IDP IPS Design

Unanswered Question
Apr 9th, 2007

Where is the best place to put an IDS/IPS device? For example, outside/inside of the firewall?

Does Cisco have any recommendation?

Does anybody have a good design to share?


Overall Rating: 4 (2 ratings)
norriscr1 Tue, 04/10/2007 - 06:53

There's probably not a "1 size fits all" answer here. If you have unlimited $$$ then you could sprinkle sensors all over your network but I'm guessing that's not the case.

As such you're going to need to take a few steps that will help you design your IDS/P deployment.

First you'll need to map out your network and then decide what assets are the most critical. One place where most people will deploy some IDS/P is in a DMZ. This is an obvious choice as the assets there are accessed by untrusted sources.

Another good spot is behind the firewall. Assuming that the sensor can handle the bandwidth this will let you see traffic coming in from the DMZ(s) and going out from the trusted networks. You'll be able to see things like traffic from PCs infected with Zombies and the like on this sensor.

Next, if you have your "critical" assets (say like DB servers and the like) segmented off on their own internal network, then putting a sensor where it can see traffic going to/from them makes good sense too. This will again give you a good look into what, if any, attacks are being directed at them. If it's a server in the DMZ you'll already pick that up on the DMZ sensor, but the one near your critical assets will also show any infected PCs or hosts on the inside trying to hit them.

I don't normally put a sensor on the "outside" as there's not much value in that. There's way too much data there to handle and if 90% of the traffic is being dropped by your firewall rules why bother worrying about that anyway? Putting sensors in the firewall like the AIP-SSMs or putting external sensors where they can see the other firewall interfaces will show you the same traffic minus all the junk that gets dropped by not matching a rule.

Hope this helps. I know it's very general but you really need a detailed map of your network topology and traffic flows to make the best choices where sensors should be.

tunemore1 Tue, 04/10/2007 - 11:51

My post was too general and you answered very well. I should have asked a bit more clearly.

I am interested in the Cisco 4200 in particular. Even though I have pretty good experience in ASA/PIX, I have never used Cisco IPS/IDS devices before.

We are thinking about putting the 4200 between the ASA and the inside network. But I am a bit worried about inlining. What happens if the IPS shuts down "good" traffic? Can we pass through the packets without inspecting?

I'd like to know whether Cisco has any design recommendation. As you all know, searching on the Cisco site is like finding a needle in a haystack.


norriscr1 Tue, 04/10/2007 - 12:01

Don't worry too much about shutting down "good" traffic. When you start you can set all signatures to "Produce Alert" only. That will give you some time to see what might get blocked if you enable packet dropping/blocking.

Make sure you have given the sensor time to see all possible traffic. If you have certain applications or processes that only run occasionally, like end of month, make sure you include them in your testing.

You should also read up on failure options, which differ for each model.
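
One way to review an alert-only trial period like the one described in the reply above, as an added example that is not part of the thread and not Cisco tooling. The alert records, signature IDs, addresses and the known-good flow list are constructed; a real review would load them from the sensor's exported alerts.

```python
import calendar
from collections import defaultdict
from datetime import date, timedelta

# Constructed alert-only events: (date, signature id, src, dst, dst port).
# Signature ids and addresses are made up for illustration.
ALERTS = [
    (date(2007, 4, 11), 5001, "10.1.20.14", "10.1.50.10", 1433),
    (date(2007, 4, 12), 5001, "10.1.20.14", "10.1.50.10", 1433),
    (date(2007, 4, 12), 5002, "10.1.30.77", "10.1.50.10", 445),
    (date(2007, 4, 30), 5003, "10.1.40.5", "10.1.50.10", 1433),
]

# Flows confirmed as legitimate (assumed input): (src, dst, port).
KNOWN_GOOD = {
    ("10.1.20.14", "10.1.50.10", 1433),  # application server to DB
    ("10.1.40.5", "10.1.50.10", 1433),   # month-end reporting job
}

def would_block_good(alerts, known_good):
    """Map signature id -> known-good flows it fired on during the trial."""
    hits = defaultdict(set)
    for _day, sig, src, dst, port in alerts:
        if (src, dst, port) in known_good:
            hits[sig].add((src, dst, port))
    return dict(hits)

def drop_candidates(alerts, known_good):
    """Signatures that never fired on a known-good flow."""
    risky = would_block_good(alerts, known_good)
    return sorted({sig for _d, sig, *_ in alerts} - set(risky))

def covers_month_end(start, end):
    """True if the observation window includes the last day of a month."""
    day = start
    while day <= end:
        if day.day == calendar.monthrange(day.year, day.month)[1]:
            return True
        day += timedelta(days=1)
    return False

if __name__ == "__main__":
    print("keep alert-only:", would_block_good(ALERTS, KNOWN_GOOD))
    print("candidates for drop:", drop_candidates(ALERTS, KNOWN_GOOD))
    print("window covers month end:",
          covers_month_end(date(2007, 4, 11), date(2007, 4, 30)))
```

Signature 5003 only shows up because the window reaches April 30; a trial that stopped earlier would have listed nothing against the month-end job.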

