Hey guys/gals, I have a question concerning a new IDS rollout.
I have a client that is looking to deploy IDSs in 2 locations right now (to be expanded in the future to many others).
Here is the scenario thus far.
The client has 4 T1s coming into the main office (the T1s are half and half between providers, 2 and 2).
At the satellite office they have 1 T1 coming in.
Their proposed topology is going to be: 1 IDS in front of every provider (totaling 3 IDSs on the outside), and 1 on every LAN (2 on the inside). Total of 5 right now.
All hosts that are in the DMZ are going to be deployed with HIDS from Cisco.
Question is: #1, is this a good scenario? I know there is not much to work on, but is it solid? I guess the only real nagging question in my mind right now is, can they use one 4210 at the main office and span all the T1s? Or is it a better solution to go with separate 4120s at each incoming connection?
Another question. What would be the best management solution for a topology like this? Seems that VMS would be the logical solution, but the Cisco IDS event view pulls in a max of 5 on one server, so that may accommodate them day 1.
What about the host-based on the servers? Does Cisco have something that pulls all the HIDS and NIDS into one location, then parses them out, sends alerts, etc. without using VMS?