Router as OOB IDS
hypnotoad
Banned Posts: 915
Hey Guys,
Is it possible to use a router as an OOB IDS coming off a SPAN port? I have the SPAN port ok but not sure what to do next.
Thanks,
HT
Is it possible to use a router as an OOB IDS coming off a SPAN port? I have the SPAN port ok but not sure what to do next.
Thanks,
HT
Comments
-
dtlokee Member Posts: 2,378 ■■■■□□□□□□Well since the IOS IPS is designed for inline operation that is not the typical deployment and may be able to detect an attack when deployed like that but won't have the ability to react to it.The only easy day was yesterday!
-
LOkrasa Member Posts: 343 ■■■□□□□□□□dtlokee wrote:Well since the IOS IPS is designed for inline operation that is not the typical deployment and may be able to detect an attack when deployed like that but won't have the ability to react to it.
But he said IDS... Can't get IDS on a Router using just the IOS, correct? I thought the only way to get IDS on a router was via the NM-CIDS... I know that IOS supports the IPS feature but as you mentioned its designed for inline. -
scheistermeister Member Posts: 748 ■□□□□□□□□□LOkrasa wrote:dtlokee wrote:Well since the IOS IPS is designed for inline operation that is not the typical deployment and may be able to detect an attack when deployed like that but won't have the ability to react to it.
But he said IDS... Can't get IDS on a Router using just the IOS, correct? I thought the only way to get IDS on a router was via the NM-CIDS... I know that IOS supports the IPS feature but as you mentioned its designed for inline.
IDS is one of the feature sets that is available for the IOS, but it is inline.Give a man fire and he'll be warm for a day. Set a man on fire and he'll be warm for the rest of his life. -
dtlokee Member Posts: 2,378 ■■■■□□□□□□I think the confusion in naming goes back to the times where Cisco were had "IDS", then when they came out with inline mode for the hardware appliance they called it "IPS". The router IPS/IDS functionality is going to be inline. If you look at the feature navigator for 12.4 it still lists both "IDS" and "IPS" as features.The only easy day was yesterday!
-
Ahriakin Member Posts: 1,799 ■■■■■■■■□□Regardless of the IOS features (Whether it includes the IOS IDS/IPS or not) I don't think you can make a router's interface promiscuous, you can only monitor/affect traffic that is routed through it and not accept all forwarded frames as you can with a dedicated device.
Edit: Long shot and DT would likely know a lot more about this, but what would happen if you put the router on a SPAN port and set up Proxy-Arp for just about every subnet in existence, then routed them internally to Null0?We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?