Summary


Your unique network topology identifies which IPS sensors are the most effective devices to analyze the traffic on your network. Some of the factors that impact your IPS sensor selection and deployment include the following:

  • Security budget

  • Amount of network traffic

  • Network topology

  • Security staff to operate the components

The main factors to consider when you purchase a sensor to operate on your network include the following:

  • Sensor cost

  • Sensor processing capability

  • Number of monitoring interfaces

Depending on your unique network topology, you need to determine where you want to deploy your IPS sensors (within your network). When you make these decisions, you need to consider the form factor of the sensor to determine which type of sensor meets your needs. Some common sensor form factors include the following:

  • Standalone appliance sensor

  • Blade-based sensor

  • IPS software integrated into the OS on an infrastructure device

Regardless of the type of IPS sensor that you deploy on your network, your IPS sensors can process only traffic that they receive on one of their interfaces. Capturing network traffic for your IPS sensors is usually based on the following two categories:

  • Capturing traffic for in-line mode

  • Capturing traffic for promiscuous mode

In-line processing mode uses pairs of sensor interfaces. Because the sensor is bridging the network traffic at the link layer, you do not need to do any special capturing of the network traffic. Some typical locations for deploying in-line IPS include the following:

  • Between two routers

  • Between a firewall and a router

  • Between a switch and a router

  • Between a switch and a firewall

  • Between two switches

Promiscuous mode requires only a single sensor interface, although you must make sure that a copy of the traffic to be examined is passed to the monitoring interface. Typical traffic capture devices that you use to pass traffic to your IPS sensors include the following:

  • Hubs

  • Network taps

  • Switches

Cisco switches provide the following three mechanisms to mirror traffic to your sensor's promiscuous interface:

  • SPAN

  • RSPAN

  • VACL
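The three mirroring mechanisms listed above, shown as Cisco IOS configuration fragments. This is an added illustration, not configuration from the book; interface names, VLAN numbers and the ACL/map names are assumed for the example, and the VACL capture form is specific to Catalyst 6500 native IOS.

```cisco
! --- 1. Local SPAN: mirror one access port to the sensor's promiscuous interface ---
! Assumption: the server sits on Gi1/0/1 and the sensor's monitoring
! interface is cabled to Gi1/0/24 on the same switch.
monitor session 1 source interface GigabitEthernet1/0/1 both
monitor session 1 destination interface GigabitEthernet1/0/24
! A SPAN destination port does not accept ingress frames by default, so the
! sensor cannot use this interface to send traffic; only monitor on it.

! --- 2. RSPAN: mirror ports on one switch to a sensor on another switch ---
! Assumption: VLAN 900 is reserved as the RSPAN VLAN on both switches and on
! the trunk between them.
! Source switch:
vlan 900
 remote-span
!
monitor session 2 source interface GigabitEthernet1/0/1 - 8 rx
monitor session 2 destination remote vlan 900
!
! Destination switch (where the sensor is attached):
vlan 900
 remote-span
!
monitor session 2 source remote vlan 900
monitor session 2 destination interface GigabitEthernet1/0/24

! --- 3. VACL capture (Catalyst 6500): forward VLAN 10 normally and copy only
!        the traffic matched by the ACL to the capture port ---
! Copying a subset instead of everything keeps the sensor's monitoring
! interface within its processing capability.
ip access-list extended IPS-CAPTURE-ACL
 permit tcp any any eq 80
 permit tcp any any eq 443
!
vlan access-map IPS-CAPTURE 10
 match ip address IPS-CAPTURE-ACL
 action forward capture
vlan access-map IPS-CAPTURE 20
 action forward
!
vlan filter IPS-CAPTURE vlan-list 10
!
interface GigabitEthernet5/1
 switchport
 switchport capture
 switchport capture allowed vlan 10
```

After applying any of the three, `show monitor session 1` (or `show monitor session 2`) confirms the source and destination are active; on the sensor side, a rising packet count on the monitoring interface is the quickest sign that the copy is arriving.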

After receiving network traffic, your IPS sensors must analyze that traffic and then perform certain actions based on the results of that analysis. IPS sensor network traffic analysis falls into the following categories:

  • Atomic operations

  • Stateful operations

  • Protocol decode operations

  • Anomaly operations

  • Normalizing operations

After identifying potentially malicious activity or security policy violations, your IPS sensors perform specific configured actions. These actions are usually configured on a per-signature basis and fall into the following categories:

  • Alerting actions

  • Logging actions

  • Blocking actions

  • Dropping actions

To use NIPS effectively on your network, you need to configure your IPS sensors correctly and monitor the alerts and other signature actions. Managing your NIPS sensors normally falls into the following two categories:

  • Small sensor deployments

  • Large sensor deployments

Managing a few sensors can usually be accomplished on an individual sensor basis. If you deploy a large number of sensors across your network, configuring each sensor individually can become impractical and usually requires the deployment of a management tool to manage the various sensors on your network.

For small sensor deployments, Cisco IPS sensors have both a CLI and a web-based interface that you can use to configure individual sensors. To configure large sensor deployments, you need to use a tool such as the IPS MC.

In both small and large deployments, you want to monitor the alerts across all your sensors so that you can correlate the events happening at various locations in your network. Cisco provides CS-MARS and Security Monitor to monitor both large sensor and small sensor deployments.

Intrusion Prevention Fundamentals
ISBN: 1587052393
Pages: 115