Cisco Support Community

New Member

IDS Design

I am wondering about IDS placement. Currently our design is perimeter router, firewall, and then interior router which connects all internal networks. A sensor is placed between the FW and the interior router. All traffic that is allowed through the FW is subject to inspection by the IDS. I have an opportunity to place another sensor between the FW and the exterior router, however I need a solid justification for this. Does anyone know of any documentation, preferably from Cisco, that could justify a sensor in front of and behind the FW? Thank you

Kevin Reynolds

New Member

Re: IDS Design

We've had similar conversations. The external sensor can give you a good idea if someone is feeling out your network, aka reconnaissance. It's particularly helpful when you have multiple points of presence on the Internet. However, without some automated means to do the forensic foot work, the level of traffic you'll see tends to look like noise. When you are correlating the events from numerous devices using something like Netforensics or Intelletactics Security Manager, it makes it more useful.

Hope that helps.


New Member

Re: IDS Design

There are several good reasons to have a sensor placed outside of the firewall (in fact it is preferable to have it outside the firewall if you can afford to spend some time tuning it). If you are interested I wrote an article over a year ago in which I referred to IDS placement techniques and had a little equation called "Degree Of Attack Accuracy" which tried to quantify how effective certain sensor management techniques are. The article is a little old but could be interesting. Personally IMHO if you can afford to spend time tuning having one on the outside is the way to go. You catch attacks and probes sooner which allows the attacker to be positively identified and removed from the network sooner. Having one inside the firewall makes correlation and threat determination easier.
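Both replies make the same operational point: the outside sensor alone is noisy, and its value comes from correlating its events with the inside sensor. The following is an added example (not from this thread, nor from any Cisco or Netforensics product) of that correlation step in Python. The sensor names, signature strings, addresses and timestamps are constructed for illustration. An alert seen on both sensors for the same source, destination and signature within a short window means the firewall passed the traffic and is ranked first; an alert seen only outside is treated as blocked or reconnaissance and collapsed into one finding per source; an alert seen only inside never crossed the perimeter.

```python
"""Correlate IDS alerts from a sensor outside the firewall with one inside it.

Constructed example: sensor names, signature names, addresses and timestamps
are invented for illustration and are not taken from the thread or any product.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    sensor: str   # "outside" (FW <-> exterior router) or "inside" (FW <-> interior router)
    ts: int       # epoch seconds
    src: str
    dst: str
    sig: str      # signature name as the sensor reports it


# Constructed sample alerts (not real traffic).
SAMPLE_ALERTS = [
    Alert("outside", 1000, "203.0.113.5", "192.0.2.10", "TCP SYN port sweep"),
    Alert("outside", 1003, "203.0.113.5", "192.0.2.11", "TCP SYN port sweep"),
    Alert("outside", 1007, "203.0.113.5", "192.0.2.12", "TCP SYN port sweep"),
    Alert("outside", 1100, "203.0.113.9", "192.0.2.20", "HTTP directory traversal"),
    Alert("inside",  1101, "203.0.113.9", "192.0.2.20", "HTTP directory traversal"),
    Alert("inside",  1200, "10.0.5.7",    "10.0.9.3",   "SMB null session"),
]


def correlate(alerts, window=30):
    """Pair outside/inside alerts for the same (src, dst, sig) within `window` seconds.

    Returns a dict keyed by (src, dst, sig) with the placement verdict:
      passed_firewall  - seen on both sensors: the firewall let it through, act first
      blocked_or_recon - outside only: dropped at the firewall, or probing/recon
      internal_only    - inside only: never crossed the outer sensor (internal source)
    """
    by_key = defaultdict(lambda: {"outside": [], "inside": []})
    for a in alerts:
        by_key[(a.src, a.dst, a.sig)][a.sensor].append(a.ts)

    verdicts = {}
    for key, seen in by_key.items():
        both = any(abs(o - i) <= window
                   for o in seen["outside"] for i in seen["inside"])
        if both:
            verdicts[key] = "passed_firewall"
        elif seen["outside"]:
            verdicts[key] = "blocked_or_recon"
        else:
            verdicts[key] = "internal_only"
    return verdicts


def recon_summary(alerts, min_targets=3):
    """Collapse outside-only alerts into one reconnaissance finding per source.

    A source that triggers the same signature against `min_targets` or more
    distinct destinations, with no matching inside alert, is reported once
    (with its target count) instead of once per probe. This is the
    noise-reduction step the thread says the external sensor needs.
    """
    verdicts = correlate(alerts)
    targets = defaultdict(set)
    for (src, dst, sig), verdict in verdicts.items():
        if verdict == "blocked_or_recon":
            targets[(src, sig)].add(dst)
    return {k: len(v) for k, v in targets.items() if len(v) >= min_targets}


def prioritized(alerts):
    """Order (src, dst, sig) keys: passed_firewall first, then internal_only, then recon."""
    order = {"passed_firewall": 0, "internal_only": 1, "blocked_or_recon": 2}
    verdicts = correlate(alerts)
    return sorted(verdicts, key=lambda k: (order[verdicts[k]], k))


if __name__ == "__main__":
    for key in prioritized(SAMPLE_ALERTS):
        print(f"{correlate(SAMPLE_ALERTS)[key]:17} {key}")
    print("recon sources:", recon_summary(SAMPLE_ALERTS))
```

The window length and the `min_targets` threshold are the tuning knobs the second reply refers to; a real deployment would also need to account for NAT at the firewall, since the inside sensor may see a translated address and the key would then have to be built from the untranslated side.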