Placing Sensors Based on Network and Services Function
With technological changes and new threats, the placement of intrusion
detection systems has evolved over time. Initially, IDSs were typically deployed
only at the Internet ingress/egress point, outside the company firewall. Once it
was understood that much, perhaps most, malicious activity originates inside an
organization, this approach proved inadequate: a sensor at the edge never sees
traffic between internal hosts. Now, with cost-effective and more advanced
management techniques and software, a larger number of IDSs can typically be
supported.
Note: When placing an IDS, don't forget to consider how to connect
to the devices for management purposes once they are placed in the network.
Security architects should design and build efficient and reliable networks over
which to manage the security infrastructure.
With the Cisco IDSM sensor modules and 4250 XL sensors, it is
often possible to place an IDS in core network environments. In many ways this
makes good sense: in many network architectures a large share of the traffic
traverses the core, and it is simply not feasible to position an IDS in every
distribution and/or access device. If the IDS deployed in an organization can
handle the core network speeds, it is generally recommended to place equipment
there. Bear in mind that traffic switched locally within a single access or
distribution block never reaches the core and will not be seen by a core sensor.
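The placement trade-off described above can be made concrete by scoring candidate segments by the traffic flows a sensor there would observe, subject to the sensor's throughput limit. The following is an added example and not code or a method from the original text or from Cisco: it uses a greedy set-cover heuristic over a constructed topology (segment names, flows, bandwidths and the "external"/"internal" labels are all invented for illustration). It also goes slightly beyond the text by showing what happens when the sensor cannot keep up with the core rate and the heuristic has to fall back to distribution and edge segments such as the DMZ, RAS and WAP links.

```python
"""
Greedy IDS sensor placement ranked by flow coverage.

Added example, not from the original text: scores candidate network
segments by how many traffic flows a sensor there would see, subject to
the sensor's throughput limit, and compares ingress-only placement with
core placement. Topology, flows and bandwidths below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    path: Tuple[str, ...]   # segments traversed, in order
    mbps: float             # average load the flow places on each segment
    kind: str               # "external" crosses the Internet edge, "internal" does not


# Constructed sample: two user blocks, a server block, a DMZ, a remote-access
# (RAS) segment and a wireless (WAP) segment, all hanging off one core.
FLOWS: Tuple[Flow, ...] = (
    Flow("internet", "dmz-web", ("inet-edge", "fw-outside", "dmz"), 40.0, "external"),
    Flow("internet", "ras-gateway", ("inet-edge", "fw-outside", "ras"), 5.0, "external"),
    Flow("ras-clients", "servers", ("ras", "core", "dist-srv"), 8.0, "internal"),
    Flow("users-a", "servers", ("access-a", "dist-a", "core", "dist-srv"), 300.0, "internal"),
    Flow("users-b", "servers", ("access-b", "dist-b", "core", "dist-srv"), 250.0, "internal"),
    Flow("users-a", "users-b", ("access-a", "dist-a", "core", "dist-b", "access-b"), 60.0, "internal"),
    Flow("wlan", "servers", ("wap", "dist-a", "core", "dist-srv"), 30.0, "internal"),
    Flow("users-a", "internet",
         ("access-a", "dist-a", "core", "fw-inside", "fw-outside", "inet-edge"), 90.0, "external"),
)


def segment_load(flows: Tuple[Flow, ...]) -> Dict[str, float]:
    """Total Mbps each segment carries: the rate a sensor there must keep up with."""
    load: Dict[str, float] = {}
    for f in flows:
        for seg in f.path:
            load[seg] = load.get(seg, 0.0) + f.mbps
    return load


def coverage_of(segments, flows: Tuple[Flow, ...]) -> Set[int]:
    """Indexes of flows that at least one sensor on `segments` would observe."""
    return {i for i, f in enumerate(flows) if any(s in f.path for s in segments)}


def greedy_place(flows: Tuple[Flow, ...], sensors: int,
                 max_mbps: float) -> Tuple[List[str], Set[int]]:
    """Pick up to `sensors` segments, each carrying <= max_mbps, choosing at
    every step the segment that adds the most not-yet-covered flows."""
    load = segment_load(flows)
    candidates = sorted(s for s, mbps in load.items() if mbps <= max_mbps)
    chosen: List[str] = []
    covered: Set[int] = set()
    for _ in range(sensors):
        best = None
        for seg in candidates:
            if seg in chosen:
                continue
            gain = coverage_of((seg,), flows) - covered
            # most new flows first, then the lighter segment, then name (deterministic)
            key = (-len(gain), load[seg], seg)
            if best is None or key < best[0]:
                best = (key, seg, gain)
        if best is None or not best[2]:
            break  # no remaining segment adds coverage
        chosen.append(best[1])
        covered |= best[2]
    return chosen, covered


def report(label: str, segments, flows: Tuple[Flow, ...]) -> None:
    covered = coverage_of(segments, flows)
    internal = sum(1 for i in covered if flows[i].kind == "internal")
    print(f"{label:<26} sensors={segments} covers {len(covered)}/{len(flows)} "
          f"flows ({internal} internal)")


if __name__ == "__main__":
    load = segment_load(FLOWS)
    print("segment load (Mbps):", {s: load[s] for s in sorted(load)})
    report("ingress/egress only", ["inet-edge"], FLOWS)
    fast, _ = greedy_place(FLOWS, 2, 1000.0)  # sensor keeps up with the core
    report("2 sensors, 1 Gbps each", fast, FLOWS)
    slow, _ = greedy_place(FLOWS, 2, 500.0)   # sensor cannot handle the core rate
    report("2 sensors, 500 Mbps each", slow, FLOWS)
```

With these constructed flows the edge-only sensor sees just the three external flows and none of the internal ones, a sensor rated for the core's 738 Mbps covers every flow with only two devices (core plus the firewall outside segment), and a 500 Mbps sensor that cannot be placed at the core has to be spread across distribution and RAS segments and still leaves two flows unmonitored. The heuristic deliberately ignores anything but coverage and rate; in practice the critical-asset ranking from the earlier steps, management reachability and span/tap port availability weigh in as well.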
IDSs should also be positioned near the areas identified as
critical in the previous steps. This may mean that IDSs are deployed on DMZs,
above or below firewalls, and near alternative network access locations such as
remote access server (RAS) or wireless access point (WAP) segments. Let's look
at a couple of examples that illustrate the placement of an IDS.