Cisco Support Community
Community Member

IDS Rookie Question

I recently installed a 4210 sensor behind our PIX 515 Firewall and it seems to be talking to the CSPM perfectly. I am a real security beginner so I had a difficult time deciding whether to install in front of or behind the firewall. We have a simple network and there are no public servers on the inside of the firewall (not connected to this network anyway). What are the determining factors most use to decide where to place the sensor? The IDS book points out the differences really well, but with it behind the firewall it seems like it is just proving to us the firewall is working, and I might miss something such as an attempt at a DoS.

Cisco Employee

Re: IDS Rookie Question

Personally I recommend starting with the sensor behind the Firewall.

This way you can find out what kind of attacks are making it through your Firewall.

Many users find that the attacks getting through the Firewall take up most of their time, and they don't have time to spend on attacks already being blocked by the Firewall.

If you've monitored inside your Firewall, and determined that very little is getting past, then it can be worthwhile to move the sensor to outside your Firewall. This way you will see the scans, DoS attacks, etc., that are already being blocked by your Firewall.

BUT I only recommend doing this if you have the time to sort through the extra alarms that will now be firing. If you start getting too many alarms, consider moving it back behind the Firewall.

In your case though, I am guessing that you may wind up leaving the sensor monitoring outside the Firewall.

Several of our advanced users have begun placing IDS Sensors both inside and outside the Firewall. They mostly monitor the inside sensor. When an attack occurs they compare the inside sensor logs with the outside sensor logs to see what other type of activity the user may have been doing that was blocked by the Firewall.
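The inside/outside comparison described in the answer above, as an added example that is not from the original thread or from Cisco: a small Python correlation over constructed alarm lines from a hypothetical inside and outside sensor pair. For each source address that triggered an alarm on the inside sensor, it lists the outside-sensor alarms from that source around the same time that never appeared inside (the activity the firewall blocked), and separately reports sources that only ever showed up outside.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alarms (not real sensor output), one per line:
# "<sensor> <ISO time> <source ip> <signature name>"
INSIDE_ALARMS = """\
inside 2003-05-01T10:02:10 203.0.113.7 WWW IIS Unicode attack
inside 2003-05-01T10:02:45 203.0.113.7 WWW cmd.exe access
inside 2003-05-01T11:30:00 198.51.100.9 SMTP relay attempt
"""
OUTSIDE_ALARMS = """\
outside 2003-05-01T09:58:00 203.0.113.7 TCP SYN port sweep
outside 2003-05-01T09:59:30 203.0.113.7 NetBIOS name query
outside 2003-05-01T10:02:10 203.0.113.7 WWW IIS Unicode attack
outside 2003-05-01T10:02:45 203.0.113.7 WWW cmd.exe access
outside 2003-05-01T11:29:50 198.51.100.9 SMTP relay attempt
outside 2003-05-01T12:00:00 192.0.2.55 ICMP flood
"""


def parse_alarms(text):
    """Turn the constructed alarm lines into (sensor, time, src, signature) tuples."""
    events = []
    for line in text.splitlines():
        sensor, stamp, src, sig = line.split(" ", 3)
        events.append((sensor, datetime.fromisoformat(stamp), src, sig))
    return events


def blocked_activity(inside, outside, window=timedelta(minutes=10)):
    """For every source seen on the inside sensor, return the outside-sensor
    signatures from that source within `window` of its first inside alarm
    that the inside sensor never reported, i.e. what the firewall stopped."""
    first_inside = {}
    for _, when, src, _ in inside:
        first_inside[src] = min(when, first_inside.get(src, when))
    seen_inside = {(src, sig) for _, _, src, sig in inside}
    blocked = defaultdict(list)
    for _, when, src, sig in outside:
        if src not in first_inside or (src, sig) in seen_inside:
            continue
        if abs(when - first_inside[src]) <= window:
            blocked[src].append(sig)
    return dict(blocked)


def outside_only_sources(inside, outside):
    """Sources that fired only on the outside sensor: blocked entirely by the firewall."""
    return {src for _, _, src, _ in outside} - {src for _, _, src, _ in inside}
```

Run against the sample data, the attacker that reached the inside web server is shown to have port-swept and probed NetBIOS first, while the ICMP flood source never got past the firewall at all.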
