Cisco Secure IDS Sensor Deployment - Page 2
Entry Points into Your Network
All the points where data enters your network are potential locations at which an attacker can gain access to your network. You need to verify that each entry point is adequately monitored; an unmonitored entry point allows an attacker to penetrate your network undetected by your IDS. Common entry points into most networks include the following:
- Internet connections
- Extranet connections
- Intranet separation points
- Remote access configurations
Internet Entry Points
Your network's Internet connection makes your network visible to the entire Internet. Hackers worldwide can attempt to gain access to your network through this entry point. With most corporate networks, access to the Internet is directed through a single router, known as a perimeter router. By placing a sensor behind this device, you can monitor all traffic (including attacks) destined for your corporate network. If your network contains multiple perimeter routers, you might need multiple sensors, one to watch each Internet entry point into your network.
NOTE: As of January 2001, current estimates project that 100 million hosts are connected to the Internet, with more than 350 million Internet users worldwide. Any of these users can potentially attack your network through your Internet connection.
Extranet Entry Points
Many corporate networks have special connections to business partners' networks. Traffic from these partner networks does not always travel through your network's perimeter device; therefore, it is important to make sure that these entry points are also monitored effectively. By penetrating a business partner's network, an attacker can use the extranet to infiltrate your network, and you usually have little or no control over the security of your business partners' networks. Furthermore, if an attacker penetrates your network and then uses the extranet link to attack one of your business partners, you are faced with a potential liability issue.
Intranet Separation Points
Intranets represent internal divisions within your network. These divisions might be organizational or functional. Sometimes, different departments within your network require different security considerations, depending on the data and resources that they need to access or protect. Usually, these internal divisions are already separated by a firewall, signaling different security levels between the different networks. Other times, the network administrator uses access control lists (ACLs) on the router between network segments to enforce separate security zones. Placing a sensor between these networks (in front of the firewall or router) enables you to monitor the traffic between the separate security zones and verify compliance with your defined security policy.
Sometimes, you also might want to install a sensor between network segments that have complete access to each other. In this situation, you want the sensor to monitor the types of traffic between the different networks, even though you have not established any physical barriers to traffic flow. Even without such barriers, any attacks between the two networks are then quickly detected.
Remote Access Entry Points
Most networks provide a means to access the network through a dial-up phone line. This access allows corporate users to reach network functionality, such as e-mail, when away from the office. Although this enhanced functionality is useful, it also opens up another avenue for an attacker to exploit. You probably need to use a sensor to monitor the network traffic from your remote access server, in case a hacker defeats your remote access authentication mechanism.
Many remote users work from home systems that are continuously connected through high-speed Internet connections, such as cable modems. Because these systems are usually minimally protected, attackers frequently target and compromise them, which might also lead to a compromise of your remote access mechanism. Other times, stolen laptops reveal a wealth of information on how to access your network. Therefore, even if you trust your users and your remote access mechanisms, it is beneficial to monitor your remote access servers with IDS sensors.
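The four kinds of entry point above (Internet, extranet, intranet separation, remote access) share one requirement: a sensor must see the traffic on some segment of each inbound path. The following added example (not from this book or from Cisco) models that as a coverage audit; every zone, link and sensor name is constructed for illustration, and it deliberately includes a second perimeter router without a sensor and a partner link that bypasses the perimeter segment.

```python
from dataclasses import dataclass

KINDS = ("internet", "extranet", "intranet", "remote_access")


@dataclass(frozen=True)
class EntryPoint:
    """One way into the network, with the segments its traffic crosses."""
    name: str        # constructed label, e.g. a perimeter router
    kind: str        # one of KINDS
    path: tuple      # segments traversed, outermost first


@dataclass(frozen=True)
class Sensor:
    """An IDS sensor and the segments whose traffic it can see."""
    name: str
    segments: frozenset


def unmonitored(entry_points, sensors):
    """Entry points with no sensor on any segment of their inbound path."""
    watched = frozenset().union(*(s.segments for s in sensors))
    return [ep for ep in entry_points if not watched.intersection(ep.path)]


def coverage_report(entry_points, sensors):
    """Gaps grouped by entry-point kind, so a whole missing category stands out."""
    gaps = unmonitored(entry_points, sensors)
    return {kind: [ep.name for ep in gaps if ep.kind == kind] for kind in KINDS}


# Constructed topology: two perimeter routers but only one sensor, one partner
# link routed through the perimeter segment and one that bypasses it, a firewall
# between engineering and finance, and a dial-up remote access server.
ENTRY_POINTS = [
    EntryPoint("perimeter-rtr-1", "internet", ("dmz-1", "core")),
    EntryPoint("perimeter-rtr-2", "internet", ("dmz-2", "core")),
    EntryPoint("partner-link-a", "extranet", ("partner-a", "dmz-1", "core")),
    EntryPoint("partner-link-b", "extranet", ("partner-b", "core")),
    EntryPoint("eng-finance-fw", "intranet", ("finance-seg",)),
    EntryPoint("ras-server", "remote_access", ("ras-seg", "core")),
]
SENSORS = [
    Sensor("sensor-a", frozenset({"dmz-1"})),
    Sensor("sensor-b", frozenset({"finance-seg", "ras-seg"})),
]

if __name__ == "__main__":
    for kind, names in coverage_report(ENTRY_POINTS, SENSORS).items():
        print(f"{kind:14} {'OK' if not names else 'GAP: ' + ', '.join(names)}")
```

Running it flags perimeter-rtr-2 and partner-link-b as unmonitored, while partner-link-a is covered because its traffic crosses the sensored perimeter segment.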