topic idsm-vacl-help in Network Security

idsm-vacl-help

networksecurity2010 — Sun, 10 Mar 2019 12:16:08 GMT

Hello

Can someone please clarify on the below configuration

We use eigrp,bgp, multicast,ipx on the network. can someone please clarify the below config specially the access-list allow_all and the action. The access-list do have ip any any. Since we use eigrp,multicast, ipx we have added the extra lines we think are required. dont want the network to crash after the application of vlan access-list. will this cover all traffic we have?Thanks

vlan access-map IDS_CAPTURE 10
match ip address customized_traffic
action forward capture

vlan access-map IDS_CAPTURE 20
match ip address allow_all
action forward
!
vlan filter IDS_CAPTURE vlan-list 29-30,40,60,90,100

ip access-list extended allow_all
permit ip any any
permit 111 any any (ipx)
permit icmp any any
permit eigrp any any
permit pim any any
ip access-list extended customized_traffic
deny ip 10.10.60.0 0.0.0.255 10.10.40.0 0.0.0.255
deny ip 10.10.40.0 0.0.0.255 10.10.60.0 0.0.0.255
permit ip 10.10.60.0 0.0.0.255 10.10.30.0 0.0.0.255
permit ip 10.10.30.0 0.0.0.255 10.10.60.0 0.0.0.255
permit ip 10.10.30.0 0.0.0.255 10.10.40.0 0.0.0.255
permit ip 10.10.40.0 0.0.0.255 10.10.30.0 0.0.0.255
permit icmp any host 10.10.60.11
permit icmp host 10.10.60.11 any
permit ip any any

Re: idsm-vacl-help

Farrukh Haroon — Sun, 20 Feb 2011 07:25:48 GMT

Hello

Since you have 'permit ip any any' in the first VACL clause, no IP traffic will ever hit the second VACL clause.

Regards

Farrukh

Re: idsm-vacl-help

networksecurity2010 — Mon, 21 Feb 2011 13:14:11 GMT

Hello

Thanks for the response

ip any any in the customized_traffic has clause with action capture , can you please clarify the second clause with action as forward will not be hit. shouldnt the action capture should only capture the traffic?

my other question about the protocol number ipx (111), eigrp, igmp,pim ,we think its required though we have ip any any permit in the second clause. will can you please enhance on it.

Thanks

Re: idsm-vacl-help

networksecurity2010 — Mon, 21 Feb 2011 14:27:50 GMT

I got your point because only forwarded packets can be captured

so in my first clause i can have with action forward and capture

permit ip any any

in my second clause i can have only forward and no capture

permit 111 (ipx) any any

permit eigrp any any

permit igmp any any

then i can control which vlans i can add in the filter list to capture traffic

i have a question if you can please answer

MSFCA -vlan10---MSFC vlan20 ---fwsm vlan20. Valns 30,40,50 assigned to vlan fwsm. Valn 10 of msfc connected to ISP

then in caputre list we add vlans20,30,40,50. If a host on the interenet which gets routed via vlan 10 ( can be any ip address) say 4.2.2.16 access an ip address 40.2.2.2. This 40.2.2.2 is vlan 20

so the packet from 4.2.2.16 comes to vlan 10 on msfc for 40.2.2.2 , msfc looks for arp on vlan 20,fwsm has a static for 40.2.2.2 with 192.168.30.2 which is on vlan 30, the packet then goes from vlan 20 with source as 4.2.2.16 and nat to 192.168.30.2 from fwsm to vlan 30 . destination replies back , packet goes from vlan 30, 20 and 10

The question is packet is originated from vlan 10, goes to vlan 20 and then reach 30 and vic versa. but vlan filter and idsm is configured to capture traffic vlan 20,30. will the traffic from source 40.2.2.2 will be captured and if anything malicious will idsm fire an alert

Thanks

Re: idsm-vacl-help

Farrukh Haroon — Tue, 22 Feb 2011 08:37:36 GMT

Hello

If i understand your packet flow correctly; the packet should reach the IDSM-2 in the described scenario.

The best way is to enable the ICMP ECHO/ECHO REPLY signatures and test out the scenario.

Please rate if helpful

Regards, Farrukh