One of the most important considerations to sensor placement is to place it inside the firewall. This will keep you from looking at events that would have been blocked by your firewall poilcy and allow you to spend your time looking at reall traffic entering your network.
If you use a VPN, placing the sensor on the unencrypted side is good too.
Another important point is to compare the throughput offered by the throughput with the one to be monitored. Otherwise it could be a real bottleneck for our network. This would also influence your deployment mode (Inline,Promiscuous etc.)
I'm not aware of any such document on the Cisco website at least. Ill try to write a short description here.
Some places to use Promiscuous mode:
> When you fear that the sensor will be a bottleneck because of its limited throughput (if placed Inline) in each traffic flow.
> You want to protect a server farm subnet, but not all subnets in it. This is sort of related to the first point.
> You are concerned that the sensor deployment is not mature and it might block valid connections (False Negative).
Some places to use Inline mode:
> When you want the IPS to play a more 'active' role in the network and Deny packets as they pass through it. With promiscuous mode it is possible that the attack goes through before the sensor actually goes ahead and 'logs' into the blocking device and block its.
> When you have devices that are not supported for blocking, like non cisco routers etc. you would go for inline
> You want the sensor to have a 'better view' of the network
Some places to use Inline VLAN pair mode:
Same as inine, but you don't have enough physical interfaces to cover all physical segments. Also IDSM-2 is usually deployed in this fashion.
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log-in using the user-name and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...