Step 3: Sensor Deployment


In this phase, you use the plans from phase 2 to begin the actual implementation. You face four subtasks in this phase of the project:

Step 1. Understand sensor CLI and IDM

Step 2. Install sensors

Step 3. Install and secure the IPS MC

Step 4. Understand the management center

Understand Sensor CLI and IDM

The initial sensor installation involves configuring the sensor through the CLI. Using the CLI, you configure the basic network parameters and allow access to the sensors from your management system. You can also perform numerous sensor configuration tasks using the IDM, which is a graphical web-based interface that is part of the sensor software. Understanding both of these interfaces is vital to successfully deploying Cisco IPS sensors on your network.

Install Sensors

The physical deployment of the in-line sensors involves the following two steps:

  • Configuring the sensor

  • Cabling the sensor

Configuring the Sensor

Before you can connect an in-line sensor into your network, you need to enable the interfaces that are to be used for your in-line pairs. You also need to configure the network parameters for the command and control interface so that you can access the sensor from your management platform.

Note

From the sensor CLI, you need to configure a few basic parameters, such as the management interface characteristics. These parameters are configured by running the setup command. The remaining sensor configuration can be performed using the GUI management tools.


Cabling the Sensor

After the initial software configuration, you need to physically connect the in-line sensor at your deployment locations in the network. Typical in-line deployment locations include the following:

  • Between two routers

  • Between a firewall and a router

  • Between a switch and a router

  • Between a switch and a firewall

Install and Secure the IPS MC and Understand the Management Center

You should have designed your management architecture in the planning phase. Procure the necessary hardware and software, but before you actually build it, make sure it is going to be installed in a secure manner. It is critical to secure your IPS MC as much as possible. Security management servers are appealing targets for attackers. An attacker can use a compromised security management server for all kinds of nefarious purposes.

To secure the IPS MC, make sure it is protected with as many security countermeasures as possible. Chapter 2, "Signatures and Actions," describes many of these. For example, the IPS MC should at least be in a secure physical location with restricted access, protected by a firewall, and have a CSA running on it.

Note

Consult the IPS MC documentation to make sure that your countermeasures don't prevent it from working. For example, the sensors might use certain network ports to communicate with the management center. If your firewall blocks those connections, IPS MC cannot properly manage and monitor your sensors.
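The check this note calls for can be run against the planned firewall policy before the management server goes live. The following is an added example, not code from the book or from Cisco; the addresses, the rule set, and the management flows (SSH on 22 and HTTPS on 443, from the management server to each sensor's command and control interface) are assumptions, so take the real ports and direction from the IPS MC documentation.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str           # "permit" or "deny"
    src: str              # source network, CIDR
    dst: str              # destination network, CIDR
    port: Optional[int]   # TCP destination port, None = any

class Flow(NamedTuple):
    name: str
    src: str
    dst: str
    port: int

def first_match(rules, flow):
    """Return the first rule that matches the flow, or None (implicit deny)."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for rule in rules:
        if (src in ipaddress.ip_network(rule.src)
                and dst in ipaddress.ip_network(rule.dst)
                and rule.port in (None, flow.port)):
            return rule
    return None

def blocked_flows(rules, flows):
    """List (flow name, deciding rule) for every required flow not permitted."""
    blocked = []
    for flow in flows:
        rule = first_match(rules, flow)
        if rule is None or rule.action != "permit":
            blocked.append((flow.name, rule))
    return blocked

# Constructed sample data; ports and direction are assumptions, not from the book.
MC = "10.10.0.5"
SENSORS = ["10.20.1.10", "10.20.2.10"]        # command and control interfaces
MGMT_PORTS = {"ssh": 22, "https": 443}
REQUIRED = [Flow(f"MC->{s} {n}", MC, s, p)
            for s in SENSORS for n, p in MGMT_PORTS.items()]
RULES = [
    Rule("permit", "10.10.0.5/32", "10.20.1.0/24", 22),
    Rule("permit", "10.10.0.5/32", "10.20.1.0/24", 443),
    Rule("permit", "10.10.0.5/32", "10.20.2.0/24", 22),   # HTTPS rule forgotten
    Rule("deny", "0.0.0.0/0", "10.20.0.0/16", None),      # lock down sensor nets
]

if __name__ == "__main__":
    for name, rule in blocked_flows(RULES, REQUIRED):
        print(f"BLOCKED {name}: {rule or 'implicit deny (no rule matched)'}")
```

With the sample policy, the only required flow reported is HTTPS to the second sensor, which falls through to the final deny rule.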


As soon as the security countermeasures are ready, consult your architecture plan and build your NIPS management solution.

The ACME project team worked with the security and server teams to securely implement the IPS MC. It attached the single server to the network it usually uses for management devices because that network is protected from the regular network. It also verified connectivity to the command and control interfaces on its deployed sensors.




Intrusion Prevention Fundamentals
ISBN: 1587052393
Pages: 115