Sensor Placement
First, you analyzed the topology of your network to understand the paths that an attacker can use to gain access to it. Then you identified the critical components, because they are the most likely targets of attacks against your network. Now it is time to consider where to place Cisco IDS sensors on your network to watch for potentially hostile activity. To provide thorough IDS coverage, you need to watch for intrusive activity at each of the common functional boundaries on your network, that is, at the points where traffic crosses between segments that have different levels of trust. Figure 1 illustrates a typical network configuration.
Figure 1 Typical network configuration
Examining Figure 1, you can see that the major areas where you need to consider placing IDS sensors are:
- Perimeter protection
- Extranets
- Remote access
- Intranets
Sensors 1 and 2 in Figure 1 are watching the perimeter of the network. Usually, this perimeter is protected by a firewall. Sensor 1 is located outside the firewall so that it can monitor all the attacks launched against your network from the untrusted network, including the many that the firewall will block. Sensor 2 is also watching for attacks from the untrusted network, but it observes only those that have successfully penetrated the firewall. Alarms from Sensor 2 therefore deserve a higher priority than the same alarms from Sensor 1, and comparing what the two sensors report shows you which attacks the firewall stopped and which it let through.
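The outside/inside comparison described above can be automated. The following Python script is an added example, not code from the original chapter or from Cisco: it correlates alarms from a sensor outside the firewall with alarms from the sensor just inside it, pairing them on signature, source and destination within a short time window. The alarm records, the sensor names (`sensor1`, `sensor2`) and the signature labels are constructed for the example and do not use Cisco's alarm format or signature identifiers.

```python
"""Correlate alarms from the sensor outside the firewall (Sensor 1) with those
from the sensor just inside it (Sensor 2).  An outside alarm with a matching
inside alarm is an attack that got through the firewall; an outside alarm with
no inside match is one the firewall stopped; an inside alarm with no outside
match was either sourced from inside the perimeter or missed by Sensor 1, and
both cases deserve a look."""
from collections import namedtuple
from datetime import datetime, timedelta

Alarm = namedtuple("Alarm", "sensor time sig src dst")

# Constructed sample alarms in a generic comma-separated record format
# (sensor, ISO time, signature label, source, destination).  This is not
# Cisco's alarm format, and the signature labels are illustrative only.
SAMPLE_ALARMS = """\
sensor1,2003-05-01T10:00:01,port-sweep,203.0.113.7,198.51.100.20
sensor1,2003-05-01T10:00:05,http-dir-traversal,203.0.113.9,198.51.100.21
sensor2,2003-05-01T10:00:06,http-dir-traversal,203.0.113.9,198.51.100.21
sensor1,2003-05-01T10:01:00,smtp-long-command,203.0.113.11,198.51.100.25
sensor2,2003-05-01T10:02:00,dns-zone-transfer,198.51.100.50,198.51.100.53
sensor1,2003-05-01T10:03:00,http-dir-traversal,203.0.113.9,198.51.100.22
sensor2,2003-05-01T10:04:30,http-dir-traversal,203.0.113.9,198.51.100.22
"""


def parse_alarms(text):
    """Parse one alarm per non-empty line into Alarm records."""
    alarms = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sensor, ts, sig, src, dst = line.split(",")
        alarms.append(Alarm(sensor, datetime.fromisoformat(ts), sig, src, dst))
    return alarms


def correlate(alarms, outside="sensor1", inside="sensor2",
              window=timedelta(seconds=30)):
    """Pair each outside alarm with the first unmatched inside alarm that has
    the same (signature, source, destination) and fires within `window` after
    it.  The window keeps unrelated repeats of the same attack from pairing
    up; the sensors' clocks must be synchronized for this to be meaningful."""
    out = sorted((a for a in alarms if a.sensor == outside), key=lambda a: a.time)
    inside_unmatched = sorted((a for a in alarms if a.sensor == inside),
                              key=lambda a: a.time)
    penetrated, blocked = [], []
    for o in out:
        match = next((i for i in inside_unmatched
                      if (i.sig, i.src, i.dst) == (o.sig, o.src, o.dst)
                      and timedelta(0) <= i.time - o.time <= window), None)
        if match is None:
            blocked.append(o)
        else:
            inside_unmatched.remove(match)
            penetrated.append((o, match))
    return {"penetrated": penetrated, "blocked": blocked,
            "inside_only": inside_unmatched}


def summarize(result):
    """Counts for a quick report; the full alarm lists are in `result`."""
    return {k: len(v) for k, v in result.items()}


if __name__ == "__main__":
    result = correlate(parse_alarms(SAMPLE_ALARMS))
    for o, i in result["penetrated"]:
        print(f"PENETRATED  {o.sig} {o.src}->{o.dst} "
              f"(seen inside at {i.time:%H:%M:%S})")
    for a in result["blocked"]:
        print(f"blocked     {a.sig} {a.src}->{a.dst}")
    for a in result["inside_only"]:
        print(f"inside-only {a.sig} {a.src}->{a.dst}")
    print(summarize(result))
```

On the sample data, one attack penetrated the firewall, three outside alarms had no inside counterpart, and two alarms were seen only inside. Note the last pair of `http-dir-traversal` alarms: the inside alarm arrives 90 seconds after the outside one, outside the 30-second window, so it is reported as inside-only rather than as a penetration; tune the window to the latency of your alarm collection path, and treat inside-only alarms as worth investigating in either case.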
Sensor 3 in Figure 1 is positioned to monitor the traffic between the protected network and a business partner's network. Any attacks originating from your business partner's network (or launched from your network against it) will be observed by this sensor. Sensor 4 provides this same protection, but for traffic from your remote access users, whose hosts are outside your physical control and are therefore a common entry point for attacks.
Sensors 5 and 6 in Figure 1 illustrate the way IDS sensors can be used to monitor the flow of traffic between different internal groups on the network. Sensor 5 is protecting the Engineering network, whereas Sensor 6 is protecting the Finance network.