Determining sensor placement in your environment involves asking and answering some important questions. You can place sensors practically anywhere to monitor and detect malicious traffic, but they should always be located strategically, where they can see the most traffic of interest. Two typical locations are in front of the firewall and directly behind the firewall.
Figure 6.1 displays a sensor interface placed in front of a firewall. This location is well suited to monitoring traffic traveling to and from external networks, and from here the sensor can also see attack attempts against the firewall itself. If an attack comes from the external network, a sensor placed in front of the firewall should be able to pick it up. This placement leaves the internal network unwatched, however, so it shouldn't be the only location where you put a sensor. Sensors in this location sit outside the firewall's protection and are exposed to attack themselves, so keep a closer eye on their logs for traffic directed at the sensor.
Most attack attempts come from the external side of a firewall and are blocked by the firewall itself. The firewall provides little or no protection, however, against a virus or an attacker already inside the network. Sensor placement on the internal side of the network, behind the firewall, is therefore even more important than placement on the external side. Figure 6.2 displays a sensor interface located behind a firewall. This location enables the sensor to monitor all internal traffic visible on that segment, and it is the most common location for sensor placement. Always remember, however, that the most important sensors aren't necessarily behind the firewall; every site has different security requirements.
Most businesses now have more than one network segment; large companies might have hundreds of network segments implemented as VLANs. To provide the best protection, you should place a sensor on every segment that needs protection. Figure 6.3 displays sensors in a multiple-network environment. Notice that the sensors' management interfaces are connected to the same network segment as the management station. The management station typically runs Cisco management software that is used to configure the sensors and to pull log details from them.
Management is always a factor in sensor placement. Each sensor has at least two interfaces, one for sensing and the other for management; the latter is also known as the command and control interface. The management interfaces should all be connected to a private network that contains only management stations such as the IDS Event Viewer (IEV), Security Monitor, and Intrusion Detection System Management Console (IDS MC). That protected network can also include connections to managed devices such as routers or firewalls. These connections let the sensor send ACL and shun commands to the managed device to block attacking hosts or networks. Blocking is discussed further in Chapter 11, "IP Blocking Configuration."
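The following is an added example, not code from the book or from Cisco, of the kind of blocking command a sensor pushes to a managed device over the command and control network: an IOS extended ACL entry for a router, or a `shun` for a PIX firewall. It also adds a check the text does not discuss but that any practitioner wants before automating blocks: an attacker address that falls inside the management network (or any other address you can never afford to block) is refused rather than turned into a command. The management network, the never-block list, the ACL number 199 and the sample attacker addresses are constructed values for the example.

```python
import ipaddress

# Constructed example topology (assumptions, not from the book):
# the private command and control network holding the sensors and
# the IEV / Security Monitor / IDS MC stations, plus the firewall's
# inside address. Blocking any of these would cut off management.
MANAGEMENT_NET = ipaddress.ip_network("10.10.10.0/24")
NEVER_BLOCK = [
    MANAGEMENT_NET,
    ipaddress.ip_network("192.168.1.1/32"),   # firewall inside interface
]

ACL_NUMBER = 199  # assumed number of the ACL applied by the managed router


def wildcard_mask(net: ipaddress.IPv4Network) -> str:
    """IOS ACLs use an inverse (wildcard) mask: 0 bits must match."""
    return str(net.hostmask)


def is_protected(target: ipaddress.IPv4Network) -> bool:
    """True if the block would touch any address we must never block.

    overlaps() catches both a host inside the management network and a
    large network block (say 10.0.0.0/8) that would swallow it.
    """
    return any(target.overlaps(safe) for safe in NEVER_BLOCK)


def ios_acl_entry(target: ipaddress.IPv4Network) -> str:
    """Deny all IP traffic from the attacking host or network (IOS syntax)."""
    if target.num_addresses == 1:
        return f"access-list {ACL_NUMBER} deny ip host {target.network_address} any"
    return (f"access-list {ACL_NUMBER} deny ip "
            f"{target.network_address} {wildcard_mask(target)} any")


def pix_shun(target: ipaddress.IPv4Network) -> str:
    """PIX shun drops all connections from a single source host."""
    if target.num_addresses != 1:
        raise ValueError("shun applies to a single host, not a network")
    return f"shun {target.network_address}"


def build_block(attacker: str, device: str):
    """Return the blocking command for `device` ('ios' or 'pix'),
    or None if the attacker address is on the never-block list."""
    target = ipaddress.ip_network(attacker, strict=False)
    if is_protected(target):
        return None
    if device == "ios":
        return ios_acl_entry(target)
    if device == "pix":
        return pix_shun(target)
    raise ValueError(f"unknown device type: {device}")


def plan_blocks(attackers, device):
    """Split a batch of attacker addresses into commands and refusals."""
    commands, refused = [], []
    for attacker in attackers:
        cmd = build_block(attacker, device)
        (refused if cmd is None else commands).append(attacker if cmd is None else cmd)
    return commands, refused


if __name__ == "__main__":
    # Constructed attacker addresses as a sensor might report them.
    seen = ["172.16.5.9", "172.16.0.0/16", "10.10.10.77", "10.0.0.0/8"]
    cmds, skipped = plan_blocks(seen, "ios")
    for c in cmds:
        print(c)
    for s in skipped:
        print(f"refused: {s} overlaps a never-block address")
```

Run against the constructed list, the two external attackers become ACL entries, while the host on the management network and the /8 that would cover it are refused; the same refusal applies to `shun` on a PIX, which additionally rejects network blocks because it only operates per host.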