Cisco Secure IDS Sensor Deployment
We are pleased to present Chapter 5 (in 4 parts) of Cisco Press' Cisco Secure Intrusion Detection System, which deals with IDS sensor deployment. Even if you do not use Cisco's intrusion detection technology, the material here will help you make sure you have covered all the bases in securing your network. This first segment covers what you need to know to prepare for deployment, including the entry points into your network, critical network components, and security components.
Being a network-based intrusion detection system (IDS), Cisco Secure IDS relies on one or more sensors to monitor network traffic at selected locations throughout your network. These sensors represent the eyes of Cisco Secure IDS. Therefore, deployment of the sensors is crucial to a successful Cisco Secure IDS installation.
NOTE: An individual sensor contains two separate network interfaces. The sensor uses one of these interfaces to passively sniff all network packets by placing the interface in promiscuous mode. When an interface sniffs, it captures every packet that travels on the wire, not just the packets addressed to the system that does the sniffing. The sensor uses the other network interface for command and control traffic. To detect attacks, the sensor maintains a database of attack signatures. As packets traverse the network, the sensor examines each packet and attempts to match it against one of the signatures in its database. Whenever the network traffic matches a signature, the sensor generates an alarm on its command and control interface.
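The passive signature-matching model the note describes, reduced to a toy sensor (an added example, not Cisco code): constructed packet records stand in for frames captured on the promiscuous monitoring interface, the signature database holds one stateless and one stateful signature with made-up IDs, and alarms are returned on a separate channel rather than written back to the monitored segment.

```python
# Toy passive signature-matching sensor in the style described above (added example,
# not Cisco code). Constructed packet records stand in for frames sniffed on the
# promiscuous monitoring interface; alarms go to a separate channel (a list here).
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes

@dataclass
class Signature:
    sig_id: int  # constructed identifier, not a real Cisco signature ID
    name: str
    match: Callable[[Packet, Dict], bool]  # stateless or stateful check

def icmp_sweep(pkt: Packet, state: Dict, threshold: int = 3) -> bool:
    """Stateful: fire once when one source has pinged more than `threshold` hosts."""
    if pkt.proto != "icmp":
        return False
    seen = state.setdefault(("icmp", pkt.src), set())
    seen.add(pkt.dst)
    return len(seen) == threshold + 1
SIGNATURES = [
    Signature(1001, "HTTP directory traversal string",
              lambda p, s: p.proto == "tcp" and p.dport == 80 and b"../" in p.payload),
    Signature(1002, "ICMP host sweep", icmp_sweep),
]

def run_sensor(sniffed: List[Packet], signatures=SIGNATURES) -> List[dict]:
    """Examine every sniffed packet against every signature; return the alarms raised."""
    state: Dict = {}  # per-signature state shared across packets
    alarms = []
    for pkt in sniffed:
        for sig in signatures:
            if sig.match(pkt, state):
                alarms.append({"sig_id": sig.sig_id, "name": sig.name,
                               "src": pkt.src, "dst": pkt.dst})
    return alarms

# Constructed sample traffic: one host sweeping five addresses, then two HTTP requests.
SAMPLE = [Packet("10.0.0.5", f"10.0.1.{i}", "icmp", 0, b"") for i in range(1, 6)] + [
    Packet("10.0.0.9", "10.0.1.20", "tcp", 80, b"GET /../../config HTTP/1.0"),
    Packet("10.0.0.9", "10.0.1.20", "tcp", 80, b"GET /index.html HTTP/1.0"),
]
```

Running `run_sensor(SAMPLE)` raises exactly two alarms: the sweep signature fires once when the fourth distinct host is probed, and the traversal signature fires on the first HTTP request only.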
In this chapter, you learn the following:
- To effectively deploy sensors in your network, you must analyze your network topology completely.
- After determining potential sensor installation points within your network, you need to decide how you want to configure those sensors. You can deploy each sensor in one of several different installation configurations, depending on the specific level of protection and capabilities needed.
Preparing for Deployment: Analyzing Your Network Topology
Attackers can launch exploits against any available resources on your network. Analyzing your network topology is crucial to defining all of your resources. Furthermore, deciding what information and resources you want to protect is the first step to creating a sensor deployment plan. Unless you understand your network topology thoroughly, you cannot comprehensively identify all the network resources that need protection. When examining your network topology, you must consider many factors:
- Entry points into your network
- Critical network components
- Remote networks
- Size and complexity of your network
- Security policy restrictions