ids 4200 syslog

Answered Question
May 26th, 2009
User Badges:

Customer doesn't want to use MARS. Any recommendations on decent syslog server?


thx again

Correct Answer by Farrukh Haroon about 8 years 1 month ago

I would place it behind the firewall's outside interface. But this all depends on your security policy and how your network is setup.


Another factor is your IPS device's throughput. Can it sustain the load from the internal LAN? If so you can also place it behind the PIX firewall. This will give you protectional for both internal an external threats.


I would setup the IPS in inline interface pair mode.


Have a look at this link:


http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_example09186a00809c37cb.shtml


Please rate if helpful.


Regards


Farrukh

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Farrukh Haroon Tue, 05/26/2009 - 06:07
User Badges:
  • Red, 2250 points or more

The IPS sensor does not support syslog. It can only send SNMP traps to remote destinations. A good tool to store IPS sensor events is Cisco IME, and its free! Have a look at:


www.cisco.com/go/ime


Regards


Farrukh

Farrukh Haroon Tue, 05/26/2009 - 11:13
User Badges:
  • Red, 2250 points or more

No problem, I'm glad you find the link useful :)


Regards


Farrukh

whanson Wed, 05/27/2009 - 13:04
User Badges:

one more question. Simple network with PIX outside and inside network. I was just looking at how these things go together. Customer wants ids mode. I assume you span ports to make it work? Also, placement better to have it on the internet side or the inside? thx again

Correct Answer
Farrukh Haroon Wed, 05/27/2009 - 23:41
User Badges:
  • Red, 2250 points or more

I would place it behind the firewall's outside interface. But this all depends on your security policy and how your network is setup.


Another factor is your IPS device's throughput. Can it sustain the load from the internal LAN? If so you can also place it behind the PIX firewall. This will give you protectional for both internal an external threats.


I would setup the IPS in inline interface pair mode.


Have a look at this link:


http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_example09186a00809c37cb.shtml


Please rate if helpful.


Regards


Farrukh

Actions

This Discussion