There are many possible places for an enterprise to place an IDS. Three of the most common and effective are the following:
Network perimeter: The perimeter separates everything internal to the network from everything external to it. The perimeter equipment includes:
Figure 15-4 illustrates the network perimeter.
In this scenario, a network-based IDS should be placed at every entry point on the network perimeter; in this case, at the Access Server and firewall points. Where the sensor sits relative to the firewall matters: a sensor outside the firewall sees every probe aimed at the network, while one inside sees only the traffic the firewall admitted.
Server farms: Server farms are the network segments that host the servers; no client workstations exist in the server farm environment.
Figure 15-5 illustrates a server farm layout.
The server farm is a concentration of servers providing resources to users, such as World Wide Web hosting, FTP servers, organizational file servers, e-commerce servers, and so on.
In this scenario, a network-based IDS should be placed at the entry point for both dedicated and dial-in users, as well as at the entry point to the server farm. Further protection is afforded by placing a host-based IDS on each server in the server farm.
Network backbone: The network backbone provides access to the various network areas. Backbone links can be low- or high-bandwidth, depending on the implementation. Avoiding backbone links may eliminate some network delay. Intruders would be looking for important systems on this type of network, so anomalous traffic such as port scanning and IP spoofing attempts should raise a flag for the administrator to investigate.
Figure 15-6 illustrates regional network connections, with all traffic crossing a backbone as the traffic is forwarded from one region to the next.
In this scenario, a network-based IDS should be placed at the entry point for each regional network in the network backbone.
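The following is an added example, not code from the original text, showing the kind of checks a network-based sensor at a perimeter or backbone entry point would run over the traffic it sees: it flags a port scan (one source touching many distinct ports on one host in a short window) and IP spoofing attempts (a source address that is impossible for the interface it arrived on). The flow-record format, the interface names `eth0`/`eth1`, the internal address ranges, the thresholds, and the sample flows are all constructed assumptions for the example.

```python
"""Flag port scans and spoofed source addresses in flow records as seen by a
network-based IDS sensor at a perimeter or backbone entry point.

Added example: record format, interface names, thresholds and sample flows
are constructed for illustration, not taken from any product or the text.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Address space the sensor treats as "inside" (assumption for the example).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
EXTERNAL_IF = "eth0"   # faces the Internet / the other region (assumed name)
INTERNAL_IF = "eth1"   # faces the protected segment (assumed name)


@dataclass(frozen=True)
class Flow:
    ts: float        # seconds since epoch
    iface: str       # sensor interface the packet arrived on
    src: str
    dst: str
    dport: int


def detect_port_scans(flows, threshold=10, window=5.0):
    """Return {(src, dst): ports} for every source that touched at least
    `threshold` distinct destination ports on one host within `window`
    seconds. A sliding window over time-ordered events keeps a slow,
    legitimate stream of connections to one port from being flagged."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst)].append((f.ts, f.dport))
    hits = {}
    for pair, events in by_pair.items():
        events.sort()
        best, lo = set(), 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            ports = {p for _, p in events[lo:hi + 1]}
            if len(ports) > len(best):
                best = ports
        if len(best) >= threshold:
            hits[pair] = best
    return hits


def is_internal(addr):
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def detect_spoofed_sources(flows):
    """Return (reason, flow) pairs for flows whose source address cannot be
    genuine on the interface it arrived on: an internal address entering
    from the outside (ingress spoofing) or a non-internal address leaving
    from the inside (egress spoofing, e.g. a compromised host forging its
    source before a reflected attack)."""
    suspicious = []
    for f in flows:
        inside = is_internal(f.src)
        if f.iface == EXTERNAL_IF and inside:
            suspicious.append(("ingress-spoof", f))
        elif f.iface == INTERNAL_IF and not inside:
            suspicious.append(("egress-spoof", f))
    return suspicious


def sample_flows():
    """Constructed traffic: one scan, one benign HTTPS stream, two spoofs."""
    flows = []
    for i in range(16):   # sequential scan of 16 ports in 1.5 seconds
        flows.append(Flow(1000.0 + i * 0.1, EXTERNAL_IF,
                          "203.0.113.5", "10.0.0.20", 20 + i))
    for i in range(12):   # repeated HTTPS connections, one per second
        flows.append(Flow(1000.0 + i, EXTERNAL_IF,
                          "203.0.113.9", "10.0.0.20", 443))
    # internal source arriving from outside: ingress spoof
    flows.append(Flow(1005.0, EXTERNAL_IF, "10.0.0.99", "10.0.0.20", 53))
    # foreign source leaving from inside: egress spoof
    flows.append(Flow(1006.0, INTERNAL_IF, "198.51.100.7", "203.0.113.1", 80))
    return flows


if __name__ == "__main__":
    flows = sample_flows()
    for (src, dst), ports in detect_port_scans(flows).items():
        print(f"PORT SCAN {src} -> {dst}: {len(ports)} ports")
    for reason, f in detect_spoofed_sources(flows):
        print(f"{reason.upper()} on {f.iface}: {f.src} -> {f.dst}:{f.dport}")
```

The spoofing check is the same logic an anti-spoofing filter on the perimeter router applies, but here the sensor only reports, so a misconfigured internal range produces alerts rather than dropped traffic; the scan threshold and window should be tuned against the segment's normal traffic before alerts are trusted.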