Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1519
Views
0
Helpful
6
Replies

.

Go to solution
littlespace
Level 1
Level 1

‎09-10-2012 01:55 PM - last edited on ‎03-25-2019 05:16 PM by Community Manager

a

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
hobbe
Level 7
Level 7
In response to littlespace

‎09-13-2012 03:44 AM

Hi

Sorry for the delay in answers.

Yes and no

Lets keep this on a general basis.

The first thing you need to understand with IPS/IDS systems is that if they can not see the traffic they  can not act.

Different IDS/IPS systems have different ways if handeling this.

Some like in the ASA SSM they are installed in the firewall itself and becomes a part of the ASA.

Others like fx SNORT can be used are using a server that is connected to a mirror port to a switch and just listens in on what the traffic tells it.

My own personal experience is that I would rather have a IDS/IPS that is not part of any other system so that if someone attacks and overcomes the firewall then atleast i can get alarms that something is very much not right.

When you have addad your IDS/IPS you now need to setup the baseline parameters or it will go of for manythings that just are not true ie false positives and you will drown in a flood of alarms.

HTH

View solution in original post

0 Helpful
6 Replies 6

Go to solution
hobbe
Level 7
Level 7

‎09-10-2012 02:50 PM

Hi

There are several things you can do.

One good choise would to use an IDS system.

Another would be to use a "honey net/pot" solution

And since you have a 6509 maybe a firewall blade would not be way wrong ?

To start with if you have very few funds for this I would start with setting up some "traps".

choose some ip addresses that is not used and setup somethings that gives up an arp response for those adresses.

Then setup access-lists that either allows (or denies depending on your preferences) access to the addresses choosen.

since those addresses are not in use you can use the logging function on the access-list to get a response on who is doing things that they are not supposed to.

You can also setup logging on all servers and workstations to show who is accessing what and how.

just some easy things of many that you can do.

Good luck

Hope This Helps

0 Helpful

Go to solution
littlespace
Level 1
Level 1
In response to hobbe

‎09-10-2012 02:58 PM

Thanks for your reply, Do you have an experience of installing a IDS in LAN?

0 Helpful

Go to solution
hobbe
Level 7
Level 7
In response to littlespace

‎09-10-2012 03:10 PM

Hi

Yes I have some experience with it.

A IDS/IPS system is quite a big thing to install.

It takes a lot of tuning to get it very good, but it is a very nice tool to have when it works.

there are many different systems out there.

HTH

0 Helpful

Go to solution
littlespace
Level 1
Level 1
In response to hobbe

‎09-10-2012 03:25 PM

Interesting, Do you have a model number or more detail on that?

Thanks,

Mike

0 Helpful

Go to solution
hobbe
Level 7
Level 7
In response to littlespace

‎09-13-2012 03:44 AM

Hi

Sorry for the delay in answers.

Yes and no

Lets keep this on a general basis.

The first thing you need to understand with IPS/IDS systems is that if they can not see the traffic they  can not act.

Different IDS/IPS systems have different ways if handeling this.

Some like in the ASA SSM they are installed in the firewall itself and becomes a part of the ASA.

Others like fx SNORT can be used are using a server that is connected to a mirror port to a switch and just listens in on what the traffic tells it.

My own personal experience is that I would rather have a IDS/IPS that is not part of any other system so that if someone attacks and overcomes the firewall then atleast i can get alarms that something is very much not right.

When you have addad your IDS/IPS you now need to setup the baseline parameters or it will go of for manythings that just are not true ie false positives and you will drown in a flood of alarms.

HTH

0 Helpful

Go to solution
Leo Laohoo
Hall of Fame
Hall of Fame

‎09-10-2012 02:52 PM

Active Directory CAN block/deny the program being run.

0 Helpful
Customers Also Viewed These Support Documents