Your unique network topology identifies which IPS sensors are the most effective devices to analyze the traffic on your network. Some of the factors that impact your IPS sensor selection and deployment include the following:
Your IPS sensors must monitor traffic, regardless of the unique topology of your network. Besides the amount of traffic that a sensor processes, two other factors significantly impact your choice of IPS sensor: the number of interfaces available on the sensor and the form factor of the sensor. All three of these aspects impact the cost and the efficiency of the sensors that you deploy on your network.

Sensor Processing Capacity

Each IPS sensor can process only a limited amount of network traffic. For example, Table 8-1 shows the bandwidth capacities for several Cisco IPS appliance sensors.
Different segments of your network support different amounts of network traffic. Your sensors must support the traffic at the specific location in the network at which they are deployed. If you have excess capacity on a sensor, it provides flexibility to handle more traffic as your network grows, although it also makes your NIPS installation more costly because the cost of a sensor is usually directly proportional to the amount of traffic that it can process. Another way to fully utilize the capacity of your IPS sensors is to use EtherChannel load balancing to distribute traffic from multiple VLANs across the same trunk line. The raw bandwidth ratings on an IPS sensor can be misleading because the sensor processes some types of packets and protocols more efficiently than others. Therefore, besides the raw bandwidth that your IPS sensor can handle, you also need to consider the following factors about your network bandwidth when deploying IPS sensors:
The ratings indicate the type of traffic that was used to determine the maximum traffic analysis capacity of the sensor. For example, the Cisco IPS 4240 sensor supports a maximum traffic analysis capability of 250 Mbps. The rating is based on the following criteria:
Sensor Interfaces

Besides capacity, your IPS sensors must also receive network traffic (to be analyzed) via one or more network interfaces. Providing multiple interfaces on a single sensor enables it to monitor multiple network locations. In-line processing (in many situations) requires two interfaces to monitor a single location in your network. Table 8-2 shows the default and maximum interfaces available for several Cisco IPS appliance sensors.
Note: As use of in-line monitoring increases, the number of interfaces available on individual sensors keeps increasing. Furthermore, some IPS sensors also enable you to configure in-line processing using a single interface (known as "in-line on a stick").

Although having more network interfaces enables you to monitor more locations throughout your network, you do encounter a break-even point at which the processing capacity of the sensor makes more monitoring interfaces impractical. For example, suppose that you deploy a Cisco IPS 4240 sensor and use two interfaces for in-line monitoring and the other two interfaces to perform promiscuous monitoring at two other locations in your network. With this configuration, the monitoring interfaces can actually receive 3000 Mbps (1000 Mbps for the in-line pair and 1000 Mbps for each promiscuous interface if the network is totally saturated). Therefore, installing more interfaces on the sensor might not be practical because the potential capacity of the sensor is already being exceeded. Now suppose that you deploy the same Cisco IPS 4240 sensor, although this time, you configure two sets of in-line interface pairs on 100 Mbps interfaces. In this configuration, the monitoring interfaces can receive only a maximum of 200 Mbps (100 Mbps for each in-line pair). In this situation, a couple more network interfaces can be practical (when using 100 Mbps interfaces). With two more interfaces, you can have a total of three in-line interface pairs. The maximum amount of traffic that these three in-line interface pairs can handle is 300 Mbps, similar to the first example that involved in-line and promiscuous monitoring using four network interfaces.

Note: The interfaces on the Cisco IPS appliances are 10/100/1000BASE-TX interfaces. Therefore, these interfaces can be connected to 10 Mbps, 100 Mbps, or 1000 Mbps interfaces. The sensor automatically detects the configuration speed for each monitoring interface.
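The worst-case ingress calculation behind the two IPS 4240 scenarios above, as an added worked example (not from the book): an in-line pair counts once at its link speed, each promiscuous interface counts once at its link speed, and the total is compared with the 250 Mbps analysis capacity quoted in the text. The Monitor type, the scenario definitions and the oversubscription ratio are constructed for this example.

```python
"""Worst-case monitoring-interface ingress versus sensor analysis capacity.

Added example, not from the book. Models the Cisco IPS 4240 scenarios
described in the text: an in-line pair contributes its link speed once,
and every promiscuous interface contributes its link speed.
"""
from dataclasses import dataclass

IPS_4240_CAPACITY_MBPS = 250  # rated analysis capacity quoted in the text


@dataclass(frozen=True)
class Monitor:
    mode: str        # "inline" (an interface pair) or "promiscuous" (one interface)
    speed_mbps: int  # negotiated link speed: 10, 100 or 1000


def interfaces_used(monitors):
    """Physical ports consumed: an in-line pair uses two, promiscuous uses one."""
    return sum(2 if m.mode == "inline" else 1 for m in monitors)


def worst_case_ingress_mbps(monitors):
    """Traffic the sensor could receive if every monitored link is saturated."""
    for m in monitors:
        if m.mode not in ("inline", "promiscuous"):
            raise ValueError(f"unknown monitoring mode {m.mode!r}")
    return sum(m.speed_mbps for m in monitors)


def scenario_report(name, monitors, capacity_mbps=IPS_4240_CAPACITY_MBPS):
    """Summarise a configuration; oversubscription > 1.0 means the sensor can be overrun."""
    ingress = worst_case_ingress_mbps(monitors)
    return {
        "scenario": name,
        "ports_used": interfaces_used(monitors),
        "worst_case_ingress_mbps": ingress,
        "oversubscription": round(ingress / capacity_mbps, 2),
        "within_capacity": ingress <= capacity_mbps,
    }


# Configurations constructed from the text's description of the IPS 4240 examples.
SCENARIO_A = [Monitor("inline", 1000), Monitor("promiscuous", 1000), Monitor("promiscuous", 1000)]
SCENARIO_B = [Monitor("inline", 100), Monitor("inline", 100)]
SCENARIO_C = SCENARIO_B + [Monitor("inline", 100)]  # the two extra 100 Mbps interfaces

if __name__ == "__main__":
    for name, cfg in (("A", SCENARIO_A), ("B", SCENARIO_B), ("C", SCENARIO_C)):
        print(scenario_report(name, cfg))
```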
Understanding the types of interfaces connected to your sensor is important because even a single fully saturated 1000 Mbps promiscuous interface can easily exceed the analysis capacity of the Cisco IPS 4240 sensor.

Sensor Form Factor

The final aspect to consider when you decide on the correct sensor is the network location where you plan to deploy your sensor. The common sensor form factors include the following:
An appliance sensor can be deployed in almost any network environment, but it does take up rack space. Other form factors, such as blade-based sensors, might fit your network topology more appropriately, especially if rack space is limited.

Standalone Appliance Sensors

The standalone appliance sensors provide the most flexibility when you deploy IPS sensors on your network. These sensors can be deployed at virtually any location in your network. The main drawback to the appliance sensor is that you must make rack space in which to place the sensor. The Cisco 4200 Series sensors are examples of appliance sensors.

Blade-Based Sensors

Blade-based sensors (line cards) enable you to take advantage of existing infrastructure devices to deploy your IPS devices. Blade-based sensors do not take up extra rack space, and they have the advantage of receiving traffic directly from the backplane of the infrastructure device in which they are deployed. One drawback of the blade-based sensors is that they can be costly if you do not already have the existing infrastructure devices deployed on your network; another drawback is limited flexibility in sensor deployment locations. Cisco supports the following blade-based sensor platforms:
The IDSM-2 blade operates in the Catalyst 6500 Series family of switches. It provides a maximum of 600 Mbps of traffic analysis capacity. The network module is a line card that adds Cisco IPS functionality to Cisco 2800 or 3800 Series routers. The network module can analyze up to 45 Mbps of network traffic. The Cisco Adaptive Security Appliance (ASA) integrates a powerful suite of security technologies into a single platform. Some of the functionality built into the ASA includes the following:
The ASA can also incorporate additional specialized high-performance security services using Security Service Modules (SSMs). These SSMs utilize dedicated coprocessors to perform customized analysis of traffic flows. Advanced intrusion prevention functionality is provided by the AIP-SSM. The ASA AIP-SSM has the following models available:
The intrusion prevention traffic analysis capacity of the modules depends on the ASA appliance in which the SSM is installed. Table 8-3 shows the different performance values for the two modules.
IPS Software Integrated into the OS on Infrastructure Devices

When the IPS software is integrated into the software of an existing infrastructure device, the functionality provided is usually limited compared to a standalone appliance sensor because the infrastructure device takes on extra duties and responsibilities. Depending on your network environment, this reduced functionality might not be a problem. Furthermore, because the IPS is part of the OS on the infrastructure device, deploying the integrated IPS functionality is usually more cost effective (especially for small networks). Newer versions of Cisco IOS (Cisco IOS Release 12.3T and later) incorporate much of the functionality that the appliance sensors provide.