Cisco IDS (4235) question

Posted on 2003-03-07
Medium Priority
Last Modified: 2013-11-16
Hey guys,

I am considering getting a Cisco IDS sensor appliance for my network, which consists of a DMZ:

Cisco 2620 Router
Cisco 515E PIX Firewall (3fe + VAC) -> LAN
Cisco Catalyst Switch
Linux Box
(x2) DNS servers
Bank of Cobalt servers

However, I have the opportunity to buy a Cisco IDS 4235 sensor, but I am unsure where to put it on the network. Ideally it needs to go on the WAN side of the firewall, with the monitoring interface connected before the firewall and the control interface connected to the director or the LAN.

Should I set it up like this:


(The grey is the proposal and black is the existing network.)

With the router going into the switch, will the IDS still detect intrusions? I only ask as I've never looked into IDS before.

Also, can someone clarify what it means when something is behind and in front of the firewall? Which side is which? :D

Question by: aphix
LVL 79

Accepted Solution

lrmoore earned 100 total points
ID: 8088051
Your placement looks feasible, but you will get lots of 'false positive' alerts putting the sensor "outside" the firewall.
In front of = on public side
behind = local LAN

Ideally, you would have two sensors, one on the DMZ and one on the Inside. The concept is to find out who got in, not who's knocking on the door. Every flaming hacker and script kiddie on the planet will be knocking. All I would be interested in is who got through my defenses.

Also, be aware that you're going to have to dedicate a system to be the control system and receive/control response to alerts.

Author Comment

ID: 8088161

At £9000 each for the sensor, I don't think I will be buying two at the moment :D

So I should put the IDS sensor behind the firewall, in the LAN.

Although I'm not completely sure about this. Could I put agents in the DMZ, just so I know what's going on in there?

LVL 79

Expert Comment

ID: 8088291
I would be tempted to put it into the DMZ, since you really want to monitor access to your publicly accessible servers (money makers) more than your internal LAN.

There are host-based IDS clients that you could install on each server, but now you're talking a whole new ballgame in the management of it all.
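The placement trade-off described in the two expert comments above (a sensor outside the firewall alerts on everything that knocks; a sensor in the DMZ or inside only alerts on what the firewall actually let through) can be made concrete with a small model. The following is an added example, not code from the thread, from Cisco, or from the poster's network: it assumes a constructed PIX-style first-match access list with an implicit deny, a constructed DMZ (192.0.2.0/24) and LAN (10.0.0.0/8), a handful of constructed port- and content-based signatures, and a constructed traffic sample. It then counts the alerts a sensor would raise depending on where its monitoring interface is spanned.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow as a sensor would see it (constructed data)."""
    src: str
    dst: str
    proto: str              # "tcp" or "udp"
    dport: int
    payload: str = ""       # application data, if the sensor can see it


@dataclass(frozen=True)
class AclRule:
    """One line of a PIX-style access list applied inbound on the outside."""
    action: str             # "permit" or "deny"
    proto: str              # "tcp", "udp" or "ip"
    src: str                # CIDR; "0.0.0.0/0" means any
    dst: str
    dport: Optional[int]    # None means any port


# Constructed addressing for the illustration (not the poster's real network).
DMZ_NET = ip_network("192.0.2.0/24")
LAN_NET = ip_network("10.0.0.0/8")

# Constructed outside-interface policy: first match wins, implicit deny at the end.
OUTSIDE_ACL = [
    AclRule("permit", "tcp", "0.0.0.0/0", "192.0.2.10/32", 80),   # public web server
    AclRule("permit", "tcp", "0.0.0.0/0", "192.0.2.10/32", 443),
    AclRule("permit", "udp", "0.0.0.0/0", "192.0.2.53/32", 53),   # the two DNS servers
    AclRule("permit", "udp", "0.0.0.0/0", "192.0.2.54/32", 53),
]

# Constructed signatures: (name, proto, dport or None, payload substring or None).
SIGNATURES = [
    ("NetBIOS session probe", "tcp", 139, None),
    ("SMB probe", "tcp", 445, None),
    ("MS-SQL monitor probe", "udp", 1434, None),
    ("RDP probe", "tcp", 3389, None),
    ("IIS cmd.exe request", "tcp", 80, "cmd.exe"),   # rides over a permitted port
]


def acl_permits(flow: Flow, acl: List[AclRule] = OUTSIDE_ACL) -> bool:
    """Evaluate a flow against a first-match ACL with an implicit deny."""
    for rule in acl:
        if rule.proto != "ip" and rule.proto != flow.proto:
            continue
        if ip_address(flow.src) not in ip_network(rule.src):
            continue
        if ip_address(flow.dst) not in ip_network(rule.dst):
            continue
        if rule.dport is not None and rule.dport != flow.dport:
            continue
        return rule.action == "permit"
    return False


def match_signatures(flow: Flow) -> List[str]:
    """Return the names of every signature the flow triggers."""
    hits = []
    for name, proto, dport, needle in SIGNATURES:
        if proto != flow.proto:
            continue
        if dport is not None and dport != flow.dport:
            continue
        if needle is not None and needle.lower() not in flow.payload.lower():
            continue
        hits.append(name)
    return hits


def visible_to_sensor(flows: List[Flow], placement: str) -> List[Flow]:
    """Model what reaches the monitoring interface for each placement.

    outside: span between the router and the PIX; every packet that arrives.
    dmz:     span on the DMZ switch; only what the PIX forwarded into the DMZ.
    inside:  span on the LAN switch; only what the PIX forwarded to the LAN.
    """
    if placement == "outside":
        return list(flows)
    if placement == "dmz":
        return [f for f in flows if acl_permits(f) and ip_address(f.dst) in DMZ_NET]
    if placement == "inside":
        return [f for f in flows if acl_permits(f) and ip_address(f.dst) in LAN_NET]
    raise ValueError(f"unknown placement: {placement}")


def alerts_by_placement(flows: List[Flow]) -> Dict[str, List[Tuple[Flow, str]]]:
    """Alerts each placement would raise for the same traffic."""
    result: Dict[str, List[Tuple[Flow, str]]] = {}
    for placement in ("outside", "dmz", "inside"):
        result[placement] = [(f, name)
                             for f in visible_to_sensor(flows, placement)
                             for name in match_signatures(f)]
    return result


# Constructed traffic sample: several scans the PIX drops, plus one attack that
# arrives over the permitted HTTP port to the public web server.
SAMPLE_FLOWS = [
    Flow("198.51.100.7", "192.0.2.10", "tcp", 80, "GET /index.html HTTP/1.0"),
    Flow("198.51.100.7", "192.0.2.10", "tcp", 80,
         "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"),
    Flow("203.0.113.9", "192.0.2.10", "tcp", 139),
    Flow("203.0.113.9", "192.0.2.53", "udp", 1434),
    Flow("203.0.113.9", "10.0.0.5", "tcp", 445),
    Flow("203.0.113.9", "192.0.2.10", "tcp", 3389),
    Flow("198.51.100.22", "192.0.2.53", "udp", 53),
]


if __name__ == "__main__":
    for placement, alerts in alerts_by_placement(SAMPLE_FLOWS).items():
        print(f"{placement:8s} {len(alerts)} alert(s)")
        for flow, name in alerts:
            print(f"    {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}  {name}")
```

Run against the constructed sample, the outside placement raises five alerts (four of them for probes the PIX discards), the DMZ placement raises exactly one (the cmd.exe request that the permit for port 80 let through to the web server), and the inside placement raises none because nothing in the policy is permitted to the LAN. That is the point made in the accepted answer: the outside sensor reports who is knocking, the DMZ sensor reports who got in. The model deliberately ignores stateful inspection, NAT and the return direction; on a real PIX those would further change what the DMZ span sees.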
