Cisco IDS - Active vs. Passive
We do most of our higher-level network work here through a consulting firm. Recently, the company decided to upgrade one of our ASAs with IDS capabilities. Now that the license has been purchased, the consultants are telling us that we should never put the IDS into active mode, but instead should have someone monitor it regularly and then block any addresses that look like they are attempting something malicious through our firewall. My boss's boss is rather perplexed by this, having spent a great deal of money on this. He made a great analogy... "If I bought a 4-wheel drive truck and spent extra for the 4-wheel drive and then, as I was getting ready to drive away, the dealer told me never to engage the 4-wheel drive, I'd be pretty angry." I was wondering what everyone here thought. Is this accurate information, or should we be looking to someone who is more experienced at configuring IDS to help us get this thing running in 4-wheel drive?
ONT, ISCW, BCMSN - DONE
BSCI - In Progress
http://www.redwarriornet.com/ <--My Cisco Blog