rhermes Tue, 08/26/2008 - 11:13

One of the most important considerations to sensor placement is to place it inside the firewall. This will keep you from looking at events that would have been blocked by your firewall policy and allow you to spend your time looking at real traffic entering your network.

If you use a VPN, placing the sensor on the unencrypted side is good too.

Farrukh Haroon Tue, 08/26/2008 - 12:10

Another important point is to compare the throughput offered by the throughput with the one to be monitored. Otherwise it could be a real bottleneck for our network. This would also influence your deployment mode (Inline, Promiscuous, etc.).


Regards


Farrukh

Farrukh Haroon Wed, 08/27/2008 - 06:24

Can you let us know which 'issue' you need the link about?


Regards


Farrukh

rayroyalmontana Wed, 08/27/2008 - 06:33

I was looking for an article about where to place an IDS on a network.

Farrukh Haroon Wed, 08/27/2008 - 08:25

I'm not aware of any such document on the Cisco website at least. I'll try to write a short description here.


Some places to use Promiscuous mode:


> When you fear that the sensor will be a bottleneck because of its limited throughput (if placed Inline) in each traffic flow.

> You want to protect a server farm subnet, but not all subnets in it. This is sort of related to the first point.

> You are concerned that the sensor deployment is not mature and it might block valid connections (False Negative).


Some places to use Inline mode:


> When you want the IPS to play a more 'active' role in the network and Deny packets as they pass through it. With promiscuous mode it is possible that the attack goes through before the sensor actually goes ahead and 'logs' into the blocking device and blocks it.

> When you have devices that are not supported for blocking, like non-Cisco routers etc., you would go for Inline.

> You want the sensor to have a 'better view' of the network


Some places to use Inline VLAN pair mode:


Same as Inline, but you don't have enough physical interfaces to cover all physical segments. Also IDSM-2 is usually deployed in this fashion.


Please rate if helpful.


Regards


Farrukh
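The difference between Inline and Promiscuous mode that the post above describes (an inline sensor denies the offending packet in the data path, a promiscuous sensor only sees a copy and must then ask a separate blocking device to shun the flow) can be shown with a small timing model. The following is an added example written for this thread, not code from Cisco or from any poster; the packet timeline and the 2000 ms "log into the blocking device" delay are constructed values for illustration, and the single-packet signature match is a simplifying assumption.

```python
"""Toy timing model: how many attack packets reach the protected host when the
sensor is Inline versus Promiscuous (copy-based, blocking via another device)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Packet:
    t_ms: float       # arrival time at the sensor, in milliseconds
    flow: str         # stand-in for the 5-tuple, e.g. "10.0.0.5->srv:80"
    malicious: bool   # constructed ground truth used only by the simulation


# Constructed sample traffic: one benign flow and one attack flow whose first
# packet fires the signature at t=10 ms, followed by a burst and a late packet.
SAMPLE_PACKETS: List[Packet] = [
    Packet(0, "10.0.0.5->srv:80", False),     # attacker's TCP handshake, benign
    Packet(5, "10.0.0.9->srv:80", False),     # unrelated legitimate client
    Packet(10, "10.0.0.5->srv:80", True),     # signature fires on this packet
    Packet(12, "10.0.0.5->srv:80", True),
    Packet(14, "10.0.0.5->srv:80", True),
    Packet(15, "10.0.0.9->srv:80", False),
    Packet(16, "10.0.0.5->srv:80", True),
    Packet(18, "10.0.0.5->srv:80", True),
    Packet(20, "10.0.0.5->srv:80", True),
    Packet(2500, "10.0.0.5->srv:80", True),   # arrives after a 2 s shun lands
]


def simulate_inline(packets: List[Packet]) -> List[Packet]:
    """Inline sensor: the packet that matches the signature is dropped, and every
    later packet of that flow is denied in the data path. Returns the malicious
    packets that still reached the protected host (none under this model)."""
    denied_flows = set()
    leaked: List[Packet] = []
    for p in sorted(packets, key=lambda pkt: pkt.t_ms):
        if p.flow in denied_flows:
            continue                      # flow already denied, packet dropped
        if p.malicious:
            denied_flows.add(p.flow)      # signature fires; this packet is dropped too
            continue
        # benign packets are forwarded unchanged
    return leaked


def simulate_promiscuous(packets: List[Packet], block_latency_ms: float) -> List[Packet]:
    """Promiscuous sensor: it only sees a copy, so the matching packet is already
    past it. The sensor then needs block_latency_ms to log into the blocking
    device and install a shun; packets arriving before that moment get through."""
    shun_effective_at: Dict[str, float] = {}   # flow -> time the shun is active
    leaked: List[Packet] = []
    for p in sorted(packets, key=lambda pkt: pkt.t_ms):
        effective = shun_effective_at.get(p.flow)
        if effective is not None and p.t_ms >= effective:
            continue                      # blocking device now drops the flow
        if p.malicious:
            if effective is None:         # first detection starts the shun request
                shun_effective_at[p.flow] = p.t_ms + block_latency_ms
            leaked.append(p)              # nothing in the data path stops this one
    return leaked


def compare_modes(packets: List[Packet], block_latency_ms: float) -> Dict[str, int]:
    """Count malicious packets that reached the host under each deployment mode."""
    return {
        "inline": len(simulate_inline(packets)),
        "promiscuous": len(simulate_promiscuous(packets, block_latency_ms)),
    }


if __name__ == "__main__":
    for latency in (2000, 0):
        print(f"block latency {latency} ms:", compare_modes(SAMPLE_PACKETS, latency))
```

Running it with the constructed timeline shows the point of the post: Inline leaks nothing, while Promiscuous with a 2 s shun latency lets the whole initial burst through and only stops the late packet. Even with the latency set to 0 the triggering packet itself still reaches the host in Promiscuous mode, since the sensor saw only a copy of it; that is also why a sensor whose blocking is not yet trusted is usually started in Promiscuous mode, where a bad match costs a shun rather than a dropped connection.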
