9.5 IDS Placement


Placement of the IDS depends upon the number of IDSs that you have. If, for example, you only have resources for a single IDS, the commonly preferred method is to place the IDS between your external router and your firewall. This placement ensures that all traffic is inspected for attacks before it is filtered by your firewall. The hope is to have the IDS serve as an early warning system for your network and alert you to the threats that your firewall is facing. It is always nice to know if someone is trying to break into your network.

The primary disadvantage of this configuration on its own is that even a normal network generates a great many alerts, most of them for attacks the firewall would have blocked anyway. Because the sensor has no way of knowing, with certainty, which attacks succeeded and which failed, the volume of alerts tends to keep network administrators on edge and causes them to spend a great deal of time investigating IDS reports.

Some make good arguments that the best position for an IDS is just inside your firewall. The logic of this placement is that the management burden of the IDS will be much lower because, presumably, most of the suspicious traffic will be blocked by the firewall before it ever reaches the sensor. Placed inside your network immediately behind the firewall, the IDS serves as an important safety check on the configuration and performance of the firewall. This placement lets you know when someone's attempts to break into your network have made it past the firewall.

While placing a single IDS inside the network allows network administrators to concentrate only on the threats that have managed to circumvent the firewall, it somewhat limits their view of what is going on outside the network. Attacks directed at the firewall itself, for example, may go undetected.

Because a single management station can support multiple sensors, it is common for an organization to settle the debate on optimal IDS placement relative to the firewall by placing an IDS sensor on each side of it. This gives you both a view of the attacks your network is facing and, by comparing the alerts from the two sensors, the assurance of knowing exactly what your firewall is protecting you from. If resources allow, further sensors can then be placed in other strategic locations on the network. The most common secondary locations are the DMZ and any server farms on the network. For maximum visibility of network traffic, IDS sensors can also be placed on host segments. As with any security decision, the number and placement of IDS sensors should reflect the security priorities of the organization itself.
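The comparison just described, as an added example that is not from the book: a small POSIX shell script that takes an alert log from the sensor outside the firewall and one from the sensor inside it, reduces both to a set of (signature, source, destination) keys, and reports which attacks the firewall stopped and which got through. The alert format, signature names and addresses are invented for the illustration; a real deployment would feed it whatever its own sensors export.

```shell
#!/bin/sh
# Compare alerts seen by the sensor outside the firewall with those seen by the
# sensor inside it. Anything seen only outside was stopped by the firewall;
# anything seen on both sides got through and deserves attention first.
LC_ALL=C; export LC_ALL        # deterministic sort/comm ordering

# Constructed sample alert logs in a simplified, invented format:
#   <time> <signature> <source-ip> -> <destination-ip>
OUTSIDE=$(mktemp); INSIDE=$(mktemp)
trap 'rm -f "$OUTSIDE" "$INSIDE"' EXIT
cat >"$OUTSIDE" <<'EOF'
10:00:01 http-cmd-exe-request 198.51.100.7 -> 192.0.2.10
10:00:02 tcp-xmas-scan 198.51.100.7 -> 192.0.2.10
10:00:05 smtp-helo-overflow 203.0.113.9 -> 192.0.2.25
10:00:09 http-cmd-exe-request 198.51.100.7 -> 192.0.2.10
10:00:12 icmp-ping 198.51.100.7 -> 192.0.2.1
EOF
cat >"$INSIDE" <<'EOF'
10:00:01 http-cmd-exe-request 198.51.100.7 -> 192.0.2.10
10:00:05 smtp-helo-overflow 203.0.113.9 -> 192.0.2.25
EOF

# Reduce a log to a sorted, de-duplicated set of "signature src dst" keys.
# Timestamps are dropped so that repeats of the same attack collapse to one key.
alert_keys() {
    awk '{ print $2, $3, $5 }' "$1" | sort -u
}

# Keys present in the outside log ($1) but absent from the inside log ($2):
# attacks the firewall blocked.
blocked_attacks() {
    o=$(mktemp); i=$(mktemp)
    alert_keys "$1" >"$o"; alert_keys "$2" >"$i"
    comm -23 "$o" "$i"
    rm -f "$o" "$i"
}

# Keys present in both logs: attacks that passed the firewall.
passed_attacks() {
    o=$(mktemp); i=$(mktemp)
    alert_keys "$1" >"$o"; alert_keys "$2" >"$i"
    comm -12 "$o" "$i"
    rm -f "$o" "$i"
}

# Keys present only in the inside log: either an internal source or traffic the
# outside sensor missed, both worth a closer look.
inside_only_attacks() {
    o=$(mktemp); i=$(mktemp)
    alert_keys "$1" >"$o"; alert_keys "$2" >"$i"
    comm -13 "$o" "$i"
    rm -f "$o" "$i"
}

echo "Blocked by the firewall (seen outside only):"
blocked_attacks "$OUTSIDE" "$INSIDE" | sed 's/^/  /'
echo "Passed the firewall (seen on both sides):"
passed_attacks "$OUTSIDE" "$INSIDE" | sed 's/^/  /'
echo "Seen inside only:"
inside_only_attacks "$OUTSIDE" "$INSIDE" | sed 's/^/  /'
```

On the sample data the script reports the port scan and the ping as blocked and the web and SMTP attacks as having passed, which is exactly the "what is my firewall protecting me from" question the two-sensor layout answers. The matching key deliberately ignores timestamps; if the two sensors' clocks are not synchronised, matching on time would make the same attack look like two different events.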

In all cases, an IDS should be configured in "stealth" mode. Stealth mode means omitting the IP configuration of the network interface card that monitors the network traffic. Configuring the sensing interface without an IP address prevents anyone on the monitored network from making a connection to the IDS or even discovering that it exists. The sensor is thus protected from the very network scans and attacks it is attempting to detect.

Of course, removing the IP address from an interface prevents the interface from being used by an attacker, but it also prevents the interface from being used to administer the IDS over the network. This is of particular importance when several IDS sensors are placed about the network and their information is collected at a central management station. To protect the IDS sensor and still manage it remotely, most IDSs have two network interfaces. One interface is used as the sensor and is configured without an IP address. The second interface connects to a separate LAN whose sole purpose is collecting information from and managing the various IDS sensors. An example of this configuration with three IDS sensors is shown in Exhibit 3.
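The stealth-mode and two-interface arrangement described in the last two paragraphs, as an added example that is not from the book: a POSIX shell script for a Linux sensor that strips every address from the sniffing interface, brings it up in promiscuous mode with ARP disabled, and then checks that nothing was left behind. The interface names (eth1 for the sensor, eth0 for the management LAN) and the sample `ip -o addr show` output are assumptions made for the illustration. One caveat the book does not mention: removing the IPv4 address alone is not enough on Linux, because the kernel automatically gives every interface that comes up an IPv6 link-local (fe80::) address, and that is enough for the sensor to answer neighbour discovery and be found.

```shell
#!/bin/sh
# Bring up an IDS sensor's monitoring interface in "stealth" mode on Linux
# (iproute2 and sysctl) and verify that it carries no address at all.
SENSOR_IF=eth1   # assumed: interface on the span port / tap; gets no IP address
MGMT_IF=eth0     # assumed: interface on the isolated IDS management LAN; left alone

# Strip every address from the sniffing interface and keep the kernel from
# putting one back. Disabling IPv6 on the interface stops the automatic
# link-local address; arp off stops it answering ARP; promisc on lets it see
# every frame delivered by the span port or tap.
stealth_interface() {
    ip addr flush dev "$1"
    sysctl -q -w "net.ipv6.conf.$1.disable_ipv6=1"
    ip link set dev "$1" arp off multicast off promisc on up
}

# Read `ip -o addr show` output on stdin; succeed (exit 0) if any IPv4 or
# IPv6 address is present, i.e. the interface is NOT in stealth mode.
has_addresses() {
    grep -Eq '[[:space:]]inet6?[[:space:]]'
}

# Report on a live interface. Returns 0 when it carries no address.
check_stealth() {
    if ip -o addr show dev "$1" | has_addresses; then
        echo "$1: still has an address, not in stealth mode" >&2
        return 1
    fi
    echo "$1: no addresses, stealth mode OK"
}

# Constructed sample of `ip -o addr show dev eth1` output from a sensor whose
# monitoring interface was given no IPv4 address but still picked up the
# kernel's IPv6 link-local address; has_addresses must flag it.
SAMPLE_LEAKY='2: eth1    inet6 fe80::5054:ff:fe12:3456/64 scope link \       valid_lft forever preferred_lft forever'

# Only touch real interfaces when explicitly asked to (needs root), e.g.
#   APPLY_STEALTH=1 sh stealth.sh
if [ "${APPLY_STEALTH:-0}" = "1" ]; then
    stealth_interface "$SENSOR_IF"
    check_stealth "$SENSOR_IF"
    echo "$MGMT_IF keeps its address for the management station"
fi
```

Run `check_stealth` again after every reboot or network-service restart: a DHCP client or network-management daemon that still considers the sensing interface its own will happily put an address back, and the sensor is then visible to exactly the scans it is meant to watch.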

Exhibit 3: Create a Separate LAN between the IDS Sensors and Management Station




Network Perimeter Security: Building Defense In-Depth
ISBN: 0849316286
Year: 2004
Pages: 119
Authors: Cliff Riggs