394 Views | 4 Helpful | 1 Reply

IDSM Deployment Questions

haithamnofal
Level 3

Hi,

I have just deployed an IDSM on a 6500 switch which already has an FWSM module. I want to monitor VLANs which are already protected by the FWSM, so I have some questions:

1- How would I be able to SPAN or configure a VACL for VLANs which are behind the FWSM (i.e. I am confused because inter-VLAN routing is not happening through the switch but through the FWSM)?

2- What would be the advantage of using VACL over SPAN with IDSM and vice versa?

3- Can the IDSM be integrated with FWSM ver 3.1 for shunning connections? I read that it works with PIX but am not sure whether it also works with FWSM.

Thanks,

Haitham

1 Reply

edwakim
Cisco Employee

Hi Haitham,

1. I don't know if I understand your first question correctly. You can SPAN or build a VACL to send any traffic to the IDSM from the Cat6K.

2. SPAN is easier to set up, but there are limitations on the number of SPAN sessions you can have on a Cat6K.

VACL requires more steps to set up than SPAN, but it is more versatile. While SPAN can only send ALL the traffic from the interface(s) and VLAN(s), a VACL can filter specific traffic to the sensor (for example, HTTP and SMTP only).

But also keep in mind that if you do that, you may not see attacks going on in your network other than HTTP- and SMTP-based attacks.

You can find SPAN and VACL configuration guide here.

http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055df92.html#wp1030752

3. Yes, blocking is supported for FWSM. However, if the FWSM is configured in multi-mode, blocking is not supported for the admin context. Blocking is only supported in single mode and in multi-mode customer contexts.

http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055df77.html#wp1058089

Thank you.

Edward
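The two capture methods Edward contrasts, as an added Cat6K IOS configuration example that is not part of the original thread or the linked guide. It assumes a Supervisor 720 running Cisco IOS, an IDSM-2 in slot 5, and protected VLANs 10 and 20; the slot number, VLAN IDs, session number, and the ACL and access-map names are placeholders. It also addresses the confusion in question 1: the VLANs behind the FWSM still exist as VLANs on the switch (the FWSM attaches to them over its internal trunk), so both SPAN and VACL capture are applied to the VLAN itself, regardless of which device does the inter-VLAN routing.

```cisco
! --- Option A: SPAN (simple, but consumes one of the few local SPAN sessions) ---
! Copy frames entering the switch on VLANs 10 and 20 to the IDSM-2 data port.
! rx is used instead of both: for a VLAN source, rx already sees every frame
! as it enters the switch from any port, including the FWSM's internal trunk,
! and both would deliver a second copy of each frame to the sensor.
monitor session 1 source vlan 10 , 20 rx
monitor session 1 destination intrusion-detection-module 5 data-port 1

! --- Option B: VACL capture (more steps, but selective) ---
! Only HTTP and SMTP are copied to the sensor. Everything else is still
! forwarded normally but never reaches the IDSM, which is the blind spot
! Edward warns about: non-HTTP/SMTP attacks on these VLANs go unseen.
ip access-list extended IDSM-CAPTURE
 permit tcp any any eq www
 permit tcp any eq www any
 permit tcp any any eq smtp
 permit tcp any eq smtp any
!
vlan access-map IDSM-MAP 10
 match ip address IDSM-CAPTURE
 action forward capture
!
! Sequence 20 has no match clause, so it matches all remaining traffic:
! forwarded, not captured. Without it the implicit deny would drop that traffic.
vlan access-map IDSM-MAP 20
 action forward
!
vlan filter IDSM-MAP vlan-list 10,20
!
! Make the IDSM-2 data port a VACL capture port and limit which captured
! VLANs it receives, so captures configured for other VLANs do not land here.
intrusion-detection module 5 data-port 1 capture
intrusion-detection module 5 data-port 1 capture allowed-vlan 10,20
```

To use a VACL without Edward's blind spot, replace the four `permit tcp` lines with `permit ip any any`; the sensor then receives everything on the VLAN while no SPAN session is consumed. Verify with `show monitor session 1` for option A, and `show vlan access-map IDSM-MAP` and `show vlan filter` for option B. Do not run both options on the same VLANs at once, or the sensor will see each matching packet twice.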
