Cisco Support Community

New Member

Best Practices

Looking for info on what people are recommending as the best Intrusion Detection system.

Any opinions?


Ernie Batten

New Member

Re: Best Practices

You should first define what is the policy you would like to enforce.

There are 3 major IDS types: Network based, Host based, Application based.

What are you looking for in an IDS?

New Member

Re: Best Practices

Looking for rudimentary building block type of solution. No system in place yet but policy is changing to encompass the issue of Intrusion Detection.

I am going to make a couple of assumptions here (correct my thinking please!):

Network based = an umbrella type of solution that can be configured to monitor all/individual networks.

Host based = monitor specific hosts.

Application based = monitor a specific application.

The situation I am in right now dictates Network based (if my assumptions are correct) with "fine tuning" to the other methods explained above.


Ernie B.

Cisco Employee

Re: Best Practices

Your assumptions are a good place to start. Defense in depth is the current industry practice, where depth is determined by your risk management practices. A good default (IMHO) is a network-based IDS watching your overall network status, with specific hosts protected by an additional host-based solution. Application-specific monitors can be tricky, but you can do some application-specific mitigation such as using SSL only for web servers, SSH in place of telnet (disabling telnet on the servers) and that sort of thing. I've seen some deployments that used multiple network IDSs as well as host IDSs...redundancy and overlap.

Some network IDS-specific decisions include edge monitoring only (the eggshell approach...hard shell, soft middle) or edge and internal monitoring, such as a sensor between the general business network and, let's say, the Finance or Research LANs. *I* think host-based is largely a matter of degree: critical server protection vs. the pervasive anti-virus method. A lot depends on your business model and practices (and budget, obviously).

One thing not to underestimate is the cost of monitoring and maintaining. I have personal friends who have watched (and participated in) their company (a Fortune 500) buying a "low cost" solution, only to have to scrap their plan within a year, because it didn't scale and took more people to manage than they anticipated. Also, be sure you can answer this question adequately ;) "So I have a reported what?" IDSs are not foolproof and all of them (network, host, hardware-based, software-only, etc.) need to be tuned to the environment in which they are deployed. Make sure you have someone(s) capable of understanding the difference between a false positive and an actual attack and being able to tune out the former and respond to the latter.


Scott C.
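The tuning step Scott describes (tuning out known false positives so an analyst only sees what needs a response) is usually implemented as suppression and threshold rules in front of the alert queue. The following is an added example, not code from the thread or from any Cisco product: it models two common rule types, a suppression rule that drops a signature when the source sits in a known-benign network (for instance your own vulnerability scanner), and a threshold rule that passes at most N alerts per source per time window for a noisy signature. The alert records, signature ids and network ranges are constructed for illustration; the rule semantics are modelled loosely on the "suppress" and "threshold limit" concepts found in open-source IDS configuration, but this is not that syntax.

```python
"""IDS alert tuning: suppression and per-source thresholding (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Alert:
    ts: float      # seconds (relative epoch, constructed)
    sensor: str
    sid: int       # signature id
    src: str
    dst: str
    msg: str


@dataclass(frozen=True)
class Suppress:
    """Drop alerts for `sid` when the tracked address falls inside `net`."""
    sid: int
    net: str
    track: str = "src"   # "src" or "dst"

    def matches(self, a: Alert) -> bool:
        addr = a.src if self.track == "src" else a.dst
        return a.sid == self.sid and ip_address(addr) in ip_network(self.net)


@dataclass(frozen=True)
class Threshold:
    """Pass at most `count` alerts for `sid` per source within `seconds`."""
    sid: int
    count: int
    seconds: float


class Tuner:
    def __init__(self, suppressions, thresholds):
        self.suppressions = list(suppressions)
        self.thresholds = {t.sid: t for t in thresholds}
        self._seen = defaultdict(list)   # (sid, src) -> timestamps inside the window

    def process(self, alerts):
        """Return (passed, dropped); dropped items are (alert, reason) pairs."""
        passed, dropped = [], []
        for a in sorted(alerts, key=lambda x: x.ts):
            if any(s.matches(a) for s in self.suppressions):
                dropped.append((a, "suppress"))
                continue
            th = self.thresholds.get(a.sid)
            if th is not None:
                key = (a.sid, a.src)
                # keep only timestamps still inside the sliding window, then add this one
                window = [t for t in self._seen[key] if a.ts - t < th.seconds]
                window.append(a.ts)
                self._seen[key] = window
                if len(window) > th.count:
                    dropped.append((a, "threshold"))
                    continue
            passed.append(a)
        return passed, dropped


# Constructed sample alerts: an internal scanner, a noisy SSH signature, and a
# policy hit (telnet to a server) that should always reach the analyst.
SAMPLE_ALERTS = [
    Alert(0, "edge", 1000, "10.1.5.20", "10.2.0.5", "SCAN port sweep"),       # our scanner
    Alert(1, "edge", 1000, "198.51.100.7", "10.2.0.5", "SCAN port sweep"),    # not our scanner
    Alert(10, "edge", 2000, "192.0.2.10", "10.2.0.9", "SSH repeated login failure"),
    Alert(11, "edge", 2000, "192.0.2.10", "10.2.0.9", "SSH repeated login failure"),
    Alert(12, "edge", 2000, "192.0.2.10", "10.2.0.9", "SSH repeated login failure"),
    Alert(13, "edge", 2000, "192.0.2.10", "10.2.0.9", "SSH repeated login failure"),
    Alert(14, "edge", 2000, "192.0.2.10", "10.2.0.9", "SSH repeated login failure"),
    Alert(50, "finance", 3000, "203.0.113.4", "10.3.0.2", "POLICY telnet session to server"),
    Alert(100, "edge", 2000, "192.0.2.10", "10.2.0.9", "SSH repeated login failure"),  # new window
]

SAMPLE_RULES = (
    [Suppress(sid=1000, net="10.1.5.0/24", track="src")],   # scanner subnet (constructed)
    [Threshold(sid=2000, count=3, seconds=60)],             # 3 per source per minute
)


def run_example():
    tuner = Tuner(*SAMPLE_RULES)
    return tuner.process(SAMPLE_ALERTS)


if __name__ == "__main__":
    passed, dropped = run_example()
    for a in passed:
        print(f"PASS  t={a.ts:>5} {a.sensor:<8} sid={a.sid} {a.src} -> {a.dst}  {a.msg}")
    for a, why in dropped:
        print(f"DROP  t={a.ts:>5} {a.sensor:<8} sid={a.sid} {a.src} -> {a.dst}  [{why}]")
```

Run as written, the scanner's own sweep is suppressed while the identical signature from an outside address still passes, the brute-force signature is capped at three alerts per minute per source (and starts a fresh window at t=100), and the telnet policy hit is untouched. The point of keeping the dropped list with a reason is that tuning decisions remain auditable: an analyst can periodically review what is being silenced rather than discover a year later that a suppression rule was hiding real activity.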