10-24-2003 07:09 AM - edited 03-09-2019 05:16 AM
Hi There,
I am new to IDS and have a couple questions regarding the 4215.
I will be implementing this shortly, and I'm a little bit confused on how to connect the sensor on the network.
I want to position the IDS on the inside of the firewall going to the net. Do I port span the port going to the net into the sniffing port on the IDS, then connect the other interface (command int) right into the same switch to add it to the network for management etc?
Also, what is the best way to view the events? I noticed you can view them via the IDS Device Manager, but, does it ship with software that allows remote event management?
Thanks for your time.
10-24-2003 09:45 AM
Question:
I want to position the IDS on the inside of the firewall going to the net. Do I port span the port going to the net into the sniffing port on the IDS,
Answer:
If the firewall's internal port is connected to a switch on your internal network, then yes. In the switch configuration you will want to span the port connected to the firewall to the sniffing port of the sensor. When you set up the span, be sure to set up the span for both rx and tx traffic. This way the sensor will see both the packets from the internal network going to the internet, as well as the response packets from the internet coming back into the internal network.
Question:
then connect the other interface (command int) right into the same switch to add it to the network for management etc?
Answer:
If your management network is through that same switch then yes. We generally recommend in these situations that a specific vlan (a specific subnet) be reserved for your management network for managing your security and networking devices. So the switch's port for the command and control of the sensor would be assigned to the vlan for the security management network.
Question:
Also, what is the best way to view the events? I noticed you can view them via the IDS Device Manager, but, does it ship with software that allows remote event management?
Answer:
IDM and the CLI are the only viewers shipped with the sensor, BUT there is a free GUI-based alarm viewer (IEV) that can be downloaded separately and installed on a Windows box.
The instructions for using IEV are in the same set of documents for IDM.
There is a link for the IEV downloads near the bottom of the IDS updates page:
http://www.cisco.com/kobayashi/sw-center/ciscosecure/ids/crypto/
In addition you could purchase VMS 2.2 which contains the Security Monitor utility which can also be used for viewing IDS alerts.
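The switch side of the setup described in the answers above, as an added example that is not part of the original replies. It assumes a Catalyst switch running IOS; the interface numbers, VLAN ID and VLAN name are placeholders, and other switch software uses different SPAN syntax.

```cisco
! Constructed example: interface numbers and VLAN 100 are placeholders.
! Fa0/1  = switch port connected to the firewall's inside interface
! Fa0/23 = switch port connected to the sensor's command and control interface
! Fa0/24 = switch port connected to the sensor's sniffing interface
!
! Dedicated VLAN (its own subnet) for managing security devices.
vlan 100
 name SEC-MGMT
!
! Mirror both directions of the firewall-facing port to the sensor.
! "both" is the rx and tx setting from the answer; "rx" or "tx" alone
! would show the sensor only one half of each conversation.
monitor session 1 source interface FastEthernet0/1 both
monitor session 1 destination interface FastEthernet0/24
!
! Command and control port goes in the management VLAN, not the
! monitored segment.
interface FastEthernet0/23
 description IDS command and control
 switchport mode access
 switchport access vlan 100
!
! Check the result from exec mode with: show monitor session 1
```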
10-24-2003 11:11 AM
Thanks so much. This is the exact information I was looking for.
Regards,
Jamie