topic Re: FWSM & IDSM2 in Network Security

FWSM & IDSM2

estelamathew — Mon, 11 Mar 2019 18:26:19 GMT

Dear's,

Any different configuration for 6500 or IDSM-2 if i m placing with FWSM???? . I will place IDSM-2 in inline vlan pair mode,and all SVI will be created on FWSM instead of MSFC.

Any suggestion please on above design and configuration.

Thanks

Re: FWSM & IDSM2

estelamathew — Tue, 17 Aug 2010 20:18:18 GMT

Hello Dears,

Nobody has ever been before installed IDSM-2 with FWSM????? Experts i need ur hints before implementing.

Thanks,

Re: FWSM & IDSM2

mikecrowe4ICS_2 — Tue, 17 Aug 2010 23:23:30 GMT

I have implemented a a similar configuration before, except that my IDSMs were in promiscuous mode using VACLs to capture traffic. Also, my FWSMs were in transparent, multi-context mode. That certainly made things more complicated.

But, no, there's not really any "special" or different configuration you will need to do. Just remember that you will want to create 2 virtual sensors -- one for the inside network, and one for the outside.

Apart from the configuration guides for each module, as well as the 6500 config guide, I would suggest reading through some of Cisco's SAFE Reference Guide. In particular, be sure to read the chapters for Enterprise Internet Edge (Ch. 6) and Enterprise WAN Edge (Ch. 7).

Re: FWSM & IDSM2

lambay2000 — Thu, 19 Aug 2010 19:18:34 GMT

Hi,

Why we need to create 2 virtual sensors 1 for inside and 1 for outside??? Can u explain me??.

Thanks

Re: FWSM & IDSM2

Scott Nishimura — Thu, 19 Aug 2010 19:52:56 GMT

hello.

The use of two virtual sensors would be needed if the same traffic is passing through IDSM twice. If using just 1 virtual sensor and it sees it twice, it would drop it. You would see this using inline and if it was being bridged which would cause the traffic to be identical.

-scott

Re: FWSM & IDSM2

estelamathew — Fri, 20 Aug 2010 11:41:54 GMT

Hello,

In 1 virtual sensor also traffic is passed 2 times to IDSM-2.

Example for inline vlan pair mode.if i want to allow inter-vlan routing from vlan 100 to vlan 200.

INLINE VLAN PAIR: vlan 1 and vlan2 are real SVI interface and vlan 100 and vlan 200 are virtual just for pairing.

vlan 1 to 100

vlan 2 to 200

USER-PC SWITCH SVI SWITCH SVI USER-PC

vlan 100----IDSM--------int vlan1 SVI --- ----int vlan2 SVI-------IDSM----vlan 200

UR help will be appreciated.

Thanks.

Message was edited by: estela mathew

Re: FWSM & IDSM2

Scott Nishimura — Fri, 20 Aug 2010 17:24:29 GMT

hi Estela,

In your situation, having the same idsm inspect at two different points of your network with the same virtual sensor should be fine as the key part is that you are intervlan routing it. By doing so, the packet is being altered and therefore the virtual sensor is not seeing an identical packet. We used to see this alot in the past when inline was a new feature and people were using 1 virtual sensor for multiple points and the traffic remaining the same due to bridging. They introduced multiple virtual sensors to get around this later on.

But with your scenario, you should not run into that problem because you are intervlan routing between the two segments.

hope that helps.

-scott

Re: FWSM & IDSM2

estelamathew — Fri, 20 Aug 2010 19:08:14 GMT

Hello Scott,

I did'nt understood ur reply?? The packet is being altered where ????

Can u explore more the traffic flow for normal Intervlan routing without a FWSM and second option if i place a FWSM and my users vlan wants to access servers in DMZ vlan how the traffic flow will be.

I hope very less Engineers in community has implemented IDSM-2 with FWSM,

Awaiting ur reply.

Thanks

Re: FWSM & IDSM2

Scott Nishimura — Fri, 20 Aug 2010 19:30:59 GMT

Hi Estela,

Since you are intervlan routing the traffic, the packet's mac addresses are altered and it ttl gets decremented, etc.. these changes are seen by your IDSM virtual sensor so it treats it as new versus seeing the exact same packet -- same mac addresses, etc if it was bridged.

The intervlan routing is the key part here to preventing the virtual sensor from seeing the same packet twice when you are setting inline on both sides.

From the perspective of the IDSM, it doesnt care whether its being intervlan routed by the switch or if the fwsm is handling the routing for those vlans.

That is probably the reason why you dont read much about this as it doesnt really know about the fwsm in the switch. Are you running into a problem when you have both operating at the same time?

regards,

scott

Re: FWSM & IDSM2

estelamathew — Fri, 20 Aug 2010 19:53:51 GMT

Hi Scott,

Please read the thread below of MARCABAL he is also explaining to create 2 virtual sensors if FWSM is in place,but still i m not clear with the traffic flow if IDSM and FWSM together installed in 1 switch,

https://supportforums.cisco.com/thread/245833

By reading the above thread if u can help me to explore the traffic. For example if users vlan want to access DMZ Server vlan if FWSM is in place.

Question:Are you running into a problem when you have both operating at the same time?

Answer: Upcoming project may be next week.

