banner



Home  ›  When Deploying Sensors, Collectors, And Filters, Where Should They Be Placed In The Network?

When Deploying Sensors, Collectors, And Filters, Where Should They Be Placed In The Network?

Written By Tuesday, April 12, 2022 Add Comment Edit

Sensor Deployment Considerations

Extensive planning and preparation are required before deploying sensors on your internetwork. Until some auditing and planning are done, yous can't even be certain which sensors are needed. Before y'all can begin installing your sensors, you must start understand where and how your sensors should be installed. Consider the following factors when you lot programme the deployment strategy for your network sensors:

  • Network entry points

  • Network size and complexity

  • Amount and type of traffic to be monitored

While each network has its own characteristics and caveats, some common strategies take worked for other Security Engineers across many different and unique network infrastructures. The strategy you choose depends on what you lot want your intrusion detection system to accomplish. Some IDS systems allow sensors to manage perimeter devices such every bit routers and firewalls, while other IDS systems are engineered to exist passive and only monitor the traffic and actions taking identify on the network. Your security policy should dictate the strategy you'll utilise in engineering your IDS environment and deciding on a sensor deployment strategy.

Network Entry Points

The sensor is designed to monitor all traffic crossing a given network segment. You must consider all external network connections and remote access points you want to protect. The 4 basic entry points to consider are illustrated in Figure 25-1. Each of the four network entry locations includes the following:


Figure 25-ane: Sensor deployment at network entry points

  • Internet Connections

  • Extranets

  • Intranets

  • Remote Access

The near common sensor deployment location is between the trusted internal network and the Cyberspace. As seen in Figure 25-1, sensor 1 is located betwixt the trusted network and the Internet. This deployment strategy is referred to as perimeter protection and the sensor is usually paired with one or more firewalls to enforce security policies.

Cyberspace Perimeter Protection Deployment

Different strategies can be used when deploying sensors to monitor perimeter Internet connections. Sensors can be placed in front of a filtering router or a firewall, or they tin can be placed behind the filtering router or firewall. For the highest level of protection, multiple sensors tin be used: 1 in forepart of the router/firewall and another behind the router/firewall. Every bit ever, advantages and disadvantages exist to each possible physical configuration.

Monitoring Unfiltered Traffic

The actual physical placement of the sensor is unimportant. What the sensors are monitoring and where the control interfaces are connected is what'southward important. As seen in Effigy 25-ii, the sensor has been logically placed in front of the filtering router past connecting the monitoring interface between the ISP router and the filtering router. In this example, the outermost router is the filtering router/firewall. The sensor monitors all incoming and outgoing traffic, only inbound traffic from the Internet is monitored before it's been filtered by the firewall. If y'all desire (or need) to see all intrusion or denial of service (DoS) attempts before they're filtered, you should consider this deployment strategy.


Effigy 25-2: Sensor in front of a filtering device

Because the sensor is placed in front of the filtering device, it will monitor all inbound traffic, including traffic that might be dropped at the filtering device. Another weakness to this deployment strategy is internal network traffic isn't monitored. Hackers could accept advantage of this weakness and assail your network resources from an internal host, which would go undetected by the sensor placed in front of the filtering device.

Monitoring Filtered Traffic

Sensors can also exist placed behind the filtering router or firewall. Effigy 25-3 illustrates a common Internet connexion where the sensor'due south monitoring interface is located backside the filtering router. The command interface is connected to the filtering device to let for device management. This deployment strategy is often called a firewall sandwich, because the sensor has an interface continued to the interior network and the control interface is continued to a firewall. Therefore, the firewall or filtering device is sandwiched between the sensors' two interfaces. A firewall sandwich is the Cisco preferred deployment method of using CIDS sensors in conjunction with a firewall.


Figure 25-iii: Sensor behind a filtering device

Placing a sensor's monitoring interface behind a filtering router or firewall prevents the sensor from monitoring traffic the filtering router rejects. 1 disadvantage to this placement strategy is the sensor is unaware of any policy violations the filtering device stops. To compensate for this, your firewall or filtering router should accept some mechanism to notify security personnel when security violations are attempted. To provide the highest level of protection, you can cull to take sensor's located in front of and behind the filtering device.

Monitoring Both Filtered and Unfiltered Traffic

To create the highest security posture, you lot tin can install a sensor on the inside and the outside of your Internet filtering device. One sensor volition monitor all incoming Net traffic before existence filtered and another sensor will monitor internal traffic, as well as all incoming filtered Internet traffic. The only disadvantage to this configuration is the cost associated with purchasing and managing the additional sensors.

Extranets' Business Partner Networks

Many companies with medium-to-big networks have connections to their concern partner networks. These connections include network extensions that connect to vendors, customer companies, and governmental agencies. Yous might or might not have control over the security policies implemented over these connections. Intruders could manipulate their way into your business partner'due south networks, and and then leverage those connections to compromise your network. In addition, you want to prevent anyone from using your network to set on your business partners. You should deploy sensors to monitor all incoming and outgoing traffic to all business organization partner networks.

Intranets' Business Divisions

Many large corporations have a hierarchical network design consisting of many different divisional networks, all of which connect to a cardinal corporate backbone. Sensors tin can exist placed at these network boundaries to monitor traffic crossing from one divisional network to some other. Different departments unremarkably take different security policies. For case, company A, an insurance company, could have many dissimilar departments with different security policies. The partitioning of the company that processes medical records must adhere to strict governmental security policies, while company A's billing department isn't regulated and tin can have a less-strict security policy. Sensors can be placed betwixt these two departments to validate that the proper security measures are in place.

Remote Access Networks

Near networks provide a mechanism that allows access to the company network for remote users. This remote admission expanse represents another critical entry point into your network. Hackers will attempt to find and exploit any mechanisms that provide admission into your protected network. Remote admission networks and servers are a common target of intruders and many intrusions are initiated from these resources. You lot should monitor all remote access mechanisms, such as servers, VPNs, and dial-up accounts. Placing a sensor between the core network and the remote access network allows security administrators to view and monitor remote incoming traffic.

Network Size and Complexity

The larger and more circuitous your network, the more probable y'all'll be forced to deploy multiple sensors throughout the internetwork. Some visitor departments manage their own Net and business partner connections, as well as security policies. When the network and security management lacks central control, you're forced to increase the number of sensor and manager platforms to monitor your network threats properly. Thankfully, CIDS tin can exist centrally or locally managed, but the more distributed the network, the higher the cost associated with protecting the entire network.

The Corporeality and Type of Traffic

While some models of the 4200 series network sensor appliance are capable of monitoring upward to 500 Mbps, no sensors are capable of monitoring gigabit or multi-gigabit connections. Some network blueprint changes may be required to allow for the inclusion of your intrusion detection organisation.

When Deploying Sensors, Collectors, And Filters, Where Should They Be Placed In The Network?,

Source: http://etutorials.org/Networking/Cisco+Certified+Security+Professional+Certification/Part+V+Intrusion+Detection+Systems+IDS/Chapter+25+Sensor+Installation+and+Configuration/Sensor+Deployment+Considerations/

Posted by: nguyencreformen.blogspot.com

0 Response to "When Deploying Sensors, Collectors, And Filters, Where Should They Be Placed In The Network?"

Post a Comment

Subscribe to: Post Comments (Atom)

Iklan Atas Artikel

Iklan Tengah Artikel 1

Iklan Tengah Artikel 2

Iklan Bawah Artikel