Cisco Secure IDS Sensor Deployment - Page 4
Security components enhance the security of the network by limiting traffic flow and watching for attacks against the network. Common security devices include firewalls, IDS sensors, IDS management devices, and routers with access control lists.
Firewalls establish a security barrier between multiple networks. Normally, a firewall is installed to protect an internal network from unauthorized access. This makes them a prime target for attack.
Similarly, the IDS components continually monitor the network looking for signs of an attack. Hackers continually hunt for new methods to confuse and disrupt the operation of common intrusion detection systems. By disabling the intrusion detection system, an attacker can penetrate the network unseen (without raising the alarms that indicate an attack is in progress).
Many networks are composed of a central corporate network and multiple remote offices that communicate with the corporate network through WANs. Security at these remote facilities needs to be considered in your network analysis. Depending on the security posture of the remote sites, you might want to place a sensor to monitor the traffic traveling across the WAN links. Sometimes, remote facilities have independent connections to the Internet. All Internet connections definitely need to be monitored.
Size and Complexity of Your Network
The more complex your network is, the more likely it is that you need to deploy multiple sensors at various locations throughout your network. A large network also usually dictates the use of multiple sensors because each sensor is limited by a maximum amount of traffic that it can monitor. If your Internet network connection is a multi-gigabit pipe, a single sensor cannot currently handle all the traffic that your fully loaded Internet connection can deliver to your network.
Considering Security Policy Restrictions
Sometimes, sensors are placed in your network to verify compliance with your defined security policy. An excellent example of this is placing a sensor on the inside and the outside of a firewall.
The sensors labeled Sensor 1 and Sensor 5 in Figure 5-1 illustrate this setup. Sensor 1 monitors all traffic that is headed to the protected network. It detects all the attacks sent toward the protected network, even though most of the attacks can be prevented by the firewall. Sensor 5, however, monitors all the internal traffic. This represents traffic that manages to make it through the firewall from the outside, as well as traffic generated by internal hosts. Both sensors can detect security policy violations. Sensor 5 monitors traffic that makes it into the protected network, whereas Sensor 1 monitors the traffic that leaves the protected network.
Our next segment from Cisco Press' Cisco Secure Intrusion Detection System will deal with executing the deployment.