Cisco Secure IDS Sensor Deployment - Page 3
Critical Network Components
Determining critical components on your network is vital to a comprehensive analysis of your network topology. A hacker usually views your critical network components as trophies. Compromising a critical component also poses a significant threat to the entire network. Critical components fall into several categories:
- Servers (DNS, HTTP, CA, NFS, and so on)
- Infrastructure (routers, switches, hubs, and so on)
- Security components (firewalls, IDS components, and so on)
NOTE: Blocking, or device management, refers to the process whereby the IDS sensor can dynamically update the access control lists on a router to block current and future traffic coming to the router from an attacking host.
Network servers represent the workhorses in your network. Typical services provided by your servers include name resolution, authentication, e-mail, and corporate Web pages. Monitoring access to these valuable network components is vital to a comprehensive security policy.
Many servers exist on a typical network. Some of those servers are as follows:
- Domain Name System (DNS) servers
- Dynamic Host Configuration Protocol (DHCP) servers
- Hypertext Transfer Protocol (HTTP) servers
- Windows domain controllers
- Certificate Authority (CA) servers
- E-mail servers
- Network File System (NFS) servers
The network infrastructure represents the devices that transfer data or packets between the hosts on the network. Common infrastructure devices include routers, switches, gateways, and hubs. Without these devices, the individual hosts on your network are isolated entities that are incapable of communicating with each other.
Routers transfer traffic between different network segments. When a router stops functioning, traffic flow between connected networks ceases. Your network is probably composed of several internal routers and one or more perimeter routers.
Switches transfer traffic between hosts located on the same network segment. Switches provide minimal security by sending nonbroadcast traffic to only specific ports on the switch. If a switch is disabled, it can cease to send traffic, resulting in a denial of service (DoS). In other situations, a switch can fail in an open state. In this open state, it sends all network packets to every port on the switch, essentially converting the switch into a hub.
NOTE: Hubs also transfer traffic between hosts located on the same network. Unlike switches, however, hubs pass all the traffic to every port on the hub. Not only does this generate performance problems, it also reduces the security of the network by enabling any host on the segment to watch the traffic going to other hosts on the network.
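As an added example that is not part of this book excerpt, the following Python check detects the fail-open condition just described from a monitoring host's point of view: on a healthy switched port a host should see almost no unicast frames addressed to other MACs, so a sustained share of such frames means the segment is being flooded like a hub. The MAC addresses and frame lists are constructed sample data.

```python
# Added example (not from the Cisco text): detect a switched segment that has
# started flooding unicast traffic, the symptom of a switch that failed open.
# A host on a healthy switched port sees only frames addressed to its own MAC,
# broadcast, or multicast. Unicast frames for other hosts ("foreign") should be
# rare; a sustained majority of them means the switch is behaving as a hub.

from collections import Counter

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac: str) -> bool:
    # Group bit: the lowest bit of the first octet set marks multicast/broadcast.
    return int(mac.split(":")[0], 16) & 0x01 == 1


def classify_frame(dst_mac: str, own_mac: str) -> str:
    """Classify a frame by destination MAC relative to the observing host."""
    dst = dst_mac.lower()
    if dst == own_mac.lower():
        return "own"
    if dst == BROADCAST or is_group_address(dst):
        return "group"
    return "foreign"  # unicast for another host; not expected on a switched port


def flooding_ratio(dst_macs, own_mac: str) -> float:
    """Share of unicast frames (own + foreign) that are addressed to other hosts."""
    counts = Counter(classify_frame(dst, own_mac) for dst in dst_macs)
    unicast = counts["own"] + counts["foreign"]
    return counts["foreign"] / unicast if unicast else 0.0


def switch_failed_open(dst_macs, own_mac: str, threshold=0.5, min_unicast=20) -> bool:
    """True when enough unicast frames were seen and most belong to other hosts."""
    counts = Counter(classify_frame(dst, own_mac) for dst in dst_macs)
    unicast = counts["own"] + counts["foreign"]
    if unicast < min_unicast:
        return False  # too few frames to judge; avoid alerting on a quiet port
    return counts["foreign"] / unicast >= threshold


# Constructed sample: destination MACs as the monitoring host (MY_MAC) would see them.
MY_MAC = "00:11:22:33:44:55"
HEALTHY = [MY_MAC] * 30 + [BROADCAST] * 5 + ["01:00:5e:00:00:fb"] * 3
FLOODED = [MY_MAC] * 10 + ["00:aa:bb:cc:dd:01"] * 25 + ["00:aa:bb:cc:dd:02"] * 15 + [BROADCAST] * 5

if __name__ == "__main__":
    for name, sample in (("healthy", HEALTHY), ("flooded", FLOODED)):
        print(name, round(flooding_ratio(sample, MY_MAC), 2), switch_failed_open(sample, MY_MAC))
```

A small share of foreign unicast is normal (a switch floods frames for a destination it has not learned yet), which is why the check uses a ratio over a window of frames and a minimum sample size rather than alerting on a single frame.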