Do y'all know about Cisco's SAFE design? It's a "blueprint" for implementing security on enterprise networks, sort of a template for a typical enterprise network (if there is such a thing as typical). It would probably give you ideas on where Cisco would put the IDS.
It was developed by Sean Convery (CCIE #4232) and Bernie Trudel (CCIE #1884). I know Bernie does good work. If this Sean is related to Sean Connery, I'll take his work anytime too. ;-) Anyway, there's a good white paper here: http://www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/safe_wp.htm Priscilla At 06:13 PM 4/7/02, Steven A. Ridder wrote: >I've always understood that anything in the core (access-lists, FW blades, >IDS modules, etc. ) is a bad design as it just slows down traffic as the >core is built for speed. I was always told to move everything to the distro >or access-layer, depending on the function, AFAIK, the IDS blades have to >look at all traffic, which could slow down core, and this core is for a >global bank on Wall St. If it's not done right now, when they expand later >this year, the network will suck. > >-- > >RFC 1149 Compliant. >Get in my head: >http://sar.dynu.com > > >""Kent Hundley"" wrote in message >[EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > > It's not a bad idea to have an IDS blade in the core, but if you have to > > pick either the DMZ and server blocks or the core, I would choose the > > former. Having an IDS blade in the core should not affect any other > > processing of the switch since its a completely self contained module with > > its own processor. (course, murphy is always lurking) > > > > It's also a good idea to have redundant sup's, but cost may be a factor as > > well. One can only have as much redundancy as your pocket book allows, >and > > sup's aren't cheap. :-) > > > > Regards, > > Kent > > > > -----Original Message----- > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of > > Steven A. Ridder > > Sent: Thursday, April 04, 2002 2:20 PM > > To: [EMAIL PROTECTED] > > Subject: Core layer question [7:40535] > > > > > > Has anyone ever designed a network and put either a firewall or IDS blade >in > > the core switch block? Even if the customer had no money, wouldn't this > > never be advisable? Has anyone ever done it? > > > > As background for the questions, I started a new job, and so I took over > > some accounts, and who ever has been doing the configs ( I think some have > > been comming from Cisco!) has been making mistakes here and there. One > > proposal had a 500 phone IP Tel network running over Cat. 3 wiring, and >this > > one has a wan block going back to the core block (dual 6506's) with only 1 > > sup in each and an IDS blade in each! Isn't it advisable to move the >IDS's > > to the server and DMZ blocks? Also, isn't it always advisable to go with >2 > > sups? > > > > I just want to make sure I'm not crazy, as I'd not like to casue a ton of > > waves my first week on the job. > > > > -- > > > > RFC 1149 Compliant. > > Get in my head: > > http://sar.dynu.com ________________________ Priscilla Oppenheimer http://www.priscilla.com Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=40780&t=40535 -------------------------------------------------- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
