I'm deploying a MARS50. We have a WAN aggregation router followed by a team of PIX535s, then a campus aggregation router. Both routers are 6500s with IDSM-2s.
I know the MARS50 is underpowered for our deployment, so we're trying to get the most bang for the buck. I'm getting syslogs from the PIX and routers, and currently NetFlow from the inside router. I'm thinking of moving the NetFlow to the outside router, as I've read we should get better sessionization with the denies from the PIX. Enabling the IDSMs is for later in the process. Any comments or suggestions on whether the NetFlow data is better obtained before or after our border firewall?
I see. Well, I personally still don't see a lot of value in collecting NetFlow out in front of your firewall. You've got all the denies in the PIX... so the numbers are still there for making up numbers about ROI ;-)
The campus router has more value IMHO because you'd see internal<-->internal traffic which you otherwise might not have any insight into.