Where to place IDS network sensors

After deciding to implement an IDS like Snort, determining your budget, choosing a product and understanding how NIDSes (network intrusion-detection systems) work in relation to network architectures (especially network switches and VLANs) you will need to figure out where to place the IDS sensors that actually "sniff" the wire and monitor your network traffic. To determine that, you need to ask yourself three more questions: What is my risk, what am I trying to monitor and protect, and how does the traffic flow in my environment?

As we discussed in the tip How to handle network design with switches and segments, intrusion detection systems and network switches don't get along, so you need to understa...

BROWSE BY TAG Network Security Tactics,   Network Intrusion Detection (IDS),   Network Intrusion Detection and Analysis,   Enterprise Network Security,   VIEW ALL TAGS

RELATED CONTENT Network Security Tactics What to do with network penetration test results How to use TrueCrypt for disk encryption Protecting enterprise networks from new mobile application downloads Maintaining security after a cloud computing implementation Preparing the network for a cloud computing implementation PuTTY configuration tips: How to connect to remote network systems A guide to internal and external network security auditing How to keep networks secure when deploying an 802.11n upgrade Screencast: Find rogue wireless access points with Vistumbler How to provide access to Web content (while ensuring network security) Network Intrusion Detection (IDS) Preventing SQL injection attacks: A network admin's perspective Lifecycle of a network security vulnerability Best Intrusion Prevention and Detection Products Rogue AP containment methods SIMs tools and tactics for business intelligence IPS and IDS deployment strategies Know when you need IDS, IPS or both Trend Micro to acquire Third Brigade for virtualization, cloud security New product aims to control rogue applications that avoid firewalls How to perform a network forensic analysis and investigation Network Intrusion Detection (IDS) Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary computer forensics  (SearchSecurity.com) Diffie-Hellman key exchange  (SearchSecurity.com) Einstein  (SearchSecurity.com) HIDS/NIDS  (SearchSecurity.com) network behavior analysis  (SearchSecurity.com) ultrasound  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

nd how traffic flows to and from the resources you need to protect in order to establish the best place(s) to monitor. One of the most obvious places to put an IDS sensor is near the firewall. But, do you put the network sensor inside the firewall, outside or both? If your goal is to see just what a bad neighborhood you've walked into when you connected to the Internet then by all means put an IDS sensor outside the firewall. Just make sure you harden it appropriately. If you're more interested in the potentially malicious traffic that has made it inside the perimeter, then monitor inside.

There are legitimate political, budgetary and research reasons to want to see all the "attacks" against your connection, but given the care and feeding any IDS like Snort requires, do yourself a favor and keep your IDS sensors on the inside of the firewall. We all know the Internet has a lot of evil traffic, so there's usually no need to waste the resources to prove it.

With the low capital cost of Snort (free) and the hardware to run it on (cheap) the real cost is your time and labor for implementation, configuration and ongoing monitoring. Ideally you want to have an IDS network sensor on your DMZ with all your public servers, on the LAN just inside the firewall and on your extranet if you have one, in that order. After that it depends on your environment. Consider your choke points, possible avenues of attack and your risk. Brainstorm for any possibly useful locations, prioritize them and then work down the list as resources allow. Any well-planned and well-tuned intrusion detection system will be an excellent addition to your defense-in-depth strategy. A poorly planned and noisy IDS will just be a nuisance.

ABOUT THE AUTHOR:

[IMAGE]JP Vossen, CISSP, is a Senior Security Engineer for Counterpane Internet Security. He is involved with various open source projects including Snort, and has previously worked as an information security consultant and systems engineer.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.