Cisco Support Community
New Member

Selecting IDS

Hi All,

We want to implement a network-based IDS in our organization.

Here is a brief overview of our network:

4 core switches, Gigabit Ethernet

3 subnets

Servers on Gigabit Ethernet

Clients on Fast Ethernet

Can anybody tell me which IDS is best for us?

Also, do we have to add 4FE ports, or is a single Ethernet port suitable for us?

Any suggestions will be welcome.


Re: Selecting IDS

There is a product from Cisco called "Cisco Secure Intrusion Detection System". You can use that.

Cisco Employee

Re: Selecting IDS

Things to consider:

1) What traffic do you want to monitor?

Some users want to monitor just the traffic going in and out of their firewalls. Some want to monitor traffic going in and out of their data centers. Others want to monitor ALL internal traffic. Determining what traffic to monitor will help you determine where you need to place your IDS.

2) Now that you've determined what to monitor, the next question is: what is the traffic rate in Mbps of that traffic? This will determine what sensor model you will need, because each sensor model has a different performance rating. Simply saying that you have Gigabit Ethernet connections is not enough, because these may only be sending 5 Mbps or could be sending close to 2 Gbps. Or your internal traffic may be 1 Gbps but you may only want to monitor your firewall traffic, which may only be 100 Mbps.

The IDS-4250-XL for example can monitor up to 1 Gbps of traffic, but it can be expensive. If your traffic rates are low enough then you may be able to get away with the less expensive IDS-4235 that can monitor

3) Now consider how the traffic flows through your environment.

Is traffic load balanced across switches? In that case you need to find out how the load balancing works. The sensor needs to see both the client packets and the server packets for the same connection to properly monitor that connection. If the load balancer will place both server and client packets on the same switch, then you can have one IDS monitor one switch and another IDS monitor another switch. This would mean 2 IDS sensors each with just a single interface, or 1 IDS sensor with 2 interfaces.

BUT if client traffic goes across one switch and server traffic across another, then one IDS may need to monitor BOTH switches. This would mean 1 IDS with 2 or more interfaces.

Are there 2 switches configured to be failover/redundant rather than load balanced? Then one sensor may be able to watch both switches, because only one will be active at a time. This would mean 1 IDS sensor with at least 2 interfaces.

Sensors that can receive traffic from more than one switch require more than one sensing interface. Here are the available options:

IDS-4215 with the 4FE card - provides 5 10/100 TX interfaces - aggregate performance is 80 Mbps

IDS-4235 with the 4FE card - provides 4 10/100 TX interfaces and 1 10/100/1000 TX interface - aggregate performance is 250 Mbps

IDS-4250-TX with the 4FE card - provides 4 10/100 TX interfaces and 1 10/100/1000 TX interface - aggregate performance is 500 Mbps

IDS-4250-SX - provides 1 10/100/1000 TX interface and 1 1000 SX interface - aggregate performance is 500 Mbps

IDS-4250-XL - provides 2 1000 SX interfaces - aggregate performance is 1 Gbps

NOTE: Aggregate performance is how many Mbps the sensor can handle based on its CPU and memory, regardless of the number of NICs being monitored. For example, with the IDS-4235 with the 4FE card, you could monitor 250 Mbps on one port, or 50 Mbps on each of 5 ports, or 100 Mbps on 2 ports and 50 Mbps on a 3rd.
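A worked version of the sizing reasoning in the reply above (questions 2 and 3 and the NOTE), as an added example that is not part of the original post and is not a Cisco tool. The sensor table is the one listed in the reply; the interface compatibility rules and the `Tap`/`Flow` numbers are constructed assumptions, stated in the code comments.

```python
"""Sizing check for a multi-interface network IDS.

Added example: turns the reply's three questions into a check you can run
against measured numbers. Is every monitored connection seen in both
directions, and does the smallest listed sensor have the interface mix and
aggregate rating for the taps you plan to plug into it?
"""
from dataclasses import dataclass

# Sensor options exactly as listed in the reply: interface mix and aggregate Mbps.
SENSORS = [
    {"model": "IDS-4215 + 4FE",    "fe": 5, "ge_tx": 0, "ge_sx": 0, "mbps": 80},
    {"model": "IDS-4235 + 4FE",    "fe": 4, "ge_tx": 1, "ge_sx": 0, "mbps": 250},
    {"model": "IDS-4250-TX + 4FE", "fe": 4, "ge_tx": 1, "ge_sx": 0, "mbps": 500},
    {"model": "IDS-4250-SX",       "fe": 0, "ge_tx": 1, "ge_sx": 1, "mbps": 500},
    {"model": "IDS-4250-XL",       "fe": 0, "ge_tx": 0, "ge_sx": 2, "mbps": 1000},
]

# Assumption: a 10/100 mirror port can be patched to a 10/100 or a 10/100/1000 TX
# sensor interface; gigabit copper needs a 10/100/1000 TX; fibre needs a 1000 SX.
COMPATIBLE = {"fe": ("fe", "ge_tx"), "ge_tx": ("ge_tx",), "ge_sx": ("ge_sx",)}


@dataclass(frozen=True)
class Tap:
    """One SPAN/mirror port the sensor would plug into."""
    switch: str
    media: str        # "fe", "ge_tx" or "ge_sx" (keys of COMPATIBLE)
    peak_mbps: float  # measured peak of the mirrored traffic, not the link speed


@dataclass(frozen=True)
class Flow:
    """A monitored conversation and the switch each side's packets traverse."""
    name: str
    client_switch: str
    server_switch: str


def unseen_directions(flows, taps):
    """Names of flows the sensor would see only one side of (client or server packets)."""
    tapped = {t.switch for t in taps}
    return [f.name for f in flows if not {f.client_switch, f.server_switch} <= tapped]


def fits(sensor, taps):
    """True if the sensor has a compatible interface per tap and its aggregate rating covers the sum."""
    if sum(t.peak_mbps for t in taps) > sensor["mbps"]:
        return False
    free = {kind: sensor[kind] for kind in COMPATIBLE}
    # Place the taps with the fewest options first so 10/100 taps take leftover TX ports.
    for tap in sorted(taps, key=lambda t: len(COMPATIBLE[t.media])):
        for kind in COMPATIBLE[tap.media]:
            if free[kind] > 0:
                free[kind] -= 1
                break
        else:
            return False
    return True


def smallest_sensor(taps):
    """First listed sensor (lowest aggregate rating) that fits, or None if one sensor cannot do it."""
    return next((s["model"] for s in SENSORS if fits(s, taps)), None)


# Constructed scenario, not the original poster's real numbers: two core switches plus a DMZ.
TAPS = [Tap("core-A", "ge_tx", 180), Tap("dmz", "fe", 40)]
FLOWS = [Flow("web", "dmz", "core-A"), Flow("db", "core-A", "core-B")]

if __name__ == "__main__":
    print("one-sided flows:", unseen_directions(FLOWS, TAPS))  # ['db']
    print("sensor:", smallest_sensor(TAPS))                     # IDS-4235 + 4FE
    # Tapping core-B as well, to see both sides of "db", needs a second gigabit copper
    # interface; none of the listed options has one, so a single sensor no longer fits.
    print("with core-B tapped:", smallest_sensor(TAPS + [Tap("core-B", "ge_tx", 120)]))  # None
```

Feed it the peak Mbps you actually measured on each mirror port, not the link speed, since that is the point the reply makes about gigabit links that carry 5 Mbps. When `smallest_sensor` returns `None` the answer is either a second sensor or a different tap media (fibre SPAN onto the SX models), and when `unseen_directions` is non-empty the placement misses one side of a conversation regardless of which sensor you buy.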
