aphix

Cisco IDS (4235) question

Hey guys,

I am considering getting a Cisco IDS sensor appliance for my network, which consists of a DMZ:

------------------------------------------
Cisco 2620 Router
|
Cisco 515E PIX Firewall (3fe + VAC) -> LAN
|
Cisco Catalyst Switch
Linux Box
(x2) DNS servers
Bank of Cobalt server
------------------------------------------

However, I have the opportunity to buy a Cisco IDS 4235 sensor, but am unsure where to put it on the network. Ideally it needs to go on the WAN side of the firewall, with the monitoring interface connected before the firewall and the control connected to the director or the LAN.

Should I set it up like this:

http://www.nuvio.co.uk/img/setup_dmz.gif

(the grey is the proposal and black is the existing network).

With the router going into the switch, will the IDS still detect intrusions? I only ask as I've never looked into IDS before.

Also, can someone clarify what it means when something is behind and in front of the firewall? Which side is which? :D

Regards
Rob
ASKER CERTIFIED SOLUTION
Les Moore
aphix

ASKER

Hey

At £9000 each for the sensor, I don't think I will be buying two at the moment :D

So I should put the IDS sensor behind the firewall, in the LAN.

Although I'm not completely sure about this. Could I put agents in the DMZ? Just so I know what's going on in there.

Regards
Rob
I would be tempted to put it into the DMZ, since you really want to monitor access to your publicly accessible servers (money makers) more than your internal LAN.

There are host-based IDS clients that you could install on each server, but now you're talking a whole new ballgame in the management of it all.
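Whichever segment the sensor ends up on, a switch only delivers unicast traffic to the port it is addressed to, so the 4235's sniffing interface needs a mirror (SPAN) port to see anything, while its command-and-control interface goes on an ordinary LAN port. The following is an added example, not from this thread, assuming an IOS-based Catalyst where Fa0/1 is the port on the segment being watched (the firewall's DMZ or outside link) and Fa0/24 and Fa0/23 are the sensor's sniffing and control ports (port and VLAN numbers are assumptions).

```cisco
! Added example, not from this thread. Assumed port roles:
!   Fa0/1  - port on the segment to be monitored (e.g. PIX DMZ interface)
!   Fa0/24 - sensor sniffing (monitoring) interface, no IP address
!   Fa0/23 - sensor command-and-control interface

! Mirror both directions of the monitored port to the sensor's sniffing port.
! The SPAN destination port stops forwarding normal traffic, which is fine
! because the sniffing interface only listens.
monitor session 1 source interface FastEthernet0/1 both
monitor session 1 destination interface FastEthernet0/24

! Command-and-control stays off the SPAN port: a plain access port in the
! management/LAN VLAN so the director can reach the sensor (VLAN 10 assumed).
interface FastEthernet0/23
 description IDS-4235 command and control
 switchport mode access
 switchport access vlan 10

! Confirm the session is active before trusting the sensor's silence:
! show monitor session 1
```

If the monitored segment spans several switch ports, the source can be the whole VLAN (`monitor session 1 source vlan <id>`) instead of a single interface.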