Cisco IDS (4235) question

Posted on 2003-03-07
Medium Priority
Last Modified: 2013-11-16
Hey guys,

I am considering getting a Cisco IDS sensor appliance for my network, which consists of a DMZ:

Cisco 2620 Router
Cisco 515E PIX Firewall (3fe + VAC) -> LAN
Cisco Catalyst Switch
Linux Box
(x2) DNS servers
Bank of Cobalt server

However, I have the opportunity to buy a Cisco IDS 4235 sensor, but am unsure where to put it on the network. Ideally it needs to go on the WAN side of the firewall, with the monitoring interface connected before the firewall and the control connected to the director or the LAN.

Should I set it up like this:


(The grey is the proposal and black is the existing network.)

With the router going into the switch, will the IDS still detect intrusions? I only ask as I've never looked into IDS before.

Also, can someone clarify what it means when something is behind and in front of the firewall. Which side is which? :D

Question by: aphix
LVL 79

Accepted Solution

lrmoore earned 100 total points
ID: 8088051
Your placement looks feasible, but you will get lots of 'false positive' alerts by putting the sensor "outside" the firewall.
In front of = on the public side
Behind = the local LAN

Ideally, you would have two sensors, one on the DMZ and one on the Inside. The concept is to find out who got in, not who's knocking on the door. Every flaming hacker and script kiddie on the planet will be knocking. All I would be interested in is who got through my defenses.

Also, be aware that you're going to have to dedicate a system to be the control system and receive/control response to alerts.

Author Comment

ID: 8088161

At £9000 each for the sensor, I don't think I will be buying two at the moment :D

So I should put the IDS sensor behind the firewall, in the LAN.

Although I'm not completely sure about this. Could I put agents in the DMZ? Just so I know what's going on in there.

LVL 79

Expert Comment

ID: 8088291
I would be tempted to put it into the DMZ, since you really want to monitor access to your publicly accessible servers (money makers) more than your internal LAN.

There are host-based IDS clients that you could install on each server, but now you're talking a whole new ballgame in the management of it all.
