IDS Question

Rex Biesty · ‎10-29-2010

Hi. We have a Cisco IDS 4215 along with 2x Cisco Pix 515e's. I manage the Pix's but know nothing about the IDS (neither does anyone else here, it was installed by a 3rd party long ago). We have a situation where traffic from an external supplier is occasionally getting dropped (they come in over a site-to-site VPN). We've already established (from the firewall syslogs) that the SYN-ACK packets are getting lost somewhere and I want to rule out the IDS. What would the consequences be of me switching off the IDS for 1 day? If problem persists then I can rule that out. If problem goes away then I'll know it's IDS and know where to concentrate my efforts.

Thanks

Rex

abinjola · ‎10-29-2010

Does the IDS box comes in the picture after packet has been decrypted on Pix's ?

a#What you can do to isolate the issue is to turn the bypass mode ON on the IDS box which would bypass packet processing and sensor merely acts as a bridge in the network, the drivers no longer sends the packet to sensorApp for processing, see if the issue persist ?

b#Secondly, if you have lot of assymetric traffic flowing than normalizers 1330's may be causing the packet drops, if from above a# you know for sure sensor is causing the trouble than you may enable assymetric flows through the sensor to isolate pointb#

let me know how it goes !!

Panos Kampanakis · ‎10-29-2010

If the packets are encrypted it doesn't make sense for SYN-ACKs to be missing. The IDS just sees encrypted UDP packet, so it can't know to drop the SYN-ACKs only. So, if that is the case, I am skeptical about it being the IDS.

Rgs,

PK

andywt123 · ‎10-29-2010

Is it an IDs configuration or

IPS? If it is an IDS that means you have a span/monitor

sending traffic to the IDs and it should not be impacting your traffic.

An IPS does have your traffic passing through it and then you would want to

put it into bypass mode. Sorry if I was stating the obvious