I had classes at Cisco on SAFE (EXCELLENT STUFF IF ANYONE GETS TO GO!!), and the Cisco rep said the same thing - never put anything in core. If you look at the SAFE blueprint for Enterprises, the IDS aren't in the core either (I checked last week).
"Priscilla Oppenheimer" wrote in message news:[EMAIL PROTECTED]...
> Do y'all know about Cisco's SAFE design? It's a "blueprint" for
> implementing security on enterprise networks, sort of a template for a
> typical enterprise network (if there is such a thing as typical). It would
> probably give you ideas on where Cisco would put the IDS.
>
> It was developed by Sean Convery (CCIE #4232) and Bernie Trudel (CCIE
> #1884). I know Bernie does good work. If this Sean is related to Sean
> Connery, I'll take his work anytime too. ;-) Anyway, there's a good white
> paper here:
>
> http://www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/safe_wp.htm
>
> Priscilla
>
> At 06:13 PM 4/7/02, Steven A. Ridder wrote:
> >I've always understood that anything in the core (access-lists, FW blades,
> >IDS modules, etc.) is a bad design as it just slows down traffic as the
> >core is built for speed. I was always told to move everything to the distro
> >or access-layer, depending on the function. AFAIK, the IDS blades have to
> >look at all traffic, which could slow down core, and this core is for a
> >global bank on Wall St. If it's not done right now, when they expand later
> >this year, the network will suck.
> >
> >--
> >
> >RFC 1149 Compliant.
> >Get in my head:
> >http://sar.dynu.com
> >
> >
> >"Kent Hundley" wrote in message
> >news:[EMAIL PROTECTED]...
> > > It's not a bad idea to have an IDS blade in the core, but if you have to
> > > pick either the DMZ and server blocks or the core, I would choose the
> > > former. Having an IDS blade in the core should not affect any other
> > > processing of the switch since it's a completely self contained module
> > > with its own processor. (course, Murphy is always lurking)
> > >
> > > It's also a good idea to have redundant sups, but cost may be a factor
> > > as well. One can only have as much redundancy as your pocket book allows,
> > > and sups aren't cheap. :-)
> > >
> > > Regards,
> > > Kent
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> > > Steven A. Ridder
> > > Sent: Thursday, April 04, 2002 2:20 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: Core layer question [7:40535]
> > >
> > >
> > > Has anyone ever designed a network and put either a firewall or IDS blade
> > > in the core switch block? Even if the customer had no money, wouldn't this
> > > never be advisable? Has anyone ever done it?
> > >
> > > As background for the questions, I started a new job, and so I took over
> > > some accounts, and whoever has been doing the configs (I think some have
> > > been coming from Cisco!) has been making mistakes here and there. One
> > > proposal had a 500 phone IP Tel network running over Cat. 3 wiring, and
> > > this one has a wan block going back to the core block (dual 6506's) with
> > > only 1 sup in each and an IDS blade in each! Isn't it advisable to move
> > > the IDS's to the server and DMZ blocks? Also, isn't it always advisable
> > > to go with 2 sups?
> > >
> > > I just want to make sure I'm not crazy, as I'd not like to cause a ton of
> > > waves my first week on the job.
> > >
> > > --
> > >
> > > RFC 1149 Compliant.
> > > Get in my head:
> > > http://sar.dynu.com
> ________________________
>
> Priscilla Oppenheimer
> http://www.priscilla.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=40802&t=40535
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
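The placement rules argued through this thread (keep inspection functions such as IDS, firewall blades and access-lists out of the core; put IDS in the server and DMZ blocks; give core switches redundant supervisors) can be written down as a small design-review lint, so a proposal like the one described (dual 6506s with one sup each and an IDS blade in each) is flagged before it ships. The following is an added example and not code from the thread or from Cisco; the block roles, module names, `review_design` function and the two sample topologies are constructed for illustration only.

```python
from dataclasses import dataclass, field

# Modules that inspect or filter traffic in the forwarding path. The thread's
# advice is to keep these out of the core, which is built for speed, and to
# place IDS where the traffic of interest lives (server and DMZ blocks).
INSPECTION_MODULES = {"ids", "firewall", "acl"}
IDS_PREFERRED_ROLES = ("server", "dmz")
MIN_CORE_SUPERVISORS = 2


@dataclass
class Switch:
    name: str
    supervisors: int
    modules: set = field(default_factory=set)


@dataclass
class Block:
    name: str
    role: str  # constructed roles: core, distribution, access, server, dmz, wan
    switches: list = field(default_factory=list)


def review_design(blocks):
    """Return (severity, message) findings for a list of Block objects."""
    findings = []
    roles_with_ids = {b.role for b in blocks
                      if any("ids" in sw.modules for sw in b.switches)}

    for block in blocks:
        if block.role != "core":
            continue
        for sw in block.switches:
            inspect = sorted(sw.modules & INSPECTION_MODULES)
            if inspect:
                findings.append(("warn", f"{sw.name}: {', '.join(inspect)} in core "
                                 f"block '{block.name}'; move inspection to the "
                                 "distribution/access or server/DMZ blocks"))
            if sw.supervisors < MIN_CORE_SUPERVISORS:
                findings.append(("warn", f"{sw.name}: only {sw.supervisors} supervisor "
                                 f"in core block '{block.name}'; use redundant sups"))

    # Blocks that exist in the design but carry no IDS coverage.
    for role in IDS_PREFERRED_ROLES:
        if any(b.role == role for b in blocks) and role not in roles_with_ids:
            findings.append(("info", f"no IDS coverage in the {role} block"))
    return findings


def proposed_design():
    """Constructed topology matching the proposal criticised in the thread."""
    return [
        Block("core", "core", [
            Switch("core-6506-a", supervisors=1, modules={"ids"}),
            Switch("core-6506-b", supervisors=1, modules={"ids"}),
        ]),
        Block("wan", "wan", [Switch("wan-1", supervisors=1)]),
        Block("servers", "server", [Switch("srv-1", supervisors=1)]),
        Block("dmz", "dmz", [Switch("dmz-1", supervisors=1)]),
    ]


def revised_design():
    """Constructed topology after applying the thread's recommendations."""
    return [
        Block("core", "core", [
            Switch("core-6506-a", supervisors=2),
            Switch("core-6506-b", supervisors=2),
        ]),
        Block("wan", "wan", [Switch("wan-1", supervisors=1)]),
        Block("servers", "server", [Switch("srv-1", supervisors=1, modules={"ids"})]),
        Block("dmz", "dmz", [Switch("dmz-1", supervisors=1, modules={"ids", "firewall"})]),
    ]


if __name__ == "__main__":
    for label, design in (("proposed", proposed_design()), ("revised", revised_design())):
        print(f"== {label} ==")
        for severity, message in review_design(design) or [("ok", "no findings")]:
            print(f"[{severity}] {message}")
```

Running the module prints four warnings and two informational findings for the proposed design and none for the revised one; the rule set is deliberately declarative so a team can add its own constraints (for example, a WAN block terminating on a distribution switch rather than the core) without touching the review loop.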