08-26-2008 10:37 AM - edited 03-10-2019 04:16 AM
What factors should be considered when deciding where to place an IDS on a network?
08-26-2008 11:13 AM
One of the most important considerations in sensor placement is to place it inside the firewall. This will keep you from looking at events that would have been blocked by your firewall policy and allow you to spend your time looking at real traffic entering your network.
If you use a VPN, placing the sensor on the unencrypted side is good too.
08-26-2008 12:10 PM
Another important point is to compare the throughput offered by the sensor with the one to be monitored. Otherwise it could be a real bottleneck for our network. This would also influence your deployment mode (Inline, Promiscuous, etc.).
Regards
Farrukh
08-27-2008 03:21 AM
Can you provide a link to an article about this issue?
08-27-2008 06:24 AM
Can you let us know which 'issue' you need the link for?
Regards
Farrukh
08-27-2008 06:33 AM
I was looking for an article about where to place an IDS on a network.
08-27-2008 08:25 AM
I'm not aware of any such document on the Cisco website at least. I'll try to write a short description here.
Some places to use Promiscuous mode:
> When you fear that the sensor will be a bottleneck because of its limited throughput (if placed Inline) in each traffic flow.
> You want to protect a server farm subnet, but not all subnets in it. This is sort of related to the first point.
> You are concerned that the sensor deployment is not mature and it might block valid connections (False Negative).
Some places to use Inline mode:
> When you want the IPS to play a more 'active' role in the network and Deny packets as they pass through it. With promiscuous mode it is possible that the attack goes through before the sensor actually goes ahead and 'logs' into the blocking device and blocks it.
> When you have devices that are not supported for blocking, like non-Cisco routers, etc., you would go for inline.
> You want the sensor to have a 'better view' of the network
Some places to use Inline VLAN pair mode:
Same as inline, but you don't have enough physical interfaces to cover all physical segments. Also, IDSM-2 is usually deployed in this fashion.
Please rate if helpful.
Regards
Farrukh
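The following is an added example, not code from the original thread or from Cisco; it is a toy packet-level model of two points made in the replies above: placing the sensor inside the firewall (first reply) so it only alerts on traffic the firewall actually lets through, and the difference between inline denial and promiscuous-mode blocking (the list of modes above), where the attack's first packets can reach the host before the blocking device is told to shun the source. The addresses, the firewall policy, the "EVIL" signature marker and the block_latency parameter are all constructed assumptions.

```python
# Added example (not from the original thread): a toy packet-level model of
# sensor placement inside the firewall and of promiscuous vs. inline blocking.
# Everything here is constructed: the addresses, the firewall policy, the
# "EVIL" signature marker and the block latency are assumptions for the demo.
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: str


# Constructed firewall policy: only HTTP/HTTPS to one web server is permitted.
ALLOWED = {("10.0.0.10", 80), ("10.0.0.10", 443)}


def firewall_permits(pkt: Packet) -> bool:
    return (pkt.dst, pkt.dport) in ALLOWED


def matches_signature(pkt: Packet) -> bool:
    # Hypothetical signature: any payload carrying the marker "EVIL".
    return "EVIL" in pkt.payload


# Constructed traffic sample: two legitimate clients, one attacker hitting the
# permitted web port, one attacker hitting telnet (which the firewall drops).
SAMPLE_TRAFFIC: List[Packet] = [
    Packet("192.0.2.1", "10.0.0.10", 80, "GET /index.html"),
    Packet("203.0.113.5", "10.0.0.10", 80, "GET /?q=EVIL-1"),
    Packet("198.51.100.7", "10.0.0.10", 23, "EVIL-telnet-1"),
    Packet("203.0.113.5", "10.0.0.10", 80, "GET /?q=EVIL-2"),
    Packet("192.0.2.2", "10.0.0.10", 443, "TLS ClientHello"),
    Packet("203.0.113.5", "10.0.0.10", 80, "GET /?q=EVIL-3"),
    Packet("198.51.100.7", "10.0.0.10", 23, "EVIL-telnet-2"),
    Packet("203.0.113.5", "10.0.0.10", 80, "GET /?q=EVIL-4"),
    Packet("198.51.100.7", "10.0.0.10", 23, "EVIL-telnet-3"),
    Packet("192.0.2.1", "10.0.0.10", 80, "GET /about.html"),
]


def inside_firewall(packets: List[Packet]) -> List[Packet]:
    """Traffic as seen by a sensor placed behind (inside) the firewall."""
    return [p for p in packets if firewall_permits(p)]


def count_alerts(packets: List[Packet]) -> int:
    """Alerts a sensor raises on whatever traffic it is fed (outside or inside)."""
    return sum(1 for p in packets if matches_signature(p))


def run_inline(packets: List[Packet]) -> Dict[str, int]:
    """Inline (IPS) mode: the sensor sits in the forwarding path and denies a
    packet the moment it matches, so no matching packet reaches the host."""
    delivered = [p for p in packets if not matches_signature(p)]
    return {"delivered": len(delivered), "leaked_attack": 0}


def run_promiscuous(packets: List[Packet], block_latency: int) -> Dict[str, int]:
    """Promiscuous (IDS) mode: the sensor inspects a copy of each packet and, on
    a match, asks a separate blocking device (router/firewall) to shun the
    source. block_latency is a modelling assumption: how many further packets
    get through while the sensor logs into that device and the shun applies."""
    block_effective_at: Dict[str, int] = {}  # src -> packet index shun applies from
    delivered: List[Packet] = []
    for i, pkt in enumerate(packets):
        if pkt.src in block_effective_at and i >= block_effective_at[pkt.src]:
            continue  # shunned by the blocking device
        delivered.append(pkt)  # the original already passed; only a copy is inspected
        if matches_signature(pkt) and pkt.src not in block_effective_at:
            block_effective_at[pkt.src] = i + 1 + block_latency
    leaked = sum(1 for p in delivered if matches_signature(p))
    return {"delivered": len(delivered), "leaked_attack": leaked}


if __name__ == "__main__":
    seen = inside_firewall(SAMPLE_TRAFFIC)
    print("alerts outside firewall:", count_alerts(SAMPLE_TRAFFIC))
    print("alerts inside firewall: ", count_alerts(seen))
    print("inline:      ", run_inline(seen))
    print("promiscuous: ", run_promiscuous(seen, block_latency=1))
```

On the constructed sample the sensor outside the firewall raises seven alerts, three of them for telnet probes the firewall would have dropped anyway, while the sensor inside raises four. Inline mode forwards only the three legitimate packets; promiscuous mode with a one-packet block latency lets the first two attack packets reach the server before the shun takes effect, which is the race the reply above describes.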