290 Views · 20 Helpful · 3 Replies

IDS Solution?

richard_tufaro
Level 1

Hey guys/gals, I have a question concerning a new IDS rollout.

I have a client that is looking to deploy IDS's in 2 locations right now (to be expanded in the future to many others).

Here is the scenario thus far.

The client has 4 T1's coming into the main office (the T1's are split half and half between providers, 2 and 2).

At the satellite office they have 1 T1 coming in.

Their proposed topology is going to be: 1 IDS in front of every provider (totaling 3 IDS's on the outside) and 1 on every LAN (2 on the inside). Total of 5 right now.

All hosts that are in the DMZ are going to be deployed with HIDS from Cisco.

Question is: #1, is this a good scenario? I know there is not much to work on, but is it solid? I guess the only real nagging question in my mind right now is: can they use 1 4210 at the main office and span all the T1's? Or is it a better solution to go with separate 4120's at each incoming connection?

Another question: what would be the best management solution for a topology like this? It seems that VMS would be the logical solution, but the Cisco IDS Event Viewer pulls in a max of 5 on one server, so that may accommodate them on day 1.

What about the host-based IDS on the servers? Does Cisco have something that pulls all the HIDS and NIDS into one location, then parses them out, sends alerts, etc., without using VMS?

3 Replies

wdrootz
Level 4

The whole thing revolves around what kind of traffic he's expecting on all 3 T1's put together. I would go with one 4235 for the entire setup instead of 1 4210.

I hope the 4120 you mentioned is a typo; I could not find any such model.

Well, you should know that Cisco did not have a single management solution until they took over OKENA, so VMS is the best bet, as Cisco has announced plans to integrate OKENA into VMS. You can also take a look at this:

http://www.cisco.com/en/US/products/sw/secursw/ps976/prod_eol_notice09186a008014dda0.html

ttorgerson
Level 1

Management for the Cisco IDS is the worst I have ever seen. Every time I get familiar with something they offer... yank! They yank it from the shelf, such as with HIDS, or maybe the current 6500 IDS modules, which are now being replaced by new modules which I believe sell for right around $30k per module, which is way overblown. Their selling point is that it is now manageable with VMS, etc., etc. Yeah... well, in order to run VMS you have to install CiscoWorks, which is in itself a pain; plus the licensing is a pain.

All in all, Cisco's IDS solution is not at all impressive given the cost and manageability, and the 4200 appliances do not scale all that well in my experience.

PS: go out and buy a good, powerful server with multiple NICs and install BSD and Snort. Not only will it be easy to configure, but the signatures are easy to build on your own, public signatures are updated very frequently (much more frequently than the Cisco IDS sigs), and it will cost you no more than $5k-$7k. Plus, you can throw an extra NIC into the box every time you want to add an additional segment to be monitored (1 box to do the job of several at far less the cost).
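
To make the "build your own signatures" point concrete, here is an added example (not Snort's code and not anything posted in this thread): a toy matcher that parses two rules written in Snort's rule syntax and runs them over constructed sample packets. Everything in it is assumed for illustration: $HOME_NET as 10.0.0.0/24, the two local rules (sids in the >= 1000000 local-rule range), and the four packets, which use documentation address ranges. It supports only the msg, content, nocase and sid options; real Snort adds preprocessors, hex content, pcre, flow state and much more.

```python
"""Toy Snort-style rule matcher (added example, not Snort's own code).

Parses a subset of Snort rule syntax:
    action proto src sport -> dst dport (options)
supporting msg, content, nocase and sid, then runs the rules over
constructed packets. Everything here is illustrative only.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumed address plan for the client's LAN; the thread gives none.
VARS = {"$HOME_NET": "10.0.0.0/24"}

RULE_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str = ""
    sid: int = 0
    nocase: bool = False
    contents: List[bytes] = field(default_factory=list)


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def parse_rule(text: str) -> Rule:
    """Parse one rule line. Options are split on ';', so a content string
    containing ';' is not supported by this toy parser."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparsable rule: {text!r}")
    action, proto, src, sport, dst, dport, opts = m.groups()
    rule = Rule(action, proto, src, sport, dst, dport)
    for opt in opts.split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip().strip('"')
        if key == "msg":
            rule.msg = val
        elif key == "sid":
            rule.sid = int(val)
        elif key == "content":
            rule.contents.append(val.encode())
        elif key == "nocase":
            rule.nocase = True
        # any other option is ignored by this toy
    return rule


def addr_match(spec: str, ip: str) -> bool:
    """'any', a $VAR from VARS, or a CIDR/host address."""
    spec = VARS.get(spec, spec)
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_match(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Header fields first, then every content: string must be present."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (addr_match(rule.src, pkt.src) and addr_match(rule.dst, pkt.dst)):
        return False
    if not (port_match(rule.sport, pkt.sport) and port_match(rule.dport, pkt.dport)):
        return False
    payload = pkt.payload.lower() if rule.nocase else pkt.payload
    return all((c.lower() if rule.nocase else c) in payload for c in rule.contents)


def run(rules: List[Rule], packets: List[Packet]) -> List[Tuple[int, str, str, str]]:
    """Return (sid, msg, src, dst) for every rule/packet pair that matches."""
    return [(r.sid, r.msg, p.src, p.dst)
            for p in packets for r in rules if rule_matches(r, p)]


# Constructed local rules in Snort syntax (sid >= 1000000 is the local range).
RULES = [parse_rule(r) for r in [
    'alert tcp any any -> $HOME_NET 80 (msg:"LOCAL WEB cmd.exe access"; content:"cmd.exe"; nocase; sid:1000001;)',
    'alert tcp any any -> $HOME_NET 80 (msg:"LOCAL WEB /etc/passwd request"; content:"/etc/passwd"; sid:1000002;)',
]]

# Constructed sample traffic (documentation address ranges, not captured data).
PACKETS = [
    Packet("tcp", "192.0.2.10", 4321, "10.0.0.5", 80,
           b"GET /scripts/..%255c../winnt/system32/CMD.EXE?/c+dir HTTP/1.0\r\n"),
    Packet("tcp", "192.0.2.11", 4322, "10.0.0.5", 80, b"GET /index.html HTTP/1.0\r\n"),
    Packet("tcp", "192.0.2.12", 4323, "10.0.0.5", 22, b"cmd.exe"),  # wrong port, no alert
    Packet("tcp", "198.51.100.7", 4000, "10.0.0.9", 80,
           b"GET /cgi-bin/view?file=../../etc/passwd HTTP/1.0\r\n"),
]


def demo() -> List[Tuple[int, str, str, str]]:
    return run(RULES, PACKETS)


if __name__ == "__main__":
    for sid, msg, src, dst in demo():
        print(f"[{sid}] {msg}  {src} -> {dst}")
```

Running it reports two alerts: sid 1000001 on the first packet (the nocase option lets "cmd.exe" match "CMD.EXE") and sid 1000002 on the last; the third packet carries the same string but on port 22, so the header check rejects it before the content check runs, which is also the order in which a real signature engine saves work.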

rzcisco
Level 1

The most logical decision depends on your policy.

You should note that an IDS is nothing but a computer system whose throughput relies on hardware capabilities.

If you have heavy incoming input from outside, you should consider load balancing.

Let's say, what's the best solution in your case?!

3 IDS on the outside is sufficient; one per LAN is enough, but 2 IDS for the inside don't do much; try to use IDS between attack-prone segments.

For management you'd better have a powerful server running CSPM, and deploy a stable Linux client to get all forwarded packets from the CSPM server as a backup.

Don't forget to use sensor triggers towards firewall ACLs.
