Re: Core layer question [7:40535]

2002-04-08 Thread Steven A. Ridder

I had classes at Cisco on SAFE (EXCELLENT STUFF IF ANYONE GETS TO GO!!),
and the Cisco rep said the same thing - never put anything in core.  If you
look at the SAFE blueprint for Enterprises, the IDS aren't in the core
either (I checked last week).


Priscilla Oppenheimer wrote in message news:[EMAIL PROTECTED]...
 Do y'all know about Cisco's SAFE design? It's a blueprint for
 implementing security on enterprise networks, sort of a template for a
 typical enterprise network (if there is such a thing as typical). It would
 probably give you ideas on where Cisco would put the IDS.

 It was developed by Sean Convery (CCIE #4232) and Bernie Trudel (CCIE
 #1884). I know Bernie does good work. If this Sean is related to Sean
 Connery, I'll take his work anytime too. ;-) Anyway, there's a good white
 paper here:

 http://www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/safe_wp.htm

 Priscilla

 At 06:13 PM 4/7/02, Steven A. Ridder wrote:
 I've always understood that anything in the core (access-lists, FW blades,
 IDS modules, etc.) is a bad design as it just slows down traffic as the
 core is built for speed.  I was always told to move everything to the distro
 or access-layer, depending on the function.  AFAIK, the IDS blades have to
 look at all traffic, which could slow down the core, and this core is for a
 global bank on Wall St.  If it's not done right now, when they expand later
 this year, the network will suck.
 
 --
 
 RFC 1149 Compliant.
 Get in my head:
 http://sar.dynu.com
 
 
 Kent Hundley wrote in message news:[EMAIL PROTECTED]...
   It's not a bad idea to have an IDS blade in the core, but if you have to
   pick either the DMZ and server blocks or the core, I would choose the
   former.  Having an IDS blade in the core should not affect any other
   processing of the switch since it's a completely self-contained module
   with its own processor. (course, Murphy is always lurking)

   It's also a good idea to have redundant sups, but cost may be a factor
   as well.  One can only have as much redundancy as your pocketbook allows,
   and sups aren't cheap. :-)
  
   Regards,
   Kent
  
   -Original Message-
   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
   Steven A. Ridder
   Sent: Thursday, April 04, 2002 2:20 PM
   To: [EMAIL PROTECTED]
   Subject: Core layer question [7:40535]
  
  
   Has anyone ever designed a network and put either a firewall or IDS blade
   in the core switch block?  Even if the customer had no money, wouldn't this
   never be advisable?  Has anyone ever done it?

   As background for the questions, I started a new job, and so I took over
   some accounts, and whoever has been doing the configs (I think some have
   been coming from Cisco!) has been making mistakes here and there.  One
   proposal had a 500-phone IP Tel network running over Cat. 3 wiring, and
   this one has a WAN block going back to the core block (dual 6506's) with
   only 1 sup in each and an IDS blade in each!  Isn't it advisable to move
   the IDS's to the server and DMZ blocks?  Also, isn't it always advisable
   to go with 2 sups?

   I just want to make sure I'm not crazy, as I'd not like to cause a ton
   of waves my first week on the job.
  
   --
  
   RFC 1149 Compliant.
   Get in my head:
   http://sar.dynu.com
 

 Priscilla Oppenheimer
 http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40802t=40535
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: Core layer question [7:40535]

2002-04-08 Thread Kent Hundley

Looking at the traffic should not slow anything down.  The IDS blade has its
own processor and is a completely separate device from the sup.  If
anything, the IDS blade may not be able to keep up with the traffic and you
may miss some traffic for inspection, i.e., the IDS blade might not catch all
attacks.  This has nothing to do with the sup's or MSFC's ability to move
packets.

Access-lists are different in that they are actively inserted in the data
path.  An IDS is essentially a glorified sniffer.  No sniffer, or IDS for
that matter, that I have worked with has ever had any effect on traffic
flows.  It is a watcher only and does not influence the traffic flow.  Does
that mean that it is impossible that an IDS blade would affect traffic?  No
it doesn't, but it does mean that it would be a very significant bug and
absolutely should not happen.

Regards,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Steven A. Ridder
Sent: Sunday, April 07, 2002 3:14 PM
To: [EMAIL PROTECTED]
Subject: Re: Core layer question [7:40535]


I've always understood that anything in the core (access-lists, FW blades,
IDS modules, etc.) is a bad design as it just slows down traffic as the
core is built for speed.  I was always told to move everything to the distro
or access-layer, depending on the function.  AFAIK, the IDS blades have to
look at all traffic, which could slow down the core, and this core is for a
global bank on Wall St.  If it's not done right now, when they expand later
this year, the network will suck.

--

RFC 1149 Compliant.
Get in my head:
http://sar.dynu.com


Kent Hundley wrote in message news:[EMAIL PROTECTED]...
 It's not a bad idea to have an IDS blade in the core, but if you have to
 pick either the DMZ and server blocks or the core, I would choose the
 former.  Having an IDS blade in the core should not affect any other
 processing of the switch since it's a completely self-contained module with
 its own processor. (course, Murphy is always lurking)

 It's also a good idea to have redundant sups, but cost may be a factor as
 well.  One can only have as much redundancy as your pocketbook allows, and
 sups aren't cheap. :-)

 Regards,
 Kent

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
 Steven A. Ridder
 Sent: Thursday, April 04, 2002 2:20 PM
 To: [EMAIL PROTECTED]
 Subject: Core layer question [7:40535]


 Has anyone ever designed a network and put either a firewall or IDS blade
 in the core switch block?  Even if the customer had no money, wouldn't this
 never be advisable?  Has anyone ever done it?

 As background for the questions, I started a new job, and so I took over
 some accounts, and whoever has been doing the configs (I think some have
 been coming from Cisco!) has been making mistakes here and there.  One
 proposal had a 500-phone IP Tel network running over Cat. 3 wiring, and
 this one has a WAN block going back to the core block (dual 6506's) with
 only 1 sup in each and an IDS blade in each!  Isn't it advisable to move
 the IDS's to the server and DMZ blocks?  Also, isn't it always advisable
 to go with 2 sups?

 I just want to make sure I'm not crazy, as I'd not like to cause a ton of
 waves my first week on the job.

 --

 RFC 1149 Compliant.
 Get in my head:
 http://sar.dynu.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40812t=40535



RE: Core layer question [7:40535]

2002-04-07 Thread Kent Hundley

It's not a bad idea to have an IDS blade in the core, but if you have to
pick either the DMZ and server blocks or the core, I would choose the
former.  Having an IDS blade in the core should not affect any other
processing of the switch since it's a completely self-contained module with
its own processor. (course, Murphy is always lurking)

It's also a good idea to have redundant sups, but cost may be a factor as
well.  One can only have as much redundancy as your pocketbook allows, and
sups aren't cheap. :-)

Regards,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Steven A. Ridder
Sent: Thursday, April 04, 2002 2:20 PM
To: [EMAIL PROTECTED]
Subject: Core layer question [7:40535]


Has anyone ever designed a network and put either a firewall or IDS blade in
the core switch block?  Even if the customer had no money, wouldn't this
never be advisable?  Has anyone ever done it?

As background for the questions, I started a new job, and so I took over
some accounts, and whoever has been doing the configs (I think some have
been coming from Cisco!) has been making mistakes here and there.  One
proposal had a 500-phone IP Tel network running over Cat. 3 wiring, and this
one has a WAN block going back to the core block (dual 6506's) with only 1
sup in each and an IDS blade in each!  Isn't it advisable to move the IDS's
to the server and DMZ blocks?  Also, isn't it always advisable to go with 2
sups?

I just want to make sure I'm not crazy, as I'd not like to cause a ton of
waves my first week on the job.

--

RFC 1149 Compliant.
Get in my head:
http://sar.dynu.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40765t=40535



Re: Core layer question [7:40535]

2002-04-07 Thread Steven A. Ridder

I've always understood that anything in the core (access-lists, FW blades,
IDS modules, etc.) is a bad design as it just slows down traffic as the
core is built for speed.  I was always told to move everything to the distro
or access-layer, depending on the function.  AFAIK, the IDS blades have to
look at all traffic, which could slow down the core, and this core is for a
global bank on Wall St.  If it's not done right now, when they expand later
this year, the network will suck.

--

RFC 1149 Compliant.
Get in my head:
http://sar.dynu.com


Kent Hundley wrote in message news:[EMAIL PROTECTED]...
 It's not a bad idea to have an IDS blade in the core, but if you have to
 pick either the DMZ and server blocks or the core, I would choose the
 former.  Having an IDS blade in the core should not affect any other
 processing of the switch since it's a completely self-contained module with
 its own processor. (course, Murphy is always lurking)

 It's also a good idea to have redundant sups, but cost may be a factor as
 well.  One can only have as much redundancy as your pocketbook allows, and
 sups aren't cheap. :-)

 Regards,
 Kent

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
 Steven A. Ridder
 Sent: Thursday, April 04, 2002 2:20 PM
 To: [EMAIL PROTECTED]
 Subject: Core layer question [7:40535]


 Has anyone ever designed a network and put either a firewall or IDS blade
 in the core switch block?  Even if the customer had no money, wouldn't this
 never be advisable?  Has anyone ever done it?

 As background for the questions, I started a new job, and so I took over
 some accounts, and whoever has been doing the configs (I think some have
 been coming from Cisco!) has been making mistakes here and there.  One
 proposal had a 500-phone IP Tel network running over Cat. 3 wiring, and
 this one has a WAN block going back to the core block (dual 6506's) with
 only 1 sup in each and an IDS blade in each!  Isn't it advisable to move
 the IDS's to the server and DMZ blocks?  Also, isn't it always advisable
 to go with 2 sups?

 I just want to make sure I'm not crazy, as I'd not like to cause a ton of
 waves my first week on the job.

 --

 RFC 1149 Compliant.
 Get in my head:
 http://sar.dynu.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40771t=40535



Re: Core layer question [7:40535]

2002-04-07 Thread Priscilla Oppenheimer

Do y'all know about Cisco's SAFE design? It's a blueprint for 
implementing security on enterprise networks, sort of a template for a 
typical enterprise network (if there is such a thing as typical). It would 
probably give you ideas on where Cisco would put the IDS.

It was developed by Sean Convery (CCIE #4232) and Bernie Trudel (CCIE 
#1884). I know Bernie does good work. If this Sean is related to Sean 
Connery, I'll take his work anytime too. ;-) Anyway, there's a good white 
paper here:

http://www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/safe_wp.htm

Priscilla

At 06:13 PM 4/7/02, Steven A. Ridder wrote:
I've always understood that anything in the core (access-lists, FW blades,
IDS modules, etc.) is a bad design as it just slows down traffic as the
core is built for speed.  I was always told to move everything to the distro
or access-layer, depending on the function.  AFAIK, the IDS blades have to
look at all traffic, which could slow down the core, and this core is for a
global bank on Wall St.  If it's not done right now, when they expand later
this year, the network will suck.

--

RFC 1149 Compliant.
Get in my head:
http://sar.dynu.com


Kent Hundley wrote in message news:[EMAIL PROTECTED]...
  It's not a bad idea to have an IDS blade in the core, but if you have to
  pick either the DMZ and server blocks or the core, I would choose the
  former.  Having an IDS blade in the core should not affect any other
  processing of the switch since it's a completely self-contained module
  with its own processor. (course, Murphy is always lurking)

  It's also a good idea to have redundant sups, but cost may be a factor
  as well.  One can only have as much redundancy as your pocketbook allows,
  and sups aren't cheap. :-)
 
  Regards,
  Kent
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
  Steven A. Ridder
  Sent: Thursday, April 04, 2002 2:20 PM
  To: [EMAIL PROTECTED]
  Subject: Core layer question [7:40535]
 
 
  Has anyone ever designed a network and put either a firewall or IDS blade
  in the core switch block?  Even if the customer had no money, wouldn't this
  never be advisable?  Has anyone ever done it?

  As background for the questions, I started a new job, and so I took over
  some accounts, and whoever has been doing the configs (I think some have
  been coming from Cisco!) has been making mistakes here and there.  One
  proposal had a 500-phone IP Tel network running over Cat. 3 wiring, and
  this one has a WAN block going back to the core block (dual 6506's) with
  only 1 sup in each and an IDS blade in each!  Isn't it advisable to move
  the IDS's to the server and DMZ blocks?  Also, isn't it always advisable
  to go with 2 sups?

  I just want to make sure I'm not crazy, as I'd not like to cause a ton of
  waves my first week on the job.
 
  --
 
  RFC 1149 Compliant.
  Get in my head:
  http://sar.dynu.com


Priscilla Oppenheimer
http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40780t=40535



Re: Core layer question [7:40535]

2002-04-05 Thread MADMAN

Yes you are correct.  I have a customer though, a big hospital where there
is no such thing as downtime.  They have dual 6509's with dual sups and
MSFC's simply because some servers have only a single connection.  The sales
guy was happy!!

  Dave

Larry Letterman wrote:

 If you have redundant 6509 chassis with a sup in each, a 2nd sup in each
 one is not necessary.  It's nice to have, but an added expense.

 Larry Letterman
 Cisco Systems
 [EMAIL PROTECTED]

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
 Steven A. Ridder
 Sent: Thursday, April 04, 2002 2:20 PM
 To: [EMAIL PROTECTED]
 Subject: Core layer question [7:40535]

 Has anyone ever designed a network and put either a firewall or IDS blade
 in the core switch block?  Even if the customer had no money, wouldn't this
 never be advisable?  Has anyone ever done it?

 As background for the questions, I started a new job, and so I took over
 some accounts, and whoever has been doing the configs (I think some have
 been coming from Cisco!) has been making mistakes here and there.  One
 proposal had a 500-phone IP Tel network running over Cat. 3 wiring, and
 this one has a WAN block going back to the core block (dual 6506's) with
 only 1 sup in each and an IDS blade in each!  Isn't it advisable to move
 the IDS's to the server and DMZ blocks?  Also, isn't it always advisable
 to go with 2 sups?

 I just want to make sure I'm not crazy, as I'd not like to cause a ton of
 waves my first week on the job.

 --

 RFC 1149 Compliant.
 Get in my head:
 http://sar.dynu.com
--
David Madland
CCIE# 2016
Sr. Network Engineer
Qwest Communications Inc.
612-664-3367
[EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40662t=40535



RE: Core layer question [7:40535]

2002-04-04 Thread Larry Letterman

If you have redundant 6509 chassis with a sup in each, a 2nd sup in each one
is not necessary.  It's nice to have, but an added expense.


Larry Letterman
Cisco Systems
[EMAIL PROTECTED] 


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Steven A. Ridder
Sent: Thursday, April 04, 2002 2:20 PM
To: [EMAIL PROTECTED]
Subject: Core layer question [7:40535]


Has anyone ever designed a network and put either a firewall or IDS blade in
the core switch block?  Even if the customer had no money, wouldn't this
never be advisable?  Has anyone ever done it?

As background for the questions, I started a new job, and so I took over
some accounts, and whoever has been doing the configs (I think some have
been coming from Cisco!) has been making mistakes here and there.  One
proposal had a 500-phone IP Tel network running over Cat. 3 wiring, and this
one has a WAN block going back to the core block (dual 6506's) with only 1
sup in each and an IDS blade in each!  Isn't it advisable to move the IDS's
to the server and DMZ blocks?  Also, isn't it always advisable to go with 2
sups?

I just want to make sure I'm not crazy, as I'd not like to cause a ton of
waves my first week on the job.

--

RFC 1149 Compliant.
Get in my head:
http://sar.dynu.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40539t=40535



Re: Core layer question [7:40535]

2002-04-04 Thread Steven A. Ridder

Good point.

--

RFC 1149 Compliant.
Get in my head:
http://sar.dynu.com


Larry Letterman wrote in message news:[EMAIL PROTECTED]...
 If you have redundant 6509 chassis with a sup in each, a 2nd sup in each
 one is not necessary.  It's nice to have, but an added expense.


 Larry Letterman
 Cisco Systems
 [EMAIL PROTECTED]


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
 Steven A. Ridder
 Sent: Thursday, April 04, 2002 2:20 PM
 To: [EMAIL PROTECTED]
 Subject: Core layer question [7:40535]


 Has anyone ever designed a network and put either a firewall or IDS blade
 in the core switch block?  Even if the customer had no money, wouldn't this
 never be advisable?  Has anyone ever done it?

 As background for the questions, I started a new job, and so I took over
 some accounts, and whoever has been doing the configs (I think some have
 been coming from Cisco!) has been making mistakes here and there.  One
 proposal had a 500-phone IP Tel network running over Cat. 3 wiring, and
 this one has a WAN block going back to the core block (dual 6506's) with
 only 1 sup in each and an IDS blade in each!  Isn't it advisable to move
 the IDS's to the server and DMZ blocks?  Also, isn't it always advisable
 to go with 2 sups?

 I just want to make sure I'm not crazy, as I'd not like to cause a ton of
 waves my first week on the job.

 --

 RFC 1149 Compliant.
 Get in my head:
 http://sar.dynu.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40542t=40535



RE: Core layer question [7:40535]

2002-04-04 Thread Wes Stevens

I am a long ways from being up to speed on IDS, but I would think that the
server block is where you would need the IDS blades. Your most suspect
traffic is what is coming off the Internet and going to your users. If you
put the IDS in the server block and DMZ you will never see most of that
traffic.


From: Larry Letterman 
Reply-To: Larry Letterman 
To: [EMAIL PROTECTED]
Subject: RE: Core layer question [7:40535]
Date: Thu, 4 Apr 2002 17:53:02 -0500

If you have redundant 6509 chassis with a sup in each, a 2nd sup in each
one is not necessary.  It's nice to have, but an added expense.


Larry Letterman
Cisco Systems
[EMAIL PROTECTED]


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Steven A. Ridder
Sent: Thursday, April 04, 2002 2:20 PM
To: [EMAIL PROTECTED]
Subject: Core layer question [7:40535]


Has anyone ever designed a network and put either a firewall or IDS blade in
the core switch block?  Even if the customer had no money, wouldn't this
never be advisable?  Has anyone ever done it?

As background for the questions, I started a new job, and so I took over
some accounts, and whoever has been doing the configs (I think some have
been coming from Cisco!) has been making mistakes here and there.  One
proposal had a 500-phone IP Tel network running over Cat. 3 wiring, and this
one has a WAN block going back to the core block (dual 6506's) with only 1
sup in each and an IDS blade in each!  Isn't it advisable to move the IDS's
to the server and DMZ blocks?  Also, isn't it always advisable to go with 2
sups?

I just want to make sure I'm not crazy, as I'd not like to cause a ton of
waves my first week on the job.

--

RFC 1149 Compliant.
Get in my head:
http://sar.dynu.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40544t=40535
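A small coverage model for the two design points argued in this thread: Kent's, that an IDS blade is a passive watcher which at worst misses traffic for inspection rather than slowing forwarding, and Wes's, that placement decides which traffic a sensor ever sees. This is an added example, not code from any poster or from Cisco's SAFE material; the module names, traffic mix and sensor capacities are constructed assumptions.

```python
"""Passive-sensor coverage model (added example, not code from the thread).

Constructed SAFE-style modules and flow classes: each flow lists the modules
it crosses and a made-up average load.  A sensor is an out-of-band tap (a
mirrored copy of traffic, like the IDS blade discussed): it sees only flows
that cross a module it taps and can analyse at most its own capacity.
Excess traffic is lost *for inspection only*; the switch keeps forwarding.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    name: str
    path: tuple          # modules crossed, in order (constructed)
    mbps: float          # constructed average load


# Constructed traffic mix; module names are assumptions for the model.
FLOWS = (
    Flow("internet->user",  ("edge", "core", "dist", "access"),   300.0),
    Flow("user->internet",  ("access", "dist", "core", "edge"),   150.0),
    Flow("internet->dmz",   ("edge", "dmz"),                      200.0),
    Flow("user->server",    ("access", "dist", "core", "server"), 900.0),
    Flow("server->server",  ("server",),                         1200.0),
    Flow("wan->server",     ("wan", "core", "server"),            250.0),
    Flow("wan->user",       ("wan", "core", "dist", "access"),    100.0),
)


def scaled(flows, factor):
    """Same traffic mix at `factor` times the load (the 'when they expand' case)."""
    return tuple(Flow(f.name, f.path, f.mbps * factor) for f in flows)


def sensor_loads(flows, sensors):
    """Offered load per tapped module.  A flow is charged to the first tapped
    module on its path so overlapping taps never count it twice; flows that
    cross no tapped module are the placement's blind spots."""
    loads = {module: 0.0 for module in sensors}
    blind = []
    for f in flows:
        tap = next((m for m in f.path if m in sensors), None)
        if tap is None:
            blind.append(f.name)
        else:
            loads[tap] += f.mbps
    return loads, blind


def coverage(flows, sensors):
    """sensors maps tapped module -> sensor capacity in Mbps.  Over capacity
    the sensor silently misses packets (and any attacks in them); the data
    path is untouched, so there is no forwarding penalty to report."""
    total = sum(f.mbps for f in flows)
    loads, blind = sensor_loads(flows, sensors)
    seen = sum(loads.values())
    inspected = sum(min(load, sensors[m]) for m, load in loads.items())
    return {
        "seen_pct": round(100 * seen / total, 1),
        "inspected_pct": round(100 * inspected / total, 1),
        "dropped_for_inspection_mbps": round(seen - inspected, 1),
        "blind_flows": blind,
    }


if __name__ == "__main__":
    placements = {
        "core only":    {"core": 1000.0},
        "dmz + server": {"dmz": 500.0, "server": 2000.0},
    }
    for label, sensors in placements.items():
        print(label, coverage(FLOWS, sensors))
        print(label, "at 2x load", coverage(scaled(FLOWS, 2.0), sensors))
```

Compare "core only" with "dmz + server" at 1x and 2x load: the core tap is blind to DMZ and server-to-server traffic and drops the most for inspection as load grows, while the DMZ/server taps never see the Internet-to-user or WAN-to-user flows at all.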