my router.
    Trying to access the Internet, the web browser (Mozilla) writes: "<site.com> could not be found. Please check the name and try again."
    I think there is a problem with DNS.
    How to configure my computer on Solaris 10 to access the Internet with current configuration?
    Thank you.

    To test DNS services without a browser (ie, to see if the
    system can be a DNS client), first use the command
    'nslookup'
    # /usr/sbin/nslookup sun.com
    Server: miki-class-gla.eclecticgroup.co.uk
    Address: 10.23.0.1
    Non-authoritative answer:
    Name: sun.com
    Address: 72.5.124.61
    # /usr/sbin/nslookup google.com
    Server: miki-class-gla.eclecticgroup.co.uk
    Address: 10.23.0.1
    Non-authoritative answer:
    Name: google.com
    Addresses: 64.233.167.99, 64.233.187.99, 72.14.207.99
    If this doesn't work, then your system isn't talking to a
    DNS server at all, so you need to check the contents
    of /etc/resolv.conf.
    If it does work, use the command 'getent' to check that your
    system as a whole is querying DNS for name-IP resolution.
    EG.
    # getent hosts sun.com
    72.5.124.61 sun.com
    # getent hosts google.com
    64.233.187.99 google.com
    72.14.207.99 google.com
    64.233.167.99 google.com
    If you don't get back IP addresses, your system isn't
    correctly configured as a DNS client.
    Look at /etc/nsswitch.conf, and find the line
    that starts 'hosts'.
    If it says
    hosts files
    then the system is not a DNS client.
    To correct this, edit that line to add the word dns on the end:
    hosts files dns
    That's it. No need to reboot.

  • IS IPSEC FEATURE REQUIRED IN THE CUSTOMER EDGE ROUTER ?

    Hi folks,
    In the context of IPVPN (MPLS), does the customer edge router have to
    support IPsec?
    Thanks,
    ConceptZone

    Hi
    But most banks always require additional security for their last-mile connections. And IPsec is always their choice, but they need to upgrade all CEs in order to run IPsec.
    jasrine47
    http://ciscorouterconfig.blogspot.com/

  • Looking for config example for qos marking on IOS edge router for UCCE

    I was going through the UCCE SRND for QoS config, and found the following sample, wondering if someone can provide a tested config example to configure the QoS on the edge router for UCCE.
    access-list 100 permit tcp host Public_High_IP any
    access-list 100 permit tcp any host Public_High_IP
    access-list 101 permit tcp host Public_NonHigh_IP any
    access-list 101 permit tcp any host Public_NonHigh_IP
    Second, classify the traffic using a class map:
    class-map match-all ICM_Public_High
    match access-group 100
    class-map match-all ICM_Public_Low
    match access-group 101
    policy-map ICM_Public_Marking
    class ICM_Public_High
    set ip dscp af31
    class ICM_Public_Low
    set ip dscp af11
    Finally, apply the marking policy to the incoming interface:
    interface mod/port
    service-policy input ICM_Public_Marking

    If you're going to use only two queues, and if you want to guarantee the one queue 35% of your egress bandwidth, you need to assign your two queues the ratio of 65:35; you'll need to adjust the four queue percentages to provide those two queues the same ratio.  Ideally you'll want something like share 0 65 35 0, but if you cannot assign zero, something like 40 13 7 40, 20 39 21 20, 10 52 28 10 should do.

  • Deny ICMP to Edge Router

    I am looking for an ACL I can put on my edge router to deny ICMP and telnet to my WAN port. The network has an internal firewall that is protecting the network but I think I should also deny access to my router from the outside. thanks in advance

    Along with Jorge's link, here's an ACL that conforms to DIACAP certification.
    ip access-list extended [ACL Name]
    remark Allow BGP
    permit tcp host [BGP Neighbor] eq bgp host [Local BGP Interface]
    permit tcp host [BGP Neighbor] host [Local BGP Interface] eq bgp
    remark Deny Historical Broadcast
    deny ip 0.0.0.0 0.255.255.255 any log
    remark Broadcast
    deny ip host 255.255.255.255 any log
    remark Local Host
    deny ip 127.0.0.0 0.255.255.255 any log
    remark Private Network
    deny ip 10.0.0.0 0.255.255.255 any log
    remark Link Local Networks
    deny ip 169.254.0.0 0.0.255.255 any log
    remark Test Net
    deny ip 192.0.2.0 0.0.0.255 any log
    remark Private Network
    deny ip 192.168.0.0 0.0.255.255 any log
    remark Class D Reserved
    deny ip 224.0.0.0 15.255.255.255 any log
    remark Class E Reserved
    deny ip 240.0.0.0 15.255.255.255 any log
    remark Private Network
    deny ip 172.16.0.0 0.15.255.255 any log
    remark HP Printer Default IP Address
    deny ip 192.0.0.0 0.0.0.255 any log
    remark IANA NS Lab
    deny ip 192.0.127.0 0.0.0.255 any log
    remark IANA Reserved
    deny ip 192.0.0.0 0.0.0.128 any log
    remark Unallocated / IANA Reserved
    deny ip 1.0.0.0 0.255.255.255 any log
    deny ip 2.0.0.0 0.255.255.255 any log
    deny ip 5.0.0.0 0.255.255.255 any log
    deny ip 7.0.0.0 0.255.255.255 any log
    deny ip 23.0.0.0 0.255.255.255 any log
    deny ip 27.0.0.0 0.255.255.255 any log
    deny ip 31.0.0.0 0.255.255.255 any log
    deny ip 36.0.0.0 0.255.255.255 any log
    deny ip 37.0.0.0 0.255.255.255 any log
    deny ip 39.0.0.0 0.255.255.255 any log
    deny ip 42.0.0.0 0.255.255.255 any log
    deny ip 77.0.0.0 0.255.255.255 any log
    deny ip 78.0.0.0 0.255.255.255 any log
    deny ip 79.0.0.0 0.255.255.255 any log
    deny ip 92.0.0.0 0.255.255.255 any log
    deny ip 180.0.0.0 0.255.255.255 any log
    deny ip 197.0.0.0 0.255.255.255 any log
    deny ip 255.0.0.0 0.255.255.255 any log
    remark Inbound from Own Subnet
    deny ip [Your Public Address Space] any log
    remark Block Traceroute
    deny ip any any option traceroute log
    deny tcp any any eq 27665 log
    deny udp any any eq 31335 log
    deny udp any any eq 27444 log
    deny udp any any eq 31337 log
    deny udp any any eq 31338 log
    deny tcp any any eq 16660 log
    deny tcp any any eq 65000 log
    deny tcp any any eq 33270 log
    deny tcp any any eq 39168 log
    deny tcp any any eq 47017 log
    deny tcp any any range 6711 6712 log
    deny tcp any any eq 6776 log
    deny tcp any any eq 6669 log
    deny tcp any any eq 2222 log
    deny tcp any any eq 7000 log
    deny tcp any any eq 65301 log
    remark Allow Specific ICMP
    permit icmp any host [Local Host for ICMP] echo
    permit icmp any any echo-reply
    permit icmp any any unreachable
    permit icmp any any time-exceeded
    remark Deny all other ICMP
    deny icmp any any log
    remark Allow Traffic to Public Network
    permit ip any [Your Public Address Space]
    remark Deny all other Traffic
    deny ip any any log
    This does change occasionally, the most recent version is always at
    http://kb.packetpros.com/?View=entry&EntryID=10
    HTH
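    As an added example (not part of the answer above), the following Python evaluator parses a constructed excerpt of that ACL with the bracketed placeholders filled in with documentation addresses, applies IOS first-match semantics, and reports which line catches a given inbound packet. It models only numeric ports and contiguous wildcard masks, so the posted `option traceroute`, `eq bgp` and `0.0.0.128` lines are left out of the excerpt.

```python
import ipaddress
from dataclasses import dataclass
# Constructed excerpt of the posted ACL with its placeholders filled in: 198.51.100.0/24
# stands in for "Your Public Address Space", 198.51.100.1 for the router's WAN address
# and 198.51.100.10 for the "Local Host for ICMP" (all documentation addresses).
ACL_TEXT = """
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 198.51.100.0 0.0.0.255 any log
deny udp any any eq 31337 log
permit icmp any host 198.51.100.10 echo
permit icmp any any echo-reply
deny icmp any any log
permit ip any 198.51.100.0 0.0.0.255
deny ip any any log
"""

@dataclass
class Packet:
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0       # TCP/UDP destination port
    icmp_type: str = ""  # "echo", "echo-reply", "unreachable", ...

def _addr(t, i):
    """Consume one address spec (any | host A | A WILDCARD); return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    # IOS wildcard bits set to 1 mean "don't care": invert to a netmask (contiguous masks only)
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(t[i + 1])))
    return ipaddress.ip_network(f"{t[i]}/{netmask}", strict=False), i + 2

def _ports(t, i):
    """Consume an optional 'eq N' or 'range A B'; return ((lo, hi) or None, next index)."""
    if i < len(t) and t[i] == "eq":
        return (int(t[i + 1]), int(t[i + 1])), i + 2
    if i < len(t) and t[i] == "range":
        return (int(t[i + 1]), int(t[i + 2])), i + 3
    return None, i

def parse_acl(text):
    """Parse extended-ACL lines into (action, proto, src, dst, dports, icmp_type) tuples."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] == "remark":
            continue
        src, i = _addr(t, 2)
        _, i = _ports(t, i)  # source-port qualifier: consumed but not matched here
        dst, i = _addr(t, i)
        dports, i = _ports(t, i)
        itype = t[i] if t[1] == "icmp" and i < len(t) and t[i] != "log" else ""
        rules.append((t[0], t[1], src, dst, dports, itype))
    return rules

def evaluate(pkt, text=ACL_TEXT):
    """First-match evaluation as IOS does it; returns (action, rule index); -1 = implicit deny."""
    for idx, (action, proto, src, dst, dports, itype) in enumerate(parse_acl(text)):
        if proto != "ip" and proto != pkt.proto:
            continue
        if ipaddress.ip_address(pkt.src) not in src or ipaddress.ip_address(pkt.dst) not in dst:
            continue
        if (dports and not dports[0] <= pkt.dport <= dports[1]) or (itype and itype != pkt.icmp_type):
            continue
        return action, idx
    return "deny", -1

if __name__ == "__main__":
    print(evaluate(Packet("tcp", "10.1.2.3", "198.51.100.10", 80)))                   # ('deny', 0)
    print(evaluate(Packet("icmp", "203.0.113.5", "198.51.100.1", icmp_type="echo")))  # ('deny', 6)
    print(evaluate(Packet("tcp", "203.0.113.5", "198.51.100.1", 23)))                 # ('permit', 7)
```

    The last packet shows the check the original question needs: if the router's WAN address sits inside the public block, telnet to it is still reached by the broad `permit ip any <public space>` line, so a deny for the router's own management ports has to sit above that permit. The "Unallocated / IANA Reserved" /8 list in such ACLs also ages quickly, since most of those blocks have since been assigned by IANA, and needs refreshing rather than copying.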

  • Securing Internet Connection on Internet Gateway Router

    Hi,
    I am looking for some suggestions as to how many different security features should be implemented on an IOS-based Internet Gateway Router.
    What are the different ways hacker attacks, DoS attacks and worm attacks can be prevented on IOS routers?
    I know it is a broad question, but a list of essential measures on IOS would be helpful.
    Fawad

    Hello,
    I would recommend:
    -Stateful inspection
    -uRPF checks
    -ACL's
    -Connection limits
    With that you will cover the essentials but of course as you know you need way more than a device to protect a network.
    Regards,
    Julio
