
Thread: cisco ids

  1. #1
    Senior Member
    Join Date
    Jul 2002
    Posts
    106

    cisco ids

    has anyone ever used the ids functionality that is built into the latest pix versions? i am wondering what other people think about it?


    bueller...bueller...anyone...anyone

  2. #2
    Member
    Join Date
    Jul 2002
    Posts
    38
    I have played around with it for the past couple of years. The PIX IDS functionality has improved quite a bit, but it is still very limited. Cisco is limiting the signature base on the PIX to those potential attacks that can concretely be identified as attacks and blocked at the exterior firewall level. I currently don't choose to do this since I don't want to block legitimate traffic. I'll let my more sophisticated IDSs do that...

    Since Cisco has released their own network IDS, I think they plan to keep the PIX signature base quite low. I have also played around with the Cisco IDS blade for the 6500-series switch chassis and it is coming along, but still not close to where the other commercial network IDS leaders are at.

    Back to the PIX... Let the firewall do its job, let the IDS do its job... If you don't have an IDS, give Snort a try--it's easy to install, set up, it's free, and has the largest attack signature base in the world. If you have the money to go the commercial route, ISS's new network IDS (v7.0) has come a long way and is a big improvement over their previous versions.

    ...aberration...
    "The most beautiful thing we can experience is the mysterious. It is the source of all true art and science."
    ~ Albert Einstein ~

  3. #3
    Senior Member
    Join Date
    Jul 2002
    Posts
    106
    so far ids feature in the pix did not look like it was as robust as a dedicated ids. as you mentioned, since they have their own ids product, it would make sense for them to keep the ids functionality limited on the pix.

    as for snort, i am trying to learn more about it now.

    thx aberration
    just making some minor adjustments to your system....

  4. #4
    Gray Haired Old Fart aeallison's Avatar
    Join Date
    Jul 2002
    Location
    Buffalo, Missouri USA
    Posts
    888

    Cisco 2620 Router

    Hi aberration,
    I have recently purchased this router new, and it has been brought to my attention that it has some IDS or firewall capabilities. I am sure Cisco will charge me a mint to activate these functions. Also, there is supposed to be a user-friendly config utility for this router that they want some $4500.00 US for. Can you enlighten me (us at AO) on this?

    Sorry ol' jeb if this is off the subject of your original topic discussion....forgive me, I am a newbie
    I have a question; are you the bug, or the windshield?

  5. #5
    Member
    Join Date
    Jul 2002
    Posts
    38
    Cisco has been wavering on their stance when it comes to configuration utilities for their products. When we purchased their PIX firewalls, they threw in the configuration apps with the appliances (I would hope so after we spent about $160K with them...). In terms of configuration of the routers and FWs, I just use a "telnet-based" connection using TACACS+ (provides session encryption) and manual ACL (access control list) creation. Once you get the hang of it, it's pretty easy and the manuals are usually very helpful. Specific to the 2620, I'm not too sure, since the lowest I have gone is the 3000-series. I can't imagine Cisco would treat their appliances too differently, and most use the standard IOS.

    But, it really depends on your traffic loads. If you expect your device to hit 50%, you won't want to enable the IDS as it dramatically increases utilization. I have enabled some traffic filtering on my border/edge routers (prior to the external firewalls), but I try to limit it to keep my routers healthy. As for the PIX, those things are workhorses and I have a tough time even getting one of them to breathe heavy (the routers will begin to drop packets, while the PIX sits at 10-15% utilization).

    If you have specific filtering, traffic mgmt questions, I may be able to help you out...

    ...aberration...

  6. #6
    Gray Haired Old Fart aeallison's Avatar
    Join Date
    Jul 2002
    Location
    Buffalo, Missouri USA
    Posts
    888

    Cisco 2620 Router

    This is an excerpt from a post I made earlier to give you an idea of my use. I have an ISP in my small town of 3000 or so population. The present modem box has 48 56k v90 modems, and I have another MAX6000 with 96 of the same waiting to go into use when I need it.

    This may enlighten those of you that might be curious about my "modem": this box cost me $12,500.00. I have this connected to 2 digital T1's (DCS circuits) for my dial-in customers, a Cisco 2620 router connected to 2 fiber optic T1's to the internet, and 1 Compaq ProLiant 6500R server for authentication and 3 Compaq ProLiant 2500R servers for mail, DNS, and web server, all running RAID 5 SCSI hot-pluggable hard drives, dual hot-pluggable power supplies, and UPSs for each power supply...etc. The link will give you all you might need to help me figure this out...I have tried everything I know up until now.

    http://www.lucent.com/knowledge/doc...aleId+1,00.html
    If you expect your device to hit 50%, you won't want to enable the IDS as it dramatically increases utilization. I have enabled some traffic filtering on my border/edge routers (prior to the external firewalls), but I try to limit it to keep my routers healthy.
    Do you think this might overload this router?

  7. #7
    Member
    Join Date
    Jul 2002
    Posts
    38
    From a sheer bandwidth perspective, you should be alright. I wouldn't expect your utilization to be above 20-30% with normal, average user use (of course, this is highly dependent on the number of subscribed customers you have and how many you expect to be on at any given time; if you implement more modems on your bank, you should still be doing pretty well). By implementing the IDS functionality, you could hit 50%, but that is a high estimate and still acceptable for solid router functionality.

    If you have the open ports available, you may want to use spanning sessions on the router to direct traffic to a Snort box to see if the IDS functionality on the router would even be necessary. Due to the limited set of signatures with the Cisco router/firewall appliances, very few alarms will be triggered and you may not get a very good feel for what may really be happening over your network. For example, if someone dialed in is infected with a virus or trojan, the Cisco router/firewall IDS functionality won't pick up on it, yet it could consume valuable bandwidth (e.g., Code Red/Nimda). Also, if someone really wants to target your network (i.e., DoS), enabling the IDS functionality will only aid in the attacker's purpose.

    My advice is to use spanning sessions to see what's out there and to use the results to more finely tune your router to specific conditions that it can do something about. You could also set up a syslog server, log all accepts and denies, and grep for specific traffic patterns.

    ...aberration...
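    The syslog approach from post #7 (log all accepts and denies, then look for traffic patterns), as an added example that is not from the thread: a small Python parser over constructed PIX (106023) and IOS (IPACCESSLOGP) ACL log lines that lists sources denied to several distinct destination/port pairs. The log lines and addresses are made up for the example; the field layout follows the common PIX/IOS ACL message styles and is an assumption, so adjust the regexes to what your devices actually emit.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of PIX 106023 and IOS IPACCESSLOGP
# ACL messages; the addresses are documentation ranges, not captured traffic.
SAMPLE_LOG = """\
Jul 14 10:01:02 pix %PIX-4-106023: Deny tcp src outside:192.0.2.10/40123 dst inside:10.0.0.5/135 by access-group "outside_in"
Jul 14 10:01:02 pix %PIX-4-106023: Deny tcp src outside:192.0.2.10/40124 dst inside:10.0.0.5/139 by access-group "outside_in"
Jul 14 10:01:03 pix %PIX-4-106023: Deny tcp src outside:192.0.2.10/40125 dst inside:10.0.0.5/445 by access-group "outside_in"
Jul 14 10:01:03 pix %PIX-4-106023: Deny tcp src outside:192.0.2.10/40126 dst inside:10.0.0.6/80 by access-group "outside_in"
Jul 14 10:01:05 rtr %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(51000) -> 10.0.0.5(80), 1 packet
Jul 14 10:01:06 rtr %SEC-6-IPACCESSLOGP: list 101 permitted tcp 198.51.100.8(51001) -> 10.0.0.9(25), 1 packet
"""

# Assumed message layouts (verify against your own syslog output).
PIX_DENY = re.compile(r'%PIX-\d-106023: Deny (\w+) src \w+:([\d.]+)/(\d+) dst \w+:([\d.]+)/(\d+)')
IOS_ACL = re.compile(r'%SEC-6-IPACCESSLOGP: list \S+ (denied|permitted) (\w+) ([\d.]+)\((\d+)\) -> ([\d.]+)\((\d+)\)')

def parse_line(line):
    """Return (action, proto, src, dst, dport), or None for lines we don't understand."""
    m = PIX_DENY.search(line)
    if m:
        proto, src, _sport, dst, dport = m.groups()
        return ('deny', proto, src, dst, int(dport))
    m = IOS_ACL.search(line)
    if m:
        action, proto, src, _sport, dst, dport = m.groups()
        return ('deny' if action == 'denied' else 'permit', proto, src, dst, int(dport))
    return None

def denied_targets_by_source(log_text):
    """Map each source IP to the set of (dst, dport) pairs it was denied to."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[0] == 'deny':
            seen[rec[2]].add((rec[3], rec[4]))
    return seen

def noisy_sources(log_text, min_targets=3):
    """Sources denied to at least min_targets distinct dst/port pairs: worth a closer look."""
    targets = denied_targets_by_source(log_text)
    return sorted(src for src, t in targets.items() if len(t) >= min_targets)

if __name__ == '__main__':
    targets = denied_targets_by_source(SAMPLE_LOG)
    for src in noisy_sources(SAMPLE_LOG):
        print(src, sorted(targets[src]))
```

Feeding the real syslog file into `noisy_sources` gives the short list the poster suggests grepping for; tune `min_targets` to the noise level of your own denies.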

  8. #8
    Junior Member
    Join Date
    Jul 2002
    Posts
    6

    Talking IDS & Firewalls

    I tend to shy away from combination firewall/IDS devices. One of the main purposes of an IDS is to detect if someone has defeated your perimeter defenses (firewall). If the IDS and the perimeter firewall are one and the same, the reliability of such a device comes into question if that device is defeated.

    That aside, Cisco's IDS has never truly impressed the critics. Although it always gets a decent rating, they rarely end up on top. Here are a couple of reviews on IDSs that include Cisco's.

    http://www.nwfusion.com/reviews/2000/1218rev2.html
    http://www.scmagazine.com/scmagazine...stc/prod1.html

    And a basic Q&A to each of the vendors regarding their products.

    http://www.gocsi.com/ques.htm

    I did an IDS review about a year ago. My preference is ISS's RealSecure. There's probably nothing wrong with the Cisco product (the Cisco product was not part of the review), but for my money, I'd rather look at a product made by a company whose focus is IDS, not networking, firewalls, switches, VPN concentrators, etc...

  9. #9
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Mikhail2, out of curiosity, what version of ISS were you playing around with? I have messed around with versions 5.0 - 7.0 and until the very recent versions 6.5/7.0, I was pretty unimpressed. We have test LANs to evaluate new things as they come out and it was rather disturbing (especially at 5.0) to watch the ISS sensor with its tweaked signature load completely miss 90% plus of the attacks...

    As far as the PIX ids goes, we played around with the added feature because we had idle CPU cycles sitting around and it was interesting to see the results; however, I wouldn't come close to making that my only source of information. Better to spread out your IDS capabilities across different platforms/vendors; they all have their own strengths/weaknesses. I personally would be interested in a firewall with an IDS capability. Although you are primarily interested in knowing what got through, it is also good to know beforehand that someone is trying to attack you or probe you...And in the case of obvious, known attacks like Nimda, Code Red, etc, just drop the packet...

    Neb
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  10. #10
    I know of a large credit card company that does in the range of 3000 transactions per second, who also told me that their Crisco IDS blades in their gig 6500s "fall over all the time".

    also, on a side note, why would you want to have an ids that is using sigs anyway? The ids is only as good as its last update right? What do you guys/gals think about protocol anomaly as a method for intrusion detection?
    freedom is a road seldom traveled by the multitude

    freedom ain't free
