Assume you are adding a NIDS to a three-interface firewall design. If you have budget for only one sensor, where should it go?

If you have budget for only one sensor, the answer varies depending on your firewall policy and the security sensitivity of the devices on your public services segment. The default answer is to put it on the public services segment because that is where the most publicly reachable systems can be found.

Assume the same design as the previous question, but now you have budget for two NIDS sensors. Where do you put them?

The right answer is to put one on the public services segment and another on the segment connecting your firewall to the internal network.

Your boss has asked you to select a device to provide connectivity to 50 branch offices. Each branch office requires VPN connectivity, routing, firewalling, and an IDS. Budget and manageability are key concerns. Which device, or devices, should you recommend?

The answer to this question depends on a number of factors. What is the performance requirement at each branch? Which traffic types will be passing over the VPN? Will a central team manage the entire connection, or do you have dedicated security staff for the security components? Based on the answers to these questions, you can wind up with one of two options. First, deploy a security device (VPN/firewall) and a router as separate components. Second, deploy a router with integrated security. The latter option is preferable if the performance requirements can be met by the router and the teams responsible for the different elements of the connection are happy with the management interfaces the router provides.

Which future technology might make using NIDS to stop attacks more viable?

Inline NIDS is the most likely candidate. However, figuring out how to stop false positives (and negatives) still must be solved. Putting NIDS inline just exacerbates the problem rather than making it go away.

When might you want to have more than one public services segment on your Internet edge?

When you have services that have different trust levels and access to the rest of the network. Using private VLANs can mitigate the risk of intermingling these systems if having multiple segments isn't an option. See Chapter 6, "General Design Considerations," for more details.

What is the most important component of any security technology deployed on an open source, noncommercially supported platform?

Ensuring that your company maintains thorough documentation that is kept up-to-date is an important component of any security plan and is absolutely essential for those involving open source tools with no commercial support.