I recently installed a 4210 sensor behind our PIX 515 Firewall and it seems to be talking to the CSPM perfectly. I am a real security beginner so I had a difficult time deciding whether to install in front of or behind the firewall. We have a simple network and there are no public servers on the inside of the firewall (not connected to this network anyway). What are the determining factors most use to decide where to place the sensor? The IDS book points out the differences really well, but with it behind the firewall it seems like it is just proving to us the firewall is working and I might miss something such as an attempt at a DoS.
Personally I recommend starting with the sensor behind the Firewall.
This way you can find out what kind of attacks are making it through your Firewall.
Many users find that the attacks getting through the Firewall take up most of their time, and they don't have time to spend on attacks already being blocked by the Firewall.
If you've monitored inside your Firewall, and determined that very little is getting past, then it can be worthwhile to move the sensor to outside your Firewall. This way you will see the scans, DoS attacks, etc., that are already being blocked by your Firewall.
BUT I only recommend doing this if you have the time to sort through the extra alarms that will now be firing. If you start getting too many alarms, consider moving it back behind the Firewall.
In your case though, I am guessing that you may wind up leaving the sensor monitoring outside the Firewall.
Several of our advanced users have begun placing IDS Sensors both inside and outside the Firewall. They mostly monitor the inside sensor. When an attack occurs they compare the inside sensor logs with the outside sensor logs to see what other type of activity the user may have been doing that was blocked by the Firewall.
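To make the inside/outside comparison concrete, here is an added example (not from the original reply, and not Cisco IDS or CSPM code) that correlates alarm records from the two sensors. It assumes each sensor exports alarms as timestamp, signature name, source IP and destination IP; the alarm records, the sensor names and the 5-second match window are all constructed for the illustration. An alarm seen on the outside sensor with a matching alarm on the inside sensor shortly afterwards got through the Firewall; one seen only outside was blocked. The counts it produces are the "extra alarms" figure that decides whether monitoring outside is worth the sorting effort.

```python
"""Correlate alarms from an IDS sensor outside the firewall with one inside it.

Example code added to illustrate the inside/outside comparison; not sensor output.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample alarm records (not real sensor logs), one list per sensor.
# Each record: (timestamp, signature name, source IP, destination IP).
OUTSIDE_ALARMS = [
    ("2024-01-10 09:00:01", "TCP SYN Port Sweep",     "203.0.113.5",  "192.0.2.10"),
    ("2024-01-10 09:00:05", "ICMP Flood",             "203.0.113.7",  "192.0.2.10"),
    ("2024-01-10 09:01:10", "WWW IIS Unicode Attack", "198.51.100.9", "192.0.2.20"),
    ("2024-01-10 09:02:00", "SMTP Relay Attempt",     "203.0.113.5",  "192.0.2.25"),
]
INSIDE_ALARMS = [
    # The web attack was permitted by the firewall, so the inside sensor saw it too.
    ("2024-01-10 09:01:12", "WWW IIS Unicode Attack", "198.51.100.9", "192.0.2.20"),
]

# Assumed tolerance between the two sensors' clocks plus firewall latency.
WINDOW = timedelta(seconds=5)


def parse(records):
    """Turn string timestamps into datetime objects; other fields are kept as-is."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), sig, src, dst)
            for ts, sig, src, dst in records]


def correlate(outside, inside, window=WINDOW):
    """Split outside alarms into those also seen inside (passed) and those not (blocked).

    Returns (passed, blocked, inside_only) as lists of (signature, src, dst).
    inside_only holds inside alarms with no outside counterpart, e.g. attacks
    that originate on the internal network.
    """
    out, ins = parse(outside), parse(inside)
    matched_inside = set()
    passed, blocked = [], []
    for ts, sig, src, dst in out:
        hit = None
        for idx, (ts2, sig2, src2, dst2) in enumerate(ins):
            if (sig, src, dst) == (sig2, src2, dst2) and abs(ts - ts2) <= window:
                hit = idx
                break
        if hit is None:
            blocked.append((sig, src, dst))
        else:
            passed.append((sig, src, dst))
            matched_inside.add(hit)
    inside_only = [(sig, src, dst) for idx, (_, sig, src, dst) in enumerate(ins)
                   if idx not in matched_inside]
    return passed, blocked, inside_only


def summarize(outside, inside):
    """Counts a monitoring team would use to judge the extra alarm load outside."""
    passed, blocked, inside_only = correlate(outside, inside)
    return {
        "outside_total": len(outside),
        "passed": len(passed),
        "blocked": len(blocked),
        "inside_only": len(inside_only),
        "blocked_by_signature": dict(Counter(sig for sig, _, _ in blocked)),
    }


if __name__ == "__main__":
    report = summarize(OUTSIDE_ALARMS, INSIDE_ALARMS)
    print(f"Outside sensor alarms: {report['outside_total']}")
    print(f"  got through the Firewall: {report['passed']}")
    print(f"  blocked by the Firewall:  {report['blocked']}")
    for sig, n in report["blocked_by_signature"].items():
        print(f"    {n:3d}  {sig}")
    print(f"Inside-only alarms: {report['inside_only']}")
```

Matching on signature, source and destination within a short window is deliberately simple; real sensors may assign different signature IDs to the same event at different points in the path, so the match key is the thing to tune when adapting this.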
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log in using the username and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside Interface with official IPv6 addresses, set a default route on the outside Interface to our router, and we also have defined a rule, which also gets hits, to permit tcp from the inside Interface to any6.
In Syslog I also se...