Solved: Re: IDS for 1841 ?

scanaan · ‎11-17-2010

i have new requirement for an IDS.
currently running a 2xT1 on a cisco 1841 with ios= advanced enterprise services 12.4.25a.
only other requirement i need is crypto feature for ipsec vpn.

i saw this document:
Cisco IOS Firewall Intrusion Detection System

http://www.cisco.com/en/US/docs/ios/12_0t/12_0t5/feature/guide/ios_ids.html

when i try "router conf>ip audit"
i get a 'not recognized command' which i guess is b/c its not part of the 12.4 features.

i tried the ios navigator and found i might need c1841-advsecurityk9-mz.151-2.T.bin HOWEVER when using the tool i requested BOTH IP SEC & IDS no products were found.

questions:
1. what do i need for an ids with my 1841? ios? software based (like snort?) is it true i must have a network tap or a switch with a span port?
2. is there an ios that has both crypto and IDS?

thanks.

Scott Fringer · ‎11-18-2010

For the 1841 router you have two options:

install the AIM-IPS module to provide hardware-based IPS services to the router
implement the IOS IPS feature set which is software-based

You can find out more about the AIM-IPS here:

http://www.cisco.com/en/US/prod/collateral/routers/ps5853/ps5875/product_data_sheet0900aecd806c4e2a_ps2641_Products_Data_Sheet.html

You can find out more about the IOS IPS feature set here:

http://www.cisco.com/go/iosips

Scott

View solution in original post

Leo Laohoo · ‎11-17-2010

Someone has successfully tried to download the IPS signature into a ISR G1 router and he said that's all he does regularly. Don't know if this'll work for you.

One more thing ... IDS on an 1841? I don't know if this has enough "umph" to do it.

Cisco Intrusion Prevention System Signatures

Scott Fringer · ‎11-18-2010

For the 1841 router you have two options:

install the AIM-IPS module to provide hardware-based IPS services to the router
implement the IOS IPS feature set which is software-based

You can find out more about the AIM-IPS here:

http://www.cisco.com/en/US/prod/collateral/routers/ps5853/ps5875/product_data_sheet0900aecd806c4e2a_ps2641_Products_Data_Sheet.html

You can find out more about the IOS IPS feature set here:

http://www.cisco.com/go/iosips

Scott

scanaan · ‎11-18-2010

hello,

not IPS rather IDS, unless im missing something and the IPS includes an IDS in it?

i also have an ASA 5510 which i am not using since i lack the know how of how to use it with the 1841, the idea was to leave the routing to the 1841 and let the ASA handle the VPN and whatever else it can do (which is?) but how to make them work together etc i need to learn.

but if the ASA can do IDS it could work, buit i didnt see any product for the ASA that CAN. i saw an IPS module for the ASA however as i mentioned above i need an IDS not IPS.

any help / point of view is appreciated. so far i learned the 1841 doesnt have enough "umph". is the 2800 the next platform with enough umph?

thank you

Scott Fringer · ‎11-18-2010

The IPS options available from Cisco can be configured to operate in IDS mode; the difference being whether the device is configured to operate inline of the traffic flow (IPS) or only inspecting a copy of the traffic (IDS). Both the AIM-IPS module for the Cisco 1841 and the AIP-SSMs for the ASA can be configured to operate like an IDS by being configured in promiscuous mode.

Scott