Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1070
Views
13
Helpful
7
Replies

IDS Location

rayroyalmontana
Level 1
Level 1

‎08-26-2008 10:37 AM - edited ‎03-10-2019 04:16 AM

What factors should be considered when deciding where to place an IDS on a network?

Labels:
0 Helpful
7 Replies 7

rhermes
Level 7
Level 7

‎08-26-2008 11:13 AM

One of the most important considerations to sensor placement is to place it inside the firewall. This will keep you from looking at events that would have been blocked by your firewall poilcy and allow you to spend your time looking at reall traffic entering your network.

If you use a VPN, placing the sensor on the unencrypted side is good too.

Farrukh Haroon
VIP Alumni
VIP Alumni

‎08-26-2008 12:10 PM

Another important point is to compare the throughput offered by the throughput with the one to be monitored. Otherwise it could be a real bottleneck for our network. This would also influence your deployment mode (Inline,Promiscuous etc.)

Regards

Farrukh

0 Helpful

rayroyalmontana
Level 1
Level 1
In response to Farrukh Haroon

‎08-27-2008 03:21 AM

Can you provide a link to an article about this issue?

0 Helpful

Farrukh Haroon
VIP Alumni
VIP Alumni
In response to rayroyalmontana

‎08-27-2008 06:24 AM

Can you be let us know about which 'issue' do you need the link?

Regards

Farrukh

0 Helpful

rayroyalmontana
Level 1
Level 1
In response to Farrukh Haroon

‎08-27-2008 06:33 AM

I was looking for an article about where to place an IDS on a network.

0 Helpful

Farrukh Haroon
VIP Alumni
VIP Alumni
In response to rayroyalmontana

‎08-27-2008 08:25 AM

I'm not aware of any such document on the Cisco website at least. Ill try to write a short description here.

Some places to use Promiscuous mode:

> When you fear that the sensor will be a bottleneck because of its limited throughput (if placed Inline) in each traffic flow.

> You want to protect a server farm subnet, but not all subnets in it. This is sort of related to the first point.

> You are concerned that the sensor deployment is not mature and it might block valid connections (False Negative).

Some places to use Inline mode:

> When you want the IPS to play a more 'active' role in the network and Deny packets as they pass through it. With promiscuous mode it is possible that the attack goes through before the sensor actually goes ahead and 'logs' into the blocking device and block its.

> When you have devices that are not supported for blocking, like non cisco routers etc. you would go for inline

> You want the sensor to have a 'better view' of the network

Some places to use Inline VLAN pair mode:

Same as inine, but you don't have enough physical interfaces to cover all physical segments. Also IDSM-2 is usually deployed in this fashion.

Please rate if helpful.

Regards

Farrukh

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card