Router as OOB IDS

Hey Guys,

Is it possible to use a router as an OOB IDS coming off a SPAN port? I have the SPAN port ok but not sure what to do next.

Thanks,
HT

Find more posts tagged with

Comments

LOkrasa

hypnotoad wrote:

Hey Guys,

Is it possible to use a router as an OOB IDS coming off a SPAN port? I have the SPAN port ok but not sure what to do next.

Thanks,
HT

I am assuming that you are using a Router with a NM-CIDS inside... ?

hypnotoad

Nope, plain old 128/32 2610XM. Am I out of luck? I think I am.

dtlokee

Well since the IOS IPS is designed for inline operation that is not the typical deployment and may be able to detect an attack when deployed like that but won't have the ability to react to it.

LOkrasa

dtlokee wrote:

Well since the IOS IPS is designed for inline operation that is not the typical deployment and may be able to detect an attack when deployed like that but won't have the ability to react to it.

But he said IDS... Can't get IDS on a Router using just the IOS, correct? I thought the only way to get IDS on a router was via the NM-CIDS... I know that IOS supports the IPS feature but as you mentioned its designed for inline.

scheistermeister

LOkrasa wrote:

dtlokee wrote:

Well since the IOS IPS is designed for inline operation that is not the typical deployment and may be able to detect an attack when deployed like that but won't have the ability to react to it.

But he said IDS... Can't get IDS on a Router using just the IOS, correct? I thought the only way to get IDS on a router was via the NM-CIDS... I know that IOS supports the IPS feature but as you mentioned its designed for inline.

IDS is one of the feature sets that is available for the IOS, but it is inline.

dtlokee

I think the confusion in naming goes back to the times where Cisco were had "IDS", then when they came out with inline mode for the hardware appliance they called it "IPS". The router IPS/IDS functionality is going to be inline. If you look at the feature navigator for 12.4 it still lists both "IDS" and "IPS" as features.

Ahriakin

Regardless of the IOS features (Whether it includes the IOS IDS/IPS or not) I don't think you can make a router's interface promiscuous, you can only monitor/affect traffic that is routed through it and not accept all forwarded frames as you can with a dedicated device.

Edit: Long shot and DT would likely know a lot more about this, but what would happen if you put the router on a SPAN port and set up Proxy-Arp for just about every subnet in existence, then routed them internally to Null0?