Thanks,

Re: FWSM & IDSM2

Scott Nishimura — Fri, 20 Aug 2010 20:02:42 GMT

hi Estela,

I'm not really seeing any problem with the description of the other link. Running with multiple virtual sensors is fine. I was just answering your question on the reasoning behind why you need to run multiple virtual sensors. Since the fwsm is handling the routing, the traffic will be routed by the fwsm. Since the IDSM is only inspecting the traffic, the inline can be put anywhere. Usually people monitor the inside and outside. The firewall doesnt care about the IDSM monitoring the traffic.

Example:

host a sends traffic on vlan 1 which is bridged by the IDSM doing inline to vlan 2. Vlan 2 is then intervlan routed to vlan 3 which is bridged by the same IDSM doing inline to vlan 4 where the server is.

That would be the path of the traffic flow.

thanks,

scott

Re: FWSM & IDSM2

estelamathew — Fri, 20 Aug 2010 20:29:00 GMT

Hello Scott,

Question:I was just answering your question on the reasoning behind why you need to run multiple virtual sensors.

Answer: Uptil now I was thinking of only 1 virtual sensor but Michael Crowe in the above thread he wrote to use 2 virtual sensor 1 for inside and 1 for outside,

Can u explore when we need 2 virtual sensor when inside and outside traffic is to be monitored. As usual the traffic what i was going to monitor from user vlan to server -DMZ vlan the same i will monitor for outside vlan then why michael post that we should have 2 virtual sensor for inside and outside.

From ur above reply can u answer the below question.

Question:We used to see this alot in the past when inline was a new feature and people were using 1 virtual sensor for multiple points and the traffic remaining the same due to bridging. They introduced multiple virtual sensors to get around this later on.

Answer ???

Thanks

Re: FWSM & IDSM2

Scott Nishimura — Fri, 20 Aug 2010 20:34:23 GMT

Hi Estela,

I cant really comment on the design however, since you are using intervlan routing between the two inlines, you can get away with running one virtual sensor. You may use two virtual sensors if you want.. again, that is the reasoning for the multiple virtual sensors.

Since you have up to 4 virtual sensors, you can use two of them for this.

thanks,

scott

Re: FWSM & IDSM2

estelamathew — Fri, 20 Aug 2010 20:39:28 GMT

Hello Scott,

I appreciate ur replies and being with me to help , just need to be clear for each and every point rather being a Parrot engineer.

From ur above reply can u answer the below question.

Answer ???

Tell me any scenario with traffic flow explanation says that we need 2 virtual sensors

Thanks

Re: FWSM & IDSM2

Scott Nishimura — Fri, 20 Aug 2010 20:51:05 GMT

hi Estela,

not a problem.. glad to help you. the scenario that comes to mind is if you were bridging two vlans for whatever reason maybe another external device connected to the 6500 switch. something like this:

vlan1----IDSM2-----vlan 2-----switch-------externaldevice-----switch----vlan3----IDSM2----vlan4

everything was bridged.. not sure why you would, but if it were, then the packet would be the same throughout the entire flow.

With the IDSM2, you wont really run into this much, with our external 42xx series IPS devices, you could and because the code is the same base, you would need 2 virtual sensors like this:

host A-----inline4200IPS----vlan1switch------inline4200IPS---host B

simplified.. of course.

regards,

scott

Re: FWSM & IDSM2

estelamathew — Fri, 20 Aug 2010 21:26:03 GMT

Hello Scott,

you would need 2 virtual sensors like this:

host A-----inline4200IPS----vlan1switch------inline4200IPS---host B

Really i did'nt understood the above diagram,

If suppose i dont have a IDSM-2 and i have a 4200 series IPS still the traffic flow is same as such it was for IDSM-2.

Pairing:real SVI created for vlan 2 and 3 and dummy vlan 1 and 4

vlan 1 to 2

vlan 3 to 4

vlan 1 vlan4

hostA--- 4200----int vlan2--------int vlan 3------4200----hostB

The above diagram is for 1 virtual sensor

Thanks

Re: FWSM & IDSM2

Scott Nishimura — Fri, 20 Aug 2010 21:29:09 GMT

Hi Estela,

yes, that is correct.. not much difference, except in your diagram, you would be also bridging vlan 2 to vlan 3 keeping it L2 the entire way.

regards,

scott

Re: FWSM & IDSM2

estelamathew — Fri, 20 Aug 2010 21:39:51 GMT

Hello Scott,

Vlan 2 and vlan 3 are already bridging by 1 and 4. 1 and 4 are dummy vlan only for bridging purpose.

i made a mistake is typing in above mail pairing option

Can u explain me the below lines

With the IDSM2, you wont really run into this much, with our external 42xx series IPS devices, you could and because the code is the same base, you would need 2 virtual sensors like this:

host A-----inline4200IPS----vlan1switch------inline4200IPS---host B

thanks

Re: FWSM & IDSM2

Scott Nishimura — Fri, 20 Aug 2010 21:42:26 GMT

Hi Estela,

yes, thats correct.. if vlan 2 and 3 were also bridged, then it would be L2 straight through from both end points.

As mentioned earlier, its not as prevalent nowadays.

regards,

scott

Re: FWSM & IDSM2

estelamathew — Fri, 20 Aug 2010 21:47:40 GMT

Thank u very much Scott for ur replies,

We will continue tomorrow as it is 2:00 midnight here,and also 1 task assigned in weekend.

Thanks see u tomorrow i will review the thread again and see it gets more clear or not,

Thanking once more for being with me.