Virtual IPS/IDS design question.
Hello! I am having some problems understanding the design of a virtual IDS/IPS.
I know how to do it with a hardware IPS/IDS, where you have a physical interface dedicated to receiving traffic and another physical interface to send the inspected traffic to the core.
My question is how people do this with a virtual firewall. I mean, how is it possible to configure a server on VMware to receive a SPAN session (in the case of an IDS) or something like that?
I hope I have made my concern clear.
You can actually do both. If you just want to monitor (IDS), then you will need to dedicate a physical port on your VM server and span traffic to it. For more information about that visit this link:
If you want to place the virtual appliance inline, then you will need to dedicate two physical ports on your VM server. One of these ports will be used for the outside zone and the other for your inside zone.
I hope this helps!
Please rate helpful posts!
Tags: Cisco Security
Similar Questions
-
Adding a physical device in a virtual design?
Hi guys,
I have a question about how to plug a physical device into a virtual design. I am trying to connect an inline web filter between my switch and firewall, so it can filter traffic transparently. The problem is that my firewall is virtual, on a VMware infrastructure with multiple hosts running, so I can't just put it between the two. Here is an example of my physical/virtual design:
http://i.imgur.com/4rFQj7E.jpg
I was thinking about creating an untagged port on my VLAN 666 and assigning the VLAN 666 IP to another port and plugging the web filter in between, but I do not think that traffic would actually go over the cable.
Does anyone have an idea?
Thank you.
Hi -
Yes. You need a physical connection to bridge the VLANs, which is what the Barracuda will do. Here is an example of the view:
Assuming those are the physical connections, the switch-side configuration is as follows:
interface vlan 222
 ip address 192.168.254.2 255.255.255.248
interface range gi1/0/1, gi1/0/3
 description ESXi Host
 switchport mode trunk
 switchport trunk allowed vlan remove 222
 spanning-tree portfast trunk
interface gi1/0/10
 description To Barracuda Inside (or self on Gi1/0/16)
 switchport mode access
 switchport access vlan 222
 spanning-tree bpdufilter enable
interface gi1/0/16
 description To Barracuda Outside (or self on Gi1/0/10)
 switchport mode access
 switchport access vlan 333
 spanning-tree bpdufilter enable
The firewall is attached to VLAN 133 in ESX.
PSC
-
Hello guys.
Here is a diagram that I made for myself to explain this question.
As you can see, I have a physical server with 2 NICs and I want to use a VM (with Snort) as an IPS/IDS system for inbound traffic on the management VLANs. Is it possible to use this VM in this way (as an IPS/IDS VM with two NICs, without any routing work)? Maybe you have a suggestion on how I can achieve this as easily as possible? Maybe you have an opinion on which Unix OS I should use?
Thank you for your time and your answers. Any useful information is much appreciated.
Yes, it should work. What you need to watch out for is that the 'outgoing' NIC is not connected to the same physical switch as the 'incoming' one, and that there is no link between these two physical switches, because this would create a layer 2 loop in the network.
I haven't worked much with Linux, but I don't see why you would have a problem finding some Linux/Unix with the ability to bridge two network cards and use some software IPS to inspect the traffic.
-
Hello
I am new to IPS/IDS; please help with basic docs to read & MFIS on IPS/IDS.
Regards
RAMU
Here are some documents on the basics of the IPS product, i.e. what it does, etc.:
If you want specific configuration documentation, here you go:
http://www.Cisco.com/en/us/docs/security/IPS/7.0/Configuration/Guide/IDM/idmguide7.html
(Version 7.x is currently the latest version of IPS.)
Hope that helps.
-
Lefthand/HP4330 design question
We just bought a Lefthand/HP4330 SAN, composed of 6 nodes, 3 nodes in each of 2 separate buildings, configured as a stretched metro cluster, so network RAID will distribute data on both sites, to all the nodes. Usable capacity is 18 TB. We plan to create two LUNs to meet the storage heartbeat requirement: a small LUN for ISOs and the 2nd storage heartbeat, about 300 GB in size, and the balance of the space, approximately 17+ TB, as one large LUN for all the virtual machines. The hosts are ESXi/vSphere 5.1.
Did anyone see drawbacks to this plan?
Please ask questions if more information is needed to comment.
With a 6-node Lefthand cluster, I would consider creating multiple LUNs for a better distribution of the workload. Each LUN will have a managing controller, and with only a single production LUN you concentrate traffic on one node and therefore lose the benefits of the Lefthand design. In the Multi-Site cluster you are considering, you will usually have 4 managers (two from each site) and a Failover Manager (FOM), so I would say at least 4 LUNs.
André
-
HI Experts,
Can you please give me an idea of what the IDS/IPS module for the ASA 5505 is?
How much does it cost? How do I install and configure it to work with the ASA 5505?
We also have a few ASA 5505 site-to-site VPN configurations. Would this affect them somehow?
Thank you very much
ANUP
ANUP-
You should be able to find the links I provided for you with a general search on Cisco's website for 'ssc-5' and 'installation' and 'configure'.
No, the ASA should still terminate Internet access. You want to have the SSC-5 module (IPS) monitor the interfaces from the INSIDE (you always want to do IDS/IPS inside a firewall). This way you can see the traffic after it has been decrypted from your VPN, and after the traffic has been filtered by your firewall rules.
-Bob
-
Explanations of IPS/IDS signatures?
Does anyone know where I can find an explanation of the individual signatures that are used in a 4215?
Thanks in advance!
Hello
All IDS/IPS signatures can be found in the MySDN section. You can click on any Signature ID or release and get the details.
You can visit MySDN (login required) at http://tools.cisco.com/MySDN/Intelligence/searchSignatures.x?currentPage=1&st=sd&so=d
Hope that helps,
Please rate if this helps.
Kind regards
Samuel Wilson
-
Hi all
One of the clients has several locations. Each location has its own Internet access. The main and DR data centers have ASA5510s. Remote users use IPsec RA connections and Citrix (MS main, then routed to the internal n/w). What is the best solution... NAC or IDS/IPS for security? My guess is, with many Internet access points, the client may have to opt for a solution at each location. Also, is there any document that explains the differences between NAC vs IDS/IPS?
TIA
MS
I always place the IPS sensor inside the firewall. In this way, it only inspects the traffic that gets through the firewall policy, and the alerts the sensor generates will be more valuable in terms of actual intrusions that you should be aware of.
If the traffic passing through your DS3 router is encrypted in a VPN tunnel, a router-based IPS will not be able to inspect the traffic inside the VPN.
You will need to inspect it once it has been decrypted. This could be done in the ASAs or with an external sensor appliance, like a 4240.
-Bob
-
Virtual Machine disk consolidation is needed question
Today I have one of my VMs down because of an error message that says "There is no more space for virtual disk xxxxx-000018.vmdk. You might be able to continue this session by freeing up disk space on the relevant volume by clicking Retry".
I want to know why this happened if I made my VM with 1.5 TB and my server is new... so for the most part the server has 300 GB in use... I also had 750 GB available for another VM, and that's the question: why did this VM grow so much and so quickly?
Also, when this happens, how can I solve this problem, how do I free disk space if I made a single datastore with all the available space?
Suggestions will be welcome.
Thanks for your comments.
Regards
JP
In the files you posted, it appears that the 000002 and 000007 files are not in use by the virtual machine, but the others are. What I recommend you do is open the Snapshot Manager, create a new snapshot and then run "Delete All". This should clean up all the snapshots except for the two mentioned above. If this is the case, shut down the virtual machine and move the two snapshot files listed into a subfolder (to be able to restore them in case I'm wrong), then power on the virtual machine again. If there is no error, you can delete the moved files.
Unfortunately I can't see any rule as to which snapshots are in use and which have just been created by the hot-add backup and not removed, so you will always have to figure this out from scratch. At least for the moment, until Acronis comes up with a fix, you need to delete snapshots manually on a daily basis via the Snapshot Manager (create a new snapshot -> Delete All) to avoid any trouble with too many active snapshots on the virtual machine.
Do you have another virtual machine that does NOT have "Changed Block Tracking" on, to see if the problem is related to CBT?
André
-
Data modeling dimension table design question
Hi Experts,
Sorry if I put my question in the wrong forum; please suggest an appropriate forum.
I need your opinion on the current design of our 10-year-old data warehouse.
There is a dimension table with the following structure
Dimension table
--------------------
dimension_key NUMBER (THIS IS NOT a PRIMARY KEY)
natural_key NUMBER (from source)
source_name CHAR
current_record_ind CHAR(1)
from_date DATE
to_date DATE
several other columns which, if changed, cause a new current record to be created and the previous one to be marked as H (historical)
Data are stored in the dimension table like this
dimension_key  natural_key  source_name  current_record_ind  from_date    to_date
-------------  -----------  -----------  ------------------  -----------  -----------
1              10001        Source1      H                   01-jan-2005  31-may-2005
1              10001        Source1      H                   01-jun-2005  12-dec-2011
1              10001        Source1      C                   13-dec-2011  NULL
2              20002        Source1      H                   01-jun-2001  12-dec-2011
2              20002        Source1      C                   13-dec-2011  NULL
The problem I see in this design is that if any attribute is changed there is no surrogate key: the new record is inserted by first looking up the dimension key based on (natural_key, source_name, current_record_ind).
Shouldn't it be kept as follows, based on data warehousing principles?
dimension_key  natural_key  source_name  current_record_ind  from_date    to_date
-------------  -----------  -----------  ------------------  -----------  -----------
1              10001        Source1      H                   01-jan-2005  31-may-2005
2              10001        Source1      H                   01-jun-2005  12-dec-2011
3              10001        Source1      C                   13-dec-2011  NULL
4              20002        Source1      H                   01-jun-2001  12-dec-2011
5              20002        Source1      C                   13-dec-2011  NULL
Please let me know the advantages and disadvantages of the current design.
Published by: Rous Sharma on December 15, 2011 20:28
Correct, your second example, using a surrogate key, is the design to go with.
Flaws with the original design:
- There is a one-to-one relationship between Dimension_Key and Natural_Key, no need to keep both.
- If Dimension_Key is the FK to a fact table, there will be a many-to-many relationship between fact and Dimension.
- Additional processing to look up Dimension_Key rather than simply using a sequence, for example.
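As an added example (not part of the thread or the poster's warehouse), here is the surrogate-key design the answer recommends, built on an in-memory SQLite table: the key comes from the sequence, a type-2 change expires the old row and inserts a new one, and each fact stays bound to exactly one dimension version. Table and column names are assumptions.

```python
import sqlite3
from datetime import date, timedelta
# Constructed example, not the poster's schema: a type-2 dimension whose
# surrogate key comes from the database sequence (AUTOINCREMENT), so every
# version of a natural key gets its own dimension_key, as in the second table.
DDL = """
CREATE TABLE dim_customer (
    dimension_key      INTEGER PRIMARY KEY AUTOINCREMENT,
    natural_key        INTEGER NOT NULL,
    source_name        TEXT NOT NULL,
    current_record_ind CHAR(1) NOT NULL CHECK (current_record_ind IN ('C','H')),
    region             TEXT NOT NULL,   -- one of the 'several other columns'
    from_date          TEXT NOT NULL,   -- ISO dates, sortable as text
    to_date            TEXT);           -- NULL while current
CREATE UNIQUE INDEX ux_dim_current ON dim_customer (natural_key, source_name)
    WHERE current_record_ind = 'C';   -- at most one current version per key
CREATE TABLE fact_sales (
    sale_id       INTEGER PRIMARY KEY AUTOINCREMENT,
    dimension_key INTEGER NOT NULL REFERENCES dim_customer (dimension_key),
    amount        REAL NOT NULL);
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(DDL)
    return conn

def current_version(conn, natural_key, source_name):
    """(dimension_key, region) of the current 'C' row, or None if unknown."""
    return conn.execute(
        "SELECT dimension_key, region FROM dim_customer WHERE natural_key = ? "
        "AND source_name = ? AND current_record_ind = 'C'",
        (natural_key, source_name)).fetchone()

def load_version(conn, natural_key, source_name, region, change_date):
    """Type-2 load: if the attribute changed, expire the current row ('H',
    to_date = day before) and insert a new row with a fresh sequence key."""
    cur = current_version(conn, natural_key, source_name)
    if cur and cur[1] == region:
        return cur[0]                     # unchanged: keep the existing version
    if cur:
        expired = (date.fromisoformat(change_date) - timedelta(days=1)).isoformat()
        conn.execute("UPDATE dim_customer SET current_record_ind = 'H', to_date = ? "
                     "WHERE dimension_key = ?", (expired, cur[0]))
    ins = conn.execute(
        "INSERT INTO dim_customer (natural_key, source_name, current_record_ind, "
        "region, from_date) VALUES (?, ?, 'C', ?, ?)",
        (natural_key, source_name, region, change_date))
    conn.commit()
    return ins.lastrowid

def record_sale(conn, natural_key, source_name, amount):
    """Facts keep the surrogate key current at load time, so later dimension
    changes never re-point history (one dimension row per fact, not M:N)."""
    key = current_version(conn, natural_key, source_name)[0]
    conn.execute("INSERT INTO fact_sales (dimension_key, amount) VALUES (?, ?)", (key, amount))
    conn.commit()
    return key
```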
-
Hi Experts,
1. Can you please let me know why we need to set up the IP addresses below for the RAC configuration and what role each plays?
- Public
- Private
- Virtual
- SCAN
2. What is the relationship between SCAN IPs and virtual IPs?
Regards
Hello
859875 wrote:
Hi Experts, 1. Can you please let me know why we need to set up the IP addresses below for the RAC configuration and what role each plays?
- Public
Configured before installation for each node and resolvable to that node before installing.
Role:
Enables Virtual/SCAN configuration and communication between the nodes in the cluster. The Clusterware does not start without a public IP interface/address.
Virtual/SCAN will work as alias IPs on the public interface on the public network.
- Private or interconnect
Configured before installation, but on a separate private network with its own subnet, which is not resolvable except by other member nodes in the cluster.
Role:
Clusterware uses the interconnect for cluster synchronization (network heartbeat) and daemon communication among the nodes in the cluster.
RAC uses the interconnect for Cache Fusion (UDP) and inter-process communication (TCP).
Cache Fusion is the remote memory mapping of Oracle buffers, shared between the caches of the member nodes of the cluster.
- Virtual
Configured before installation for each node, but not currently in use. Public IP, VIP and SCAN addresses are treated like any other addresses on the same subnet.
Role:
The goal is application availability. If you add or remove nodes, you must change the VIPs in your client config (with SCAN, this is not necessary).
When a node fails, the VIP associated with it automatically fails over to another node.
Without using VIPs or FAN, clients connected to a node that died often wait for a TCP timeout (which can be up to 10 min) before getting an error.
So, you don't really have a good HA solution without using VIPs and FAN. The best way to use FAN is to use a client integrated with Fast Connection Failover (FCF), such as JDBC, OCI, or ODP.NET.
- SCAN
Three static IP addresses that are configured on the domain name server (DNS) prior to installation so that the three IP addresses are associated with the name provided as the SCAN, and all three addresses are returned in random order by the DNS to the requester.
Configured prior to installation in the DNS to resolve to addresses that are not currently in use. Addresses on the same subnet as all other public, VIP and SCAN IP addresses.
Role:
The goal is application availability before clients establish communication with RAC, and to make the whole cluster completely transparent.
SCAN IP is a new 'layer' (Oracle) of network high availability that allows you to modify the characteristics of your cluster (i.e. add/remove nodes) without having to change the configuration on the clients, in the 'grid' concept.
>2. What is the relationship between SCAN IPs and virtual IPs?
SCAN IP is used to receive new connection requests and redirect them to the VIP.
The virtual IP addresses allow failover of connections after the connection is established. When the client requests a connection, the Oracle 11gR2 client resolves the SCAN hostname, creates a list of all SCAN IPs available for that host, and the first attempt to connect to RAC uses one of the available SCAN IP addresses.
The SCAN listener will receive this connection and redirect it to one of the available nodes using LOCAL_LISTENER; from that point the connection is made using the virtual IP (VIP). All SCAN/VIPs must be resolvable by DNS.
The client only knows the SCAN hostname, which is configured in the connection string.
Once the connection is requested, Oracle Clusterware redirects the connection to one of the VIP hostnames, which must be resolvable by DNS.
Kind regards
Levi Pereira
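As an added example that is not part of the thread, here is a small pre-install check of a RAC addressing plan against the rules the answer lists: public, VIP and SCAN addresses on one subnet, the interconnect on its own subnet, exactly three SCAN addresses, and no address used twice. The plan structure, node names and addresses are constructed assumptions.

```python
import ipaddress

# Constructed sample plan (names and addresses are illustrative, not from the
# thread): two nodes, each with public, VIP and private addresses, and a
# three-address SCAN, laid out according to the rules given in the answer.
GOOD_PLAN = {
    "public_subnet": "192.0.2.0/24",
    "private_subnet": "10.10.0.0/24",
    "nodes": {
        "rac1": {"public": "192.0.2.11", "vip": "192.0.2.21", "private": "10.10.0.11"},
        "rac2": {"public": "192.0.2.12", "vip": "192.0.2.22", "private": "10.10.0.12"},
    },
    "scan": ["192.0.2.31", "192.0.2.32", "192.0.2.33"],
}
# Same plan with three mistakes: rac2's VIP on the interconnect subnet, a
# private address reused, and only two SCAN addresses.
BAD_PLAN = {
    "public_subnet": "192.0.2.0/24",
    "private_subnet": "10.10.0.0/24",
    "nodes": {
        "rac1": {"public": "192.0.2.11", "vip": "192.0.2.21", "private": "10.10.0.11"},
        "rac2": {"public": "192.0.2.12", "vip": "10.10.0.22", "private": "10.10.0.11"},
    },
    "scan": ["192.0.2.31", "192.0.2.32"],
}

def validate_rac_addressing(plan):
    """Return a list of findings; an empty list means the plan follows the
    rules: public, VIP and SCAN on one subnet, private on a separate one,
    exactly three SCAN addresses, and no address used twice."""
    findings = []
    public = ipaddress.ip_network(plan["public_subnet"])
    private = ipaddress.ip_network(plan["private_subnet"])
    if public.overlaps(private):
        findings.append("private interconnect subnet overlaps the public subnet")
    seen = {}  # address -> where it was first used

    def check(addr, role, owner, subnet):
        if ipaddress.ip_address(addr) not in subnet:
            findings.append(f"{role} {addr} of {owner} is not in {subnet}")
        if addr in seen:
            findings.append(f"{addr} reused by {owner} ({role}) and {seen[addr]}")
        seen.setdefault(addr, f"{owner} ({role})")

    for name, node in plan["nodes"].items():
        for role, subnet in (("public", public), ("vip", public), ("private", private)):
            if role not in node:
                findings.append(f"node {name} has no {role} address")
            else:
                check(node[role], role, name, subnet)
    scan = plan.get("scan", [])
    if len(scan) != 3:
        findings.append(f"SCAN should resolve to 3 addresses, got {len(scan)}")
    for addr in scan:
        check(addr, "scan", "the SCAN name", public)
    return findings
```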
-
To be or not to be virtual memory; is this a question?
Some people claim that systems with 8 GB of RAM or more do not need more than 800 MB of virtual memory to cover system failures. Others claim that virtual memory is used for something other than swapping and must therefore be kept at the suggested amount. Some people claim that virtual memory is essential to protect against memory leaks, but wouldn't that just be delaying the inevitable? I've built systems with 16 GB of RAM and only 800 MB of virtual memory and never had a problem because of it.
Given 8 or even 16 GB of RAM, is virtual memory the computer equivalent of the human appendix, that is, it used to be important a long time ago, but now it's just an object of ridicule?
P.S. If virtual memory is important, please give specific examples.
PC
In the case of a computer crash, if there is little or no virtual memory, the cause of the crash cannot be written to disk, so diagnosing a computer problem is made more difficult without it.
-
Adobe Design Standard CS6 language question
I have Adobe Design Standard CS6 (Korean), but I want the English version. Can I change the language of Adobe Design Standard CS6 (Korean)?
Exchange: https://helpx.adobe.com/x-productkb/policy-pricing/exchange-product-language-os.html
-
VMware Certified Design Expert 5 - VTC - Design Review Question
Hi team,
I just started working on my VCDX5-VTC preparation. I finished VCP5/VCAP-DCA/VCAP-DCD on vSphere 5.0 and I would like to know if my VCDX5-VTC design should be based on vSphere 5.0, or if it can also rely on vSphere 5.5 infrastructure as well.
Kind regards
Chaary
I understand that a VCDX5 design can be on any version 5
- 5.0
- 5.1
- 5.5
I believe you can also submit a version 6 design, although you are not awarded a VCDX5.
-
Network/VLAN design question
I have a completely flat network and I'm not a networking guy, but I have two ESX hosts I need to build with a Lefthand SAN
and I want to create a VLAN for vMotion traffic segmentation. Does anyone know where I could find instructions to create the VLAN?
I have 6 network adapters per ESX host and plan on using software iSCSI. I also have dedicated physical switches for my iSCSI traffic.
How would you prefer to use the 6 NIC ports?
Points awarded for answers.
Hello
You can assign a VLAN on each port group. In the vSphere Client, click on the ESX/ESXi server you want to configure > click on the Configuration tab > then click the Networking link in the Hardware section. Then click the Properties link of one of the vSwitches > select a port group, and then click Edit. Finally, you can assign a VLAN in the VLAN ID property.
The best way to use the available NIC ports, I think, depends on your preferred configuration. For example, what kind of features you need to activate, the network speed requirement for each virtual machine, etc. But basically I have the same view as the previous suggestion. You can allocate one or two ports for specific traffic.