Re: Advice on IDS product - Pt 2

From: SysAdm (wjones@sitesmith.com)
Date: 02/16/03


From: "SysAdm" <wjones@sitesmith.com>
Date: Sun, 16 Feb 2003 01:59:04 +0000 (UTC)


"Dee Bee" <db2853@whycertainly.net> wrote in message
news:dh53a.7710$jR3.4075590@news1.news.adelphia.net...
> Hello... Just posted a question about IDS products and got several
> informative responses. I'm now looking into RealSecure, or upgrading my
> Cisco IOS to the FW/IDS version as the two most likely ways to go.
>
> The answers raised a couple of additional questions though...
>
> * My first posting mentioned that I had a Web server, proxy server, and
> Terminal Services to protect. Everyone mentioned loading software on those
> machines, which (probably due to my inexperience in this area) surprised me.
> For performance and simplicity I had planned to drop another box in between
> the Cisco router and the switch that those machines are connected to... no
> extra processes on my servers, 1 configuration to maintain, etc. Would that
> work, or are there other considerations I'm missing?
>
> * In comp.dcom.sys.cisco I've read a few postings to the effect that adding
> the firewall features will give me a 30% performance loss. At 1.5 million
> packets (each direction) per day, is that a valid concern?
>
> * What's the learning curve for IOS FW/IDS? Any suggested books for a
> (relative) beginner? Does it have a decent default IDS configuration, or do
> I need to "build" all of the needed IDS rules from scratch?
>
> Thanks again!
>
> Dee Bee
>

1st question answer:
Security isn't just a single plug-in solution, it's layered. Hence a firewall
is only part of the solution/equation. As far as IDS is concerned, there is
NIDS and HIDS (network / host) -- think of it as the NIDS looking at packets
coming into your IP environment, and HIDS which looks at packets specific to
a host. Security is not a 1-box-stop. It's oh so much more than that.

question 2:
Of course, it's true to say that there would be a direct performance loss for
installing and running the IDS/FW IOS on your 2600 -- but then you're asking
the router CPU to do much more than just layer 3 routing. Only you can
answer if your 2600 is up to the job, and the only way you can do that is to
know how much work your 2600 is presently doing. If your stats are 1.5M
ppd, then you have nothing to worry about. Even the 2610 can handle
15Kpps... (remember though, as soon as you start thinking about VPNs then
you *will* see real performance issues -- although, luckily for you, there is
an AIM module which will plug in and take all the encrypt processing off the
system CPU -- it's good for 300 3DES tunnels (*I haven't tried that, and I
doubt it v.much, but that's ciscospeak for you*))

question 3:
If you know IOS, the FW/IDS feature set is pretty easy to set up - it comes
with a load of defaults preconfigured (e.g. IDS signatures etc.). cisco.com
has a plethora of information for setting up these devices, and it's all
freely available. If you are a beginner with IOS (or maybe even
networking) then I would honestly recommend you either start studying (start
with CCNA), or get someone in who knows it. What's the point of putting a
*security* solution in incorrectly?

SysAdm
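As an added illustration of SysAdm's point in question 3 (this is not part of the original thread and not a configuration either poster published), here is roughly what a minimal IOS Firewall/IDS feature-set configuration of that era looked like on a 2600: the IDS side is enabled with its built-in signature set (the "defaults preconfigured" the reply mentions) rather than hand-written rules, and CBAC inspection on the inside interface opens return traffic through the inbound ACL on the outside interface. Interface names, the rule names `IDS-IN`/`FW-OUT`/`OUTSIDE-IN` and the documentation address 192.0.2.10 are constructed placeholders; the command syntax is the classic `ip audit`/`ip inspect` form from IOS 12.x as I recall it, so check it against the IOS release actually running before relying on it (later IOS releases replaced `ip audit` with `ip ips`).

```cisco
! --- IDS (built-in signatures, nothing written from scratch) ---
! Send alarms to the router's logging path (syslog) rather than a Director
ip audit notify log
! Limit queued events so an alarm flood cannot exhaust memory
ip audit po max-events 100
! Informational signatures: alarm only.  Attack signatures: alarm, drop
! the packet and reset the TCP session.
ip audit name IDS-IN info action alarm
ip audit name IDS-IN attack action alarm drop reset
!
! --- Stateful inspection (CBAC) for traffic leaving the inside ---
ip inspect name FW-OUT tcp
ip inspect name FW-OUT udp
ip inspect name FW-OUT http
!
! Outside (Internet-facing) interface: ACL inbound, IDS audit inbound.
! CBAC punches temporary holes in OUTSIDE-IN for replies to inside sessions.
interface FastEthernet0/0
 description Outside - to ISP (placeholder interface name)
 ip access-group OUTSIDE-IN in
 ip audit IDS-IN in
!
! Inside interface: inspect sessions as they start from the LAN
interface FastEthernet0/1
 description Inside - to server switch (placeholder interface name)
 ip inspect FW-OUT in
!
! Only the published web server is reachable unsolicited from outside;
! everything else is denied and logged (192.0.2.10 is a placeholder).
ip access-list extended OUTSIDE-IN
 permit tcp any host 192.0.2.10 eq www
 deny ip any any log
```

After applying it, `show ip audit configuration` lists the active signature set and `show ip inspect sessions` shows the dynamically opened return-path entries, which is the quickest way to confirm the two halves are actually doing work on the expected interfaces. This is also the configuration whose CPU cost the reply to question 2 is talking about: `show processes cpu` before and after enabling it is the measurement SysAdm says only the operator can make.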
