[c-nsp] IDS Recommendations - Cisco?

Paul Stewart paul at paulstewart.org
Fri Feb 6 16:45:42 EST 2009


Hi there...

Our server farms hang off a pair of 6509s today.  The SVI interfaces are
redundant with HSRP for each VLAN that feeds the servers.... Sup2/MSFC2
running native IOS.

So, we're looking for IDS/firewall solutions to protect a few of the VLANs
in particular.  We did have a pair of FWSMs in these boxes but had a lot of
grief getting them running only to be faced with hardware failure problems.
They are removed from the picture now.

Several options exist but I'm wondering if a pair of IDSM-2 would serve us
better - each server has its own firewall and we can do some 'basic
limiting' with access-lists to complement the efforts made by the servers
already.

Our approach is two staged - first is to limit the exposure and secondly is
to be as secure as possible on the traffic that is exposed.  Since these
server farms do email, web hosting and other public facing service provider
tasks I believe we'll be better investing in IDSM blades or similar...

Another option was to put a pair of Juniper IDP boxes on those VLANs and
use STP to dump the traffic through them...

Thoughts?  I realize this is kind of a very brief overview - don't want to
bore everyone with our security policies ;)

Thanks,

Paul



