IDS Solution?

Mar 23rd, 2003

Hey guys/gals, I have a question concerning a new IDS rollout.

I have a client that is looking to deploy IDS's in 2 locations right now (to be expanded in the future to many others).

Here is the scenario thus far.

The client has 4 T1's coming into the main office (the T1's are half and half between providers, 2 and 2).

At the satellite office they have 1 T1 coming in.

Their proposed topology is going to be: 1 IDS in front of every provider (totaling 3 IDS's on the outside), and 1 on every LAN (2 on the inside). Total of 5 right now.

All hosts that are in the DMZ are going to be deployed with HIDS from Cisco.

Question #1: is this a good scenario? I know there is not much to work on, but is it solid? I guess the only real nagging question in my mind right now is, can they use 1 4210 at the main office and span all the T1's? Or is it a better solution to go with separate 4120's at each incoming connection?

Another question. What would be the best management solution for a topology like this? Seems that VMS would be the logical solution, but the Cisco IDS event view pulls in a max of 5 on one server, so that may accommodate them day 1.

What about the host based on the servers? Does Cisco have something that pulls all the HIDS, and NIDS into one location then parses them out, sends alerts etc. without using VMS?

Overall Rating: 3.6 (5 ratings)
wdrootz Fri, 03/28/2003 - 10:42

The whole thing revolves around what kind of traffic he's expecting on all 3 T1's put together. I would go with one 4235 for the entire setup instead of 1 4210.

Hope the 4120 you have mentioned is a typo error; I could not find any such model.

Well you should know that currently Cisco does not have a single management solution till they took over OKENA, so VMS is the best bet as Cisco has announced plans to integrate OKENA in VMS. You can also take a look at this


ttorgerson Tue, 04/01/2003 - 13:01

management for the Cisco IDS is the worst I have ever seen... every time I get familiar with something they offer,... yank...! they yank it from the shelf... such as with HIDS... or maybe the current 6500 IDS modules, which are now being replaced by new modules which I believe sell for right around $30k per module, which is way overblown... their selling point is that it is now manageable with the VMS, etc. etc... yeah... well, in order to run VMS, you have to install CiscoWorks, which is in itself a pain... plus the licensing is a pain...

all in all... Cisco's IDS solution is not at all impressive given the cost and manageability... and the 4200 appliances do not scale all that well from my experience...

PS: go out and buy a good powerful server with multiple NICs.. and install BSD and Snort... not only will it be easy to configure, but the signatures are easy to build on your own, public signatures are updated very frequently (much more frequently than the Cisco IDS sigs), and it will cost you no more than $5k-$7k... plus, you can throw an extra NIC into the box every time you want to add an additional segment to be monitored... (1 box to do the job of several at far less the cost)...

rzcisco Tue, 04/08/2003 - 02:26

The most logical decision depends on your policy.

You should note that an IDS is nothing but a computer system whose throughput relies on hardware capabilities.

If you have heavy incoming input from outside, you should note load balancing.

Let's say, what's the best solution in your case?!

3 IDS on the outside is sufficient, one per LAN is enough, but 2 IDS for inside don't work much; try to use IDS between attack-prone segments.

For management you better have a powerful server running a CSPM and deploy a stable Linux client to get all forwarded packets from the CSPM server as a backup.

Don't forget to use sensor triggers towards firewall ACLs.

