Router as OOB IDS

hypnotoad, Posts: 915, Banned
Hey Guys,

Is it possible to use a router as an OOB IDS coming off a SPAN port? I have the SPAN port ok but not sure what to do next.

Thanks,
HT

Comments

  • LOkrasa, Posts: 343, Member
    hypnotoad wrote:
    Hey Guys,

    Is it possible to use a router as an OOB IDS coming off a SPAN port? I have the SPAN port ok but not sure what to do next.

    Thanks,
    HT
    I am assuming that you are using a router with an NM-CIDS inside...?
  • hypnotoad, Posts: 915, Banned
    Nope, plain old 128/32 2610XM. Am I out of luck? I think I am.
  • dtlokee, Posts: 2,381, Member
    Well, since the IOS IPS is designed for inline operation, that is not the typical deployment. It may be able to detect an attack when deployed like that, but it won't have the ability to react to it.
    The only easy day was yesterday!
  • LOkrasa, Posts: 343, Member
    dtlokee wrote:
    Well since the IOS IPS is designed for inline operation that is not the typical deployment and may be able to detect an attack when deployed like that but won't have the ability to react to it.

    But he said IDS... Can't get IDS on a router using just the IOS, correct? I thought the only way to get IDS on a router was via the NM-CIDS... I know that IOS supports the IPS feature, but as you mentioned, it's designed for inline.
  • scheistermeister, Posts: 748, Member
    LOkrasa wrote:
    dtlokee wrote:
    Well since the IOS IPS is designed for inline operation that is not the typical deployment and may be able to detect an attack when deployed like that but won't have the ability to react to it.

    But he said IDS... Can't get IDS on a Router using just the IOS, correct? I thought the only way to get IDS on a router was via the NM-CIDS... I know that IOS supports the IPS feature but as you mentioned its designed for inline.

    IDS is one of the feature sets that is available for the IOS, but it is inline.
    Give a man fire and he'll be warm for a day. Set a man on fire and he'll be warm for the rest of his life.
  • dtlokee, Posts: 2,381, Member
    I think the confusion in naming goes back to the time when Cisco had "IDS"; then, when they came out with inline mode for the hardware appliance, they called it "IPS". The router IPS/IDS functionality is going to be inline. If you look at the Feature Navigator for 12.4, it still lists both "IDS" and "IPS" as features.
    The only easy day was yesterday!
  • Ahriakin, SupremeNetworkOverlord, Posts: 1,800, Member
    Regardless of the IOS features (whether it includes the IOS IDS/IPS or not), I don't think you can make a router's interface promiscuous; you can only monitor/affect traffic that is routed through it, not accept all forwarded frames as you can with a dedicated device.

    Edit: Long shot, and DT would likely know a lot more about this, but what would happen if you put the router on a SPAN port, set up proxy ARP for just about every subnet in existence, and then routed them internally to Null0?
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
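For contrast with the SPAN-port idea, here is what the inline deployment dtlokee describes looks like on a two-port router, with the switch's SPAN session shown alongside it. This is an added example, not a config posted by anyone in the thread: the hostname, interface numbers, addresses, syslog host and the rule name MYIPS are assumptions, and the global IPS commands are the IPS 4.x (SDF) form found in 12.4 mainline; a 12.4T image with IPS 5.x signatures uses `ip ips config location` and `ip ips signature-category` instead.

```cisco
! --- Switch side (assumed Catalyst): SPAN session mirroring Fa0/1 to the port the
! router is plugged into. A SPAN destination port only emits the mirrored copies;
! accepting frames back from the attached device is a platform-specific option
! ("ingress") that is off by default. Even when it is on, the router's interface
! only passes frames addressed to its own MAC, broadcast, or joined multicast up
! to the IP layer, so mirrored unicast between other hosts never reaches IOS IPS.
monitor session 1 source interface FastEthernet0/1 both
monitor session 1 destination interface FastEthernet0/2

! --- Router side: IOS IPS only inspects packets the router itself forwards,
! so the router has to sit in the path. Assumed topology (example only):
!   outside (Fa0/0, 203.0.113.2/30) <-- router --> inside (Fa0/1, 192.168.10.1/24)
hostname IPS-RTR
!
! Send signature hits to syslog so the "detect" half works without a console
! attached (192.168.10.50 is an assumed syslog host).
ip ips notify log
logging 192.168.10.50
!
! IPS 4.x style: signature definition file on flash, then a named IPS rule.
ip ips sdf location flash://attack-drop.sdf
ip ips name MYIPS
!
interface FastEthernet0/0
 description OUTSIDE
 ip address 203.0.113.2 255.255.255.252
 ! Inspect traffic entering from outside. Being inline is what lets the
 ! router drop or reset a flow rather than only log it.
 ip ips MYIPS in
!
interface FastEthernet0/1
 description INSIDE
 ip address 192.168.10.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
```

The two halves live on different boxes and are shown together only to make the contrast visible: with the router on the SPAN port (top) `ip ips MYIPS in` has nothing to inspect, while with the router forwarding between Fa0/0 and Fa0/1 (bottom) every packet crossing it is run against the signature set. Apply the rule on the interface facing the side the attacks come from; `in` versus `out` only decides whether inspection happens before or after the routing decision.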