Hey guys/gals, I have a question concerning a new IDS rollout.
I have a client that is looking to deploy IDSs in 2 locations right now (to be expanded in the future to many others).
Here is the scenario thus far.
The client has 4 T1s coming into the main office (the T1s are half and half between providers, 2 and 2).
At the satellite office they have 1 T1 coming in.
Their proposed topology is going to be: 1 IDS in front of every provider (totaling 3 IDSs on the outside) and 1 on every LAN (2 on the inside), for a total of 5 right now.
All hosts that are in the DMZ are going to be deployed with HIDS from Cisco.
Question #1: is this a good scenario? I know there is not much to work on, but is it solid? I guess the only real nagging question in my mind right now is: can they use one 4210 at the main office and span all the T1s? Or is it a better solution to go with separate 4120s at each incoming connection?
Another question: what would be the best management solution for a topology like this? It seems that VMS would be the logical solution, but the Cisco IDS Event Viewer pulls in a max of 5 on one server, so that may accommodate them on day 1.
What about the host-based IDS on the servers? Does Cisco have something that pulls all the HIDS and NIDS into one location, then parses them out, sends alerts, etc. without using VMS?
The whole thing revolves around what kind of traffic he's expecting on all 3 T1s put together; I would go with one 4235 for the entire setup instead of one 4210.
I hope the 4120 you mentioned is a typo, as I could not find any such model.
Well, you should know that Cisco currently does not have a single management solution, until they took over OKENA, so VMS is the best bet, as Cisco has announced plans to integrate OKENA into VMS. You can also take a look at this
Management for the Cisco IDS is the worst I have ever seen. Every time I get familiar with something they offer, yank! They yank it from the shelf, such as with HIDS, or maybe the current 6500 IDS modules, which are now being replaced by new modules which I believe sell for right around $30k per module, which is way overblown. Their selling point is that it is now manageable with VMS, etc. etc. Yeah, well, in order to run VMS you have to install CiscoWorks, which is in itself a pain, plus the licensing is a pain.
All in all, Cisco's IDS solution is not at all impressive given the cost and manageability, and the 4200 appliances do not scale all that well from my experience.
PS: go out and buy a good powerful server with multiple NICs and install BSD and Snort. Not only will it be easy to configure, but the signatures are easy to build on your own, public signatures are updated very frequently (much more frequently than the Cisco IDS sigs), and it will cost you no more than $5k-$7k. Plus, you can throw an extra NIC into the box every time you want to add an additional segment to be monitored (1 box to do the job of several, at far less the cost).
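The post above argues that Snort signatures are easy to write yourself. As an added example (not from the original thread, and not Snort's own code), here is a minimal matcher for a subset of Snort's rule syntax: it parses a few hand-written rules (header, `msg`, `content` with `|hex|` escapes, `nocase`, `sid`) and evaluates them against constructed packet records, so you can see exactly which header fields and content conditions must all hold for a signature to fire. `HOME_NET`, the rules, and the packets are constructed samples and only cover the options shown.

```python
"""Toy Snort-style signature matcher (added example, not Snort itself).

Supports: action/proto/src/sport -> dst/dport headers, $HOME_NET / $EXTERNAL_NET,
CIDR and '!' negation, port ranges, and the msg/content/nocase/sid options.
Everything below is constructed sample data; this is not a replacement for Snort.
"""
import ipaddress
import re
from dataclasses import dataclass

VARS = {"HOME_NET": "10.0.0.0/8"}  # assumed site variable, as in snort.conf


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str
    sid: int
    contents: list  # [pattern_bytes, nocase_flag] pairs, all of which must match


HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")


def _parse_content(raw):
    """Turn 'abc|0d 0a|def' into bytes: text outside '|' pairs, hex inside."""
    out = bytearray()
    for i, part in enumerate(raw.split("|")):
        out += part.encode() if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


def _addr_match(spec, ip):
    if spec == "any":
        return True
    neg = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "$EXTERNAL_NET":          # conventionally "anything not HOME_NET"
        hit = not _addr_match("$HOME_NET", ip)
    else:
        if spec.startswith("$"):
            spec = VARS[spec[1:]]
        hit = ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != neg


def _port_match(spec, port):
    if spec == "any":
        return True
    neg = spec.startswith("!")
    lo_s, sep, hi_s = spec.lstrip("!").partition(":")   # "80", "80:90", "1024:", ":1023"
    lo = int(lo_s) if lo_s else 0
    hi = int(hi_s) if hi_s else (65535 if sep else lo)
    return (lo <= port <= hi) != neg


def parse_rule(text):
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError("bad rule header: " + text)
    action, proto, src, sport, dst, dport, body = m.groups()
    msg, sid, contents = "", 0, []
    # Simplification: options are split on ';', so a ';' inside msg is not supported.
    for opt in filter(None, (o.strip() for o in body.split(";"))):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip()
        if key == "msg":
            msg = val.strip('"')
        elif key == "sid":
            sid = int(val)
        elif key == "content":
            contents.append([_parse_content(val.strip('"')), False])
        elif key == "nocase" and contents:
            contents[-1][1] = True   # nocase modifies the preceding content
    return Rule(action, proto, src, sport, dst, dport, msg, sid, contents)


def matches(rule, pkt):
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (_addr_match(rule.src, pkt.src) and _port_match(rule.sport, pkt.sport)
            and _addr_match(rule.dst, pkt.dst) and _port_match(rule.dport, pkt.dport)):
        return False
    for pattern, nocase in rule.contents:
        hay, needle = (pkt.payload.lower(), pattern.lower()) if nocase else (pkt.payload, pattern)
        if needle not in hay:
            return False
    return True


def run(rules, packets):
    """Return (sid, msg) for every alert rule that fires, in packet order."""
    return [(r.sid, r.msg) for pkt in packets for r in rules
            if r.action == "alert" and matches(r, pkt)]


# Constructed sample rules (sid >= 1000000 is the local-rule range).
SAMPLE_RULES = [parse_rule(r) for r in [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB traversal attempt"; content:"../"; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE EXEC"; content:"SITE EXEC"; nocase; sid:1000002; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"IRC from inside"; content:"NICK "; sid:1000003; rev:1;)',
]]

# Constructed sample traffic: three hits, one reversed-direction packet, one benign request.
SAMPLE_PACKETS = [
    Packet("tcp", "198.51.100.7", 40000, "10.1.2.3", 80, b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n"),
    Packet("tcp", "198.51.100.7", 40001, "10.1.2.3", 21, b"site exec %p%p%p\r\n"),
    Packet("tcp", "10.1.2.50", 40002, "198.51.100.9", 6667, b"NICK bot1\r\n"),
    Packet("tcp", "10.1.2.3", 80, "198.51.100.7", 40000, b"HTTP/1.0 200 OK ../\r\n"),
    Packet("tcp", "198.51.100.7", 40003, "10.1.2.3", 80, b"GET /index.html HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    for sid, msg in run(SAMPLE_RULES, SAMPLE_PACKETS):
        print(f"[{sid}] {msg}")
```

The fourth packet carries `../` but comes from the web server toward the outside, so the `$EXTERNAL_NET -> $HOME_NET 80` header rejects it before any content check runs; that header/content split is the part of a signature most often got wrong when people write their own rules.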