Network Security Focus-IDS

Re: IDS 4215, right place for a sniffing interface (DMZ or LAN)

Subject: Re: IDS 4215, right place for a sniffing interface (DMZ or LAN)
Date: Tue, 03 Apr 2007 18:09:40 -0700
Zillah,

The first thing you need to do is upgrade your sensor to version 5.1 or 6.0.
You have 4.1 software, which is no longer supported.  If you have
maintenance on your sensor, the upgrade is no charge.  If you do not have
maintenance (called Services for IPS), then you'll need to take care of that
first.

The 4215 sensor has only two interfaces, and you need one for command and
control.  This is the interface that you'll assign an IP address to and use
for management purposes.

The other interface is Fast Ethernet (10/100), even though it doesn't look
like it to you from the show version results.

You can use this in inline mode (IPS mode) by enabling multiple VLAN
interfaces on the sniffing interface.  With IPS 5.1 or higher, you can
create VLAN groups, where traffic that arrives on one VLAN is automatically
mapped to a different VLAN.

More information is available at:
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055df7d.html#wp1047718

Gary



On 11/28/06 8:20 AM, "zillah" <saadelias@hotmail.com> wrote:


I have got this sensor at work with two interfaces only. I have been asked to
check that:

IDSWORK# show version
Application Partition:
Cisco Systems Intrusion Detection Sensor, Version 4.1(1)S47

OS Version 2.4.18-5smpbigphys-4215
Platform: IDS-4215

One interface, which is Ethernet 0 (not FastEthernet), is connected to a switch
in the DMZ, and Ethernet 1 is connected to switch 4005. Logically I have to
monitor the DMZ zone, not switch 4005 (since I have got only two interfaces in
my case). Am I right?

That means Ethernet 0 should be for sniffing (monitoring), since it is
connected to the DMZ, and interface 1 for command and control, since it is
connected to the 4005 switch, but according to the Cisco specification

http://cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055df7d.html#wp1051279


Table 5-2

FastEthernet0/0: Interfaces Supporting Inline VLAN Pairs (Sensing Ports)

FastEthernet0/1: Interfaces Not Supporting Inline (Command and Control Port)

Note: Cisco has mentioned FastEthernet, but the one that I have got is
Ethernet. Does it make any difference?

Since I have not done that configuration (it has been done by someone
else), do I need to change that?
