Tip

Where to place IDS network sensors

After deciding to implement an IDS like Snort, determining your budget, choosing a product and understanding how NIDSes (network intrusion-detection systems) work in relation to network architectures (especially

    Requires Free Membership to View

    Login

network switches and VLANs) you will need to figure out where to place the IDS sensors that actually "sniff" the wire and monitor your network traffic. To determine that, you need to ask yourself three more questions: What is my risk, what am I trying to monitor and protect, and how does the traffic flow in my environment?

More information

Learn more about network firewalls with this comprehensive guide.

Learn about the ins and outs of intrusion detection.
As we discussed in the tip How to handle network design with switches and segments, intrusion detection systems and network switches don't get along, so you need to understand how traffic flows to and from the resources you need to protect in order to establish the best place(s) to monitor. One of the most obvious places to put an IDS sensor is near the firewall. But, do you put the network sensor inside the firewall, outside or both? If your goal is to see just what a bad neighborhood you've walked into when you connected to the Internet then by all means put an IDS sensor outside the firewall. Just make sure you harden it appropriately. If you're more interested in the potentially malicious traffic that has made it inside the perimeter, then monitor inside.

There are legitimate political, budgetary and research reasons to want to see all the "attacks" against your connection, but given the care and feeding any IDS like Snort requires, do yourself a favor and keep your IDS sensors on the inside of the firewall. We all know the Internet has a lot of evil traffic, so there's usually no need to waste the resources to prove it.

With the low capital cost of Snort (free) and the hardware to run it on (cheap) the real cost is your time and labor for implementation, configuration and ongoing monitoring. Ideally you want to have an IDS network sensor on your DMZ with all your public servers, on the LAN just inside the firewall and on your extranet if you have one, in that order. After that it depends on your environment. Consider your choke points, possible avenues of attack and your risk. Brainstorm for any possibly useful locations, prioritize them and then work down the list as resources allow. Any well-planned and well-tuned intrusion detection system will be an excellent addition to your defense-in-depth strategy. A poorly planned and noisy IDS will just be a nuisance.


SNORT INTRUSION DETECTION AND PREVENTION TECHNICAL GUIDE

  Introduction
  Why Snort makes IDS worth the time and effort
  How to identify and monitor network ports
  How to handle network design with switches and segments
  Where to place IDS network sensors
  Finding an OS for Snort IDS sensors.
  How to determine network interface cards for IDS sensors
  Modifying and writing custom Snort IDS rules
  How to configure Snort variables
  Where to find Snort IDS rules
  How to automatically update Snort rules
  How to decipher the Oinkcode for Snort VRT rules
  Using IDS rules to test Snort

ABOUT THE AUTHOR:
JP Vossen, CISSP, is a Senior Security Engineer for Counterpane Internet Security. He is involved with various open source projects including Snort, and has previously worked as an information security consultant and systems engineer.

This was first published in May 2005

Join the conversationComment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.

    Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

    Back to top