Your unique network topology identifies which IPS sensors are the most effective devices to analyze the traffic on your network. Some of the factors that impact your IPS sensor selection and deployment include the following:
The main factors to consider when you purchase a sensor to operate on your network include the following:
Depending on your unique network topology, you need to determine where you want to deploy your IPS sensors (within your network). When you make these decisions, you need to consider the form factor of the sensor to determine which type of sensor meets your needs. Some common sensor form factors include the following:
Regardless of the type of IPS sensor that you deploy on your network, your IPS sensors can process only traffic that they receive on one of their interfaces. Capturing network traffic for your IPS sensors is usually based on the following two categories:
In-line processing mode uses pairs of sensor interfaces. Because the sensor is bridging the network traffic at the link layer, you do not need to do any special capturing of the network traffic. Some typical locations for deploying in-line IPS include the following:
Promiscuous mode requires only a single sensor interface, although you must make sure that a copy of the traffic to be examined is passed to the monitoring interface. Typical traffic capture devices that you use to pass traffic to your IPS sensors include the following:
Cisco switches provide the following three mechanisms to mirror traffic to your sensor's promiscuous interface:
After receiving network traffic, your IPS sensors must analyze that traffic and then perform certain actions based on the results of that analysis. IPS sensor network traffic analysis falls into the following categories:
After identifying potentially malicious activity or security policy violations, your IPS sensors perform specific configured actions. These actions are usually configured on a per signature basis and fall into the following categories:
To effectively use NIPS on your network, you need to effectively configure your IPS sensors and monitor the alerts and other signature actions. Managing your NIPS sensors normally falls into the following two categories:
Managing a few sensors can usually be accomplished on an individual sensor basis. If you deploy a large number of sensors across your network, configuring each sensor individually becomes impractical and usually requires a management tool to configure the various sensors on your network. For small sensor deployments, Cisco IPS sensors have both a CLI and a web-based interface that you can use to configure individual sensors. To configure large sensor deployments, you need to use a tool such as the IPS MC. In both small and large deployments, you want to monitor the alerts across all your sensors so that you can correlate the events happening at various locations in your network. Cisco provides CS-MARS and Security Monitor to monitor both large and small sensor deployments.
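The following is an added example, not code from the original text or from Cisco, that models the operational difference between in-line and promiscuous processing together with per-signature actions. It constructs two toy signatures (a cleartext-telnet policy violation and an oversized HTTP request line) and three sample packets, then runs them through a sensor in each mode. The signature IDs, action names (`alert`, `drop`, `block-host`) and sample addresses are assumptions for illustration; the point it shows is that a sensor receiving only a mirrored copy of traffic can alert and request a block, but cannot drop a packet that has already been delivered.

```python
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class Signature:
    sig_id: int                       # illustrative IDs, not Cisco signature numbers
    name: str
    matches: Callable[[Packet], bool]
    actions: Set[str]                 # actions are configured per signature


@dataclass
class Event:
    sig_id: int
    src: str
    dst: str
    taken: List[str]                  # actions the sensor could apply in its mode
    skipped: List[str]                # actions impossible in this mode


class Sensor:
    """Toy sensor: 'inline' bridges traffic, 'promiscuous' sees a mirrored copy."""

    INLINE_ONLY = {"drop"}            # only possible when the sensor is in the forwarding path

    def __init__(self, mode: str, signatures: List[Signature]):
        if mode not in ("inline", "promiscuous"):
            raise ValueError("mode must be 'inline' or 'promiscuous'")
        self.mode = mode
        self.signatures = signatures
        self.events: List[Event] = []
        self.blocked_hosts: Set[str] = set()   # hosts handed to a blocking device

    def process(self, pkt: Packet) -> bool:
        """Analyze one packet; return True if the original packet reaches its destination."""
        delivered = True
        for sig in self.signatures:
            if not sig.matches(pkt):
                continue
            taken, skipped = [], []
            for action in sorted(sig.actions):
                if action in self.INLINE_ONLY and self.mode != "inline":
                    # Promiscuous mode only examines a copy; the original has already passed.
                    skipped.append(action)
                    continue
                taken.append(action)
                if action == "drop":
                    delivered = False
                elif action == "block-host":
                    self.blocked_hosts.add(pkt.src)
            self.events.append(Event(sig.sig_id, pkt.src, pkt.dst, taken, skipped))
        return delivered


# Constructed signatures: one security-policy violation, one protocol anomaly.
SIGNATURES = [
    Signature(1001, "policy: cleartext telnet", lambda p: p.dport == 23, {"alert"}),
    Signature(2001, "http: oversized request line",
              lambda p: p.dport == 80 and len(p.payload.split(b"\r\n", 1)[0]) > 256,
              {"alert", "drop", "block-host"}),
]

# Constructed sample traffic (addresses are documentation/private ranges).
TRAFFIC = [
    Packet("192.168.1.10", "10.0.0.5", 23, b"login: admin\r\n"),
    Packet("203.0.113.7", "10.0.0.8", 80, b"GET /" + b"A" * 400 + b" HTTP/1.1\r\nHost: x\r\n\r\n"),
    Packet("192.168.1.11", "10.0.0.8", 80, b"GET /index.html HTTP/1.1\r\nHost: x\r\n\r\n"),
]


def run(mode: str) -> Tuple[int, Sensor]:
    """Run the sample traffic through a sensor in the given mode; return (delivered count, sensor)."""
    sensor = Sensor(mode, SIGNATURES)
    delivered = sum(1 for p in TRAFFIC if sensor.process(p))
    return delivered, sensor


if __name__ == "__main__":
    for mode in ("inline", "promiscuous"):
        count, s = run(mode)
        print(f"{mode}: {count}/{len(TRAFFIC)} packets delivered, blocked hosts {sorted(s.blocked_hosts)}")
        for e in s.events:
            print(f"  sig {e.sig_id} {e.src}->{e.dst} taken={e.taken} skipped={e.skipped}")
```

In-line mode delivers two of the three packets because the oversized request is dropped in the forwarding path; promiscuous mode delivers all three and records `drop` as skipped for that event, while the `block-host` request is still raised in both modes. This is why the text stresses that a promiscuous sensor depends on a SPAN-style copy plus a separate blocking device, whereas an in-line pair of interfaces can act on the packet itself.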