
Cisco IDS, PIX, VPN Concentrator

I have been asked by my company to rebuild the security system as best practice. I am looking to find out where the best place for the VPN is, for instance: behind a firewall or in front of a firewall?

And the same thing with the IDS.

Regards

Cisco IDS, PIX, VPN Concentrator

I have to add something else which I forgot to mention: the RADIUS server is on my local network, and Cisco Security Agent is on my local network as well.

Re:Cisco IDS, PIX, VPN Concentrator

Hi,
So far as the VPN Concentrator goes, VPN traffic is very secure (as long as you select an encryption like 3DES or AES). I would say that it would be safer to place it outside the firewall, so that the traffic can get decrypted and the decrypted traffic can be allowed through the firewall. But again, opinions can differ.

The RADIUS server has to be given the highest security. So I would place it in the zone that has highest security.

As for IDS, there are different implementations of IDS. There are 2 types of IDS: Network and Host. Network is something that you plug into the network, while Host (HIDS) is something that is installed on the servers. For HIDS you can decide which servers are most crucial.

As for Network IDS (NIDS), you can decide on the number of NIDS available. I would say that you should place one on the internal network so that you can catch any suspicious network traffic, one on the DMZ and maybe one just after the firewall in the network. Some companies place an additional NIDS just outside the firewall, to analyze any attacks intended for their network. This does generate a lot of packet load on the IDS device. If you have a limitation on the number of IDS devices, I would say don't worry about placing a NIDS outside the firewall. The firewall drops pretty much all unwanted traffic (as defined by you), so you can be more worried about what happens inside.

NOTE TO USERS: SECFolks, if you have any other suggestions, please post it here if you have the time.

I am grateful to this

Sorry for the delay in responding to your comment; I have not received an email notification. I do not know why, maybe there is no such option.

I am grateful for this insight and the pointed answers.

Regards
zillah

In the link below I have got

In the link below I have got the diagram for the scenario that I have got.

http://img300.imageshack.us/img300/500/diagram1sw3.jpg

My recommendation (before I read your reply) for the security enhancement was:

1- Intrusion Detection System (IDS): if it is Code V4, to be upgraded to Intrusion Prevention System (IPS) Code 5, because with IPS the attacks are not only detected, but can be stopped as well.

2- Telnet to the PIX should be replaced by SSH.

3- Two VPNs instead of one for redundancy, because in case of VPN failure we do not have a secure channel for remote users; but this depends on how critical the business is and on the budget as well.

4- The IDS has got one interface for monitoring and one interface for management. We can add another physical interface for monitoring the VPN to detect potential attackers (according to your opinion, this is not necessary).

5- Upgrade the PIX to code 7, since the new version has got many new features, including IM/P2P blocking, IPv6 networking, QoS services, time-based ACLs and Layer 2 transparent firewall.

6- Do you have any other suggestions or comments?

7- Do you prefer to use more than one NIDS? Or does one IDS with more than one interface do the same job? Which one is better if budget is not an issue?

Regards
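Item 2 above (replace Telnet management access to the PIX with SSH) shown as a configuration fragment. This is an added example, not the poster's configuration: it assumes PIX 7.x syntax, a hostname of pix-fw, the domain example.com and a management subnet of 192.168.10.0/24; every address is a constructed placeholder.

```text
! Weak (as found): cleartext Telnet management from the inside LAN.
! Credentials and every command typed cross the wire unencrypted.
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 5

! Hardened: SSH only. hostname and domain-name must be set before
! the RSA key can be generated; the key is what SSH uses for the host identity.
hostname pix-fw
domain-name example.com
crypto key generate rsa modulus 1024
ssh 192.168.10.0 255.255.255.0 inside
ssh version 2
ssh timeout 10

! Remove the Telnet permit so the cleartext path is actually closed,
! then confirm nothing else still references telnet:
no telnet 192.168.10.0 255.255.255.0 inside
show running-config telnet
show running-config ssh
```

Check afterwards that the management stations can reach the PIX only over TCP/22 and that `show ssh sessions` lists the expected admins; if the RADIUS server from the thread is used for admin logins, SSH authentication can be pointed at it with `aaa authentication ssh console <server-group>` (assumed server group name).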

Re:

Your proposal looks good Zillah. FYI, the PIX is capable of VPN functionality. So in case your concentrator goes down, you can always use the PIX Firewall. I would say that it would be best if you can also place a NIDS on your server farm. And if budget allows, also place one on the inside network. This would help in case of a virus or worm outbreak.
Regards.

[cut]

[cut]
FYI, the PIX is capable of VPN functionality. So in case your concentrator goes down, you can always use the PIX Firewall.
[/cut]
Thanks for that.

[cut]
I would say that it would be best if you can also place a NIDS on your server farm. And if budget allows, also place one on the inside network. This would help in case of a virus or worm outbreak.
[/cut]
Since I have got Cisco Security Agent already, can't I use it (CSA) as HIDS instead of NIDS?

Regards
