IDS Module on 6k Catalyst and PIX 535 and management

p.emery
Level 1

Hi

I would like to implement 2-3 IDS modules on a Cat6k,

and each IDS module will be used to monitor a Gigabit connection going to the PIX.

How many IDS modules on a Cat6k? What is the maximum?

Should management of the PIX and IDS now be done from the CiscoWorks 2000 security management module, I believe, or do I still need CSPM 2.3 i and f on a separate workstation?

The blocking option is still not possible with the IDS module on the Cat6k, but is TCP reset possible?

thanks and best regards

hpilippe

1 Reply

mhossain
Cisco Employee

Hi,

The performance of a single IDSM ranges from 120 - 250 Mbps, depending on average packet size.

There are ways in which you may use the current IDSM (Catalyst 6K line card) to monitor Gig lines. Firstly, you may insert multiple IDSMs in the switch and direct groups of VLANs at each IDSM, depending on the aggregate bandwidth utilization of the group of VLANs that will be directed to a single IDSM. On a 6509, for example, you have 8 slots available for IDSMs. The aggregate performance from such a solution (i.e. multiple IDSMs in the chassis) would be the performance number of a single IDSM X the number of IDSMs in the chassis of the switch.

Secondly, you may use security VACLs (VLAN ACLs) to focus only on a subset of the aggregate traffic by being able to specify layer 3/4 filtering criteria. You first designate your capture destination (sniffing port). Then, based on the filtering criteria, any data packet tagged as a capture packet is directed to the IDSM for signature analysis. So, you may choose to only inspect HTTP traffic from one subnet to another, or only inbound traffic. So if we use the latter example, and you choose to only inspect inbound traffic on a gig line since this is what has been defined as the only security-relevant traffic, and the ratio of the outbound traffic to inbound is, say, 10:1, we could essentially monitor a gig line with a single IDSM.

The IDSM is set up initially using setup commands in CatOS. Following this, command & control is transferred to the management console. The management consoles available for this are CSPM and the Unix Director.

Shunning (blocking) is not currently supported on the IDSM but will be supported in the next release of the IDSM sensor s/w (CS IDSM 3.0) in the next 3-4 months.

TCP resets are not supported on the IDSM.

Let me know if you have any other questions. When you get around to deploying it, let me know so I may send you some handy tech tips/quick start docs. on this/other product(s).

Regards,

Munawar Hossain

IDS Product Manager
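The VACL capture approach described in the reply above, written out as a CatOS configuration. This is an added example, not configuration from the original post or from Cisco documentation: the IDSM slot (4, monitoring port 4/1), the VLAN carrying the PIX link (100), and the inside network (10.1.0.0/16) are all assumptions, and the command syntax is CatOS 6.x as recalled here, so check it against the command reference for the release actually in use. It captures only HTTP traffic bound for the inside network, which is the "HTTP from one subnet to another, inbound only" case the reply mentions, and leaves everything else forwarding untouched.

```text
# Added example, not from the original post. Assumed: IDSM in slot 4 with
# monitoring port 4/1, PIX-facing VLAN 100, inside network 10.1.0.0/16.

# 1. Build the VLAN ACL. Only entries ending in "capture" are copied to the
#    capture port. The trailing "permit ip any any" is essential: a VACL has
#    an implicit deny, so without it every non-matching packet on the VLAN
#    is dropped, not just left uninspected.
set security acl ip IDS_CAPTURE permit tcp any 10.1.0.0 0.0.255.255 eq 80 capture
set security acl ip IDS_CAPTURE permit ip any any

# 2. Commit the ACL from the edit buffer so it takes effect in hardware.
commit security acl IDS_CAPTURE

# 3. Map the ACL to the VLAN that carries the Gigabit link to the PIX.
set security acl map IDS_CAPTURE 100

# 4. Name the IDSM monitoring port as the destination for captured packets.
set security acl capture-ports 4/1

# 5. Verify what was committed, where it is mapped, and where capture goes.
show security acl info IDS_CAPTURE
show security acl map IDS_CAPTURE
show security acl capture-ports
```

To widen inspection to all inbound traffic rather than only HTTP, replace the first entry with `permit ip any 10.1.0.0 0.0.255.255 capture`; the bandwidth reaching the IDSM then tracks the inbound share of the link, which is the 10:1 argument the reply makes. Whatever filter is chosen, the IDSM sees only packets the ACL marks for capture, so the filter is also the blind spot: anything excluded here is never analysed.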
