Need to have an IDS/IPS system for LAN Users

littlespace
Level 1

Hi,

I need to have an IDS/IPS for the local users in my network. We have 3x Cisco 6509 as access layer switches with 4 VLANs, and I am looking for a system to detect activities like port scans, IP scans, etc. in the local network from the workstations.

Please advise me.

Thanks,

Mike


13 Replies

Julio Carvajal
VIP Alumni

Hello,

Please check the following link so you can have a better understanding about the performance capacity of the IPS sensors.

Based on that you can choose the solution you can implement, but that will depend on how much data traverses your network.

Hope this helps,

Remember to rate all of the helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I need to have a 1 Gbps IPS. I have checked the Juniper IDP 800 and the Cisco IPS 4360. Which one is better?

Any thoughts?

Thanks,

Mike

Hello,

I forgot to post the link.

Here you go:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/ps9157/product_data_sheet09186a008014873c_ps4077_Products_Data_Sheet.html

The IPS 4260 rocks, man. I am used to working with the IPS sensors, so I can tell you they will provide you as much granularity as you want.

They support a way more extended range of features that will provide dynamic protection to your company.

Remember to rate all of the answers. That is as important as a thanks for the community.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thank you Julio,

I have 3x Cisco 6509 and 1 Internet router. I am really confused about putting the IPS device in between those devices.

Should I connect each switch's uplinks directly to the IPS device and then from IPS to the other Switch?

Please advise.


Thanks,

Mike

Hello,

There are several ways to implement the IPS,

The question is, do you want to have it inline or in promiscuous mode?

If inline, you could have it as an inline interface pair, inline VLAN pair, or inline VLAN groups.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I am thinking of IDS mode, SPANning my VLAN traffic to the IPS/IDS device.

Is it a good idea to SPAN the VLANs?

Like: (config)#monitor session 1 source vlan 10

Hello,

SPANning VLANs is good, no problem at all, but I would recommend 100% to go for the IPS mode instead of IDS. Way more secure and restrictive.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

If I go with IPS mode and connect the switch uplinks to the IPS, then I cannot monitor local VLAN traffic on each switch, because I do not have a core switch in the network and each VLAN's traffic will stay on the switches and will not pass the uplinks.

Hello,

No problem, as you can SPAN the sessions on specific ports to the port going to the IPS.

Please check the configuration for each of the modes I presented before:

inline interface pair, inline VLAN pair, inline VLAN groups.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Can I SPAN 3 VLANs to 1 port which is connected to the IPS?

Also, I think I am going with the Juniper IDP 800 because it is cheaper than Cisco.

Thanks,

Mike

Hello,

Regarding one being cheaper than the other, I cannot argue on that one.

Now, one will provide more features and protection than the other one, but yes, if you think that with the other IPS you will be good, then you are set to go.

Last but not least, here are some links I think will help you regarding the IPS deployment (3 VLANs: inline VLAN group deployment):

https://supportforums.cisco.com/message/3727610#3727610

http://securiosity.blogspot.com/2011/01/cisco-ips-vlan-groups.html

http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/cli/cli_interfaces.html#wp1063187

http://popravak.wordpress.com/2012/03/30/cisco-ips-scenario-three-inline-vlan-pairs/

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
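
A worked IOS SPAN configuration for the three-VLAN, one-destination-port case asked about in this exchange (an added example, not from the thread or from Cisco; the VLAN IDs 10/20/30 and the interface Gi3/48 are assumed):

```cisco
! Catalyst 6509 (IOS), one switch. Repeat on each of the three 6509s, because
! without a core switch the intra-VLAN traffic never leaves the switch it is on.
! Assumed: VLANs 10, 20, 30 are the user VLANs; Gi3/48 is the link to the IDS sensing port.
! "rx" on VLAN sources avoids seeing every intra-VLAN frame twice
! (once on ingress and once on egress of the same VLAN).
monitor session 1 source vlan 10 , 20 , 30 rx
monitor session 1 destination interface GigabitEthernet3/48
!
! Confirm the session is active and lists the sources and destination you expect.
show monitor session 1
```

Three VLANs' worth of received traffic share one 1 Gbps destination port; if the mirrored load exceeds it, SPAN copies are dropped without any error and the IDS silently loses visibility, and in promiscuous mode it can only alert, not block, which is the practical reason behind the recommendation for the inline modes.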

You are awesome! Thanks for your help.

Hello,

Glad I could help

Have a great day (thanks for the comments and rating).

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC