Understanding and Analyzing the Network
Intelligent IDS deployment requires detailed knowledge and
analysis of the network as a whole. As we discussed in Chapter 1, this involves gathering and
understanding attributes such as overall network size and topology, ingress and
egress points, service locations, and general application flow parameters. In
small environments this may be simple, but in large enterprise networks, a
comprehensive appreciation of the routing and content switching foundation can
be quite a task.
You should start with a map of the network, examining the topology
from a routed or Layer 3 perspective. You need to gain an understanding of the
routed environment first. As part of the audit, you should scrutinize
active/active, redundant networks, since asynchronous routing and switching can
create havoc for an IDS: the sensor needs to inspect the entire dataflow
or conversation to be effective. Understand the perimeter security devices where
access may be permitted or denied. Also, you should understand the impact of IP
version 6 and VPN encryption—both of these can defeat IDS. It may also be
necessary to learn the Layer 2 design of the network, especially in large ATM or
MPLS clouds, since communities of interest are often aggregated on the same
physical network platform.
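The visibility problem described above (an active/active design where a reply returns over a link the sensor does not see, so no single sensor holds the whole conversation) can be audited from the sensors' own flow exports. The following Python script is an added example, not from the book; the Flow record layout and the sensor names are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple

class Flow(NamedTuple):
    """One unidirectional flow record as exported by a sensor (NetFlow-like)."""
    sensor: str
    src: str
    sport: int
    dst: str
    dport: int

# Constructed sample records from two sensors on redundant Internet links.
SAMPLE_FLOWS = [
    Flow("sensor-a", "10.1.1.5", 51000, "192.0.2.10", 80),
    Flow("sensor-a", "192.0.2.10", 80, "10.1.1.5", 51000),   # reply seen on the same sensor
    Flow("sensor-a", "10.1.1.6", 51001, "192.0.2.10", 443),
    Flow("sensor-b", "192.0.2.10", 443, "10.1.1.6", 51001),  # reply came back via the other link
    Flow("sensor-b", "10.1.2.7", 40000, "192.0.2.25", 25),   # no reply seen by any sensor
]

# Conversation key: (client, client_port, server, server_port); the lower port is the server.
ConvKey = Tuple[str, int, str, int]

def conversation(flow: Flow) -> Tuple[ConvKey, str]:
    """Fold both directions of a TCP exchange onto one key and tag the direction."""
    if flow.sport > flow.dport or (flow.sport == flow.dport and flow.src > flow.dst):
        return (flow.src, flow.sport, flow.dst, flow.dport), "c2s"
    return (flow.dst, flow.dport, flow.src, flow.sport), "s2c"

def audit_visibility(flows: List[Flow]) -> Dict[str, List[ConvKey]]:
    """Classify each conversation: 'complete' (both directions seen by one sensor,
    so it can reassemble and inspect), 'split' (directions seen by different
    sensors, the asymmetric-path symptom) or 'one_sided' (the reply was never seen)."""
    seen: Dict[ConvKey, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for f in flows:
        key, direction = conversation(f)
        seen[key][f.sensor].add(direction)
    result: Dict[str, List[ConvKey]] = {"complete": [], "split": [], "one_sided": []}
    for key, per_sensor in sorted(seen.items()):
        if any(len(dirs) == 2 for dirs in per_sensor.values()):
            result["complete"].append(key)
        elif len(set().union(*per_sensor.values())) == 2:
            result["split"].append(key)
        else:
            result["one_sided"].append(key)
    return result

if __name__ == "__main__":
    for verdict, convs in audit_visibility(SAMPLE_FLOWS).items():
        print(f"{verdict:>9}: {convs}")
```

Conversations reported as split are the ones to fix by re-placing sensors or aggregating both links into one sensor before the network map is finalized.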
After full comprehension of the Layer 3 environment, you should
work up the OSI model to Layer 7, the application layer. Make an overlay of the
Layer 3 network map by placing service flow information on the routed links.
This will help you understand which links in the network carry the most critical
application traffic such as web or e-mail requests. It will also help you
understand the next step, Identifying the Critical Infrastructure and Services.
Finally, using the previously developed security policy,
verify that the security zones are properly defined and examine how they
interact with the routed and application environment. Understanding the traffic
and how it flows across the network is an essential step in planning IDS
implementations.