IDS Sensor Placement

  • Slides: 17

IDS Sensor Placement
• IDS placement means deciding where to fit an IDS into your network from a network architecture standpoint.
• It can be difficult to balance your desire to monitor as much of your network as possible against financial and staffing limitations.
• This section discusses IDS sensor placement: the need for multiple IDS sensors and where they are typically placed in a network, issues that can affect sensor placement, and the advantages of implementing a separate IDS management network.

Deploying Multiple Network Sensors
• In many environments, you should deploy multiple IDS sensors. Each sensor generally monitors a single network segment.
• In a small organization with a simple network architecture and limited traffic, a single sensor might be adequate, although more than one might still be advisable in high-security situations.
• In larger environments, particularly those with many network segments, those that offer substantial Internet-based services, and those with multiple Internet access points, multiple sensors are almost certainly needed to adequately monitor network traffic.

Deploying Multiple Network Sensors
• Deploying more intrusion detection sensors usually produces better results.
• By deploying sensors on various network segments, you can tune each of them to the traffic you typically see on that segment: the types of hosts that use it and the services and protocols that traverse it.
• You would probably tune a sensor on an Internet-connected segment much differently than one that monitors traffic between two tightly secured internal portions of your network.

Deploying Multiple Network Sensors
• If you deploy only one sensor, the amount of tuning you can do is generally quite limited. Of course, if you deploy multiple sensors, you need to be prepared to handle the increased number of alerts that will be generated.
• Placing additional sensors on the network is not very helpful if administrators do not have time to maintain and monitor them.
• Another reason for using multiple sensors is fault tolerance: the IDS as a whole keeps monitoring when a single sensor fails.

Placing Sensors Near Filtering Devices
• Typically, you deploy IDS sensors near Internet access points, where they are often paired with firewalls or packet filters.
• Sometimes you place a sensor on one side of the filtering device, and sometimes on both sides. For example, an Internet firewall might have an IDS sensor on the external network segment to identify all suspicious activity, and a second IDS sensor on the internal network segment to identify the suspicious activity that passes through the firewall from the outside.
• If possible, deploy sensors on both sides of firewalls and packet filters.

Placing Sensors Near Filtering Devices
• If financial or other resource constraints limit you to one sensor per filtering device, it's often recommended that the sensor be placed on the outside network so that it can detect all attacks, including those that don't get through the filtering.
• However, in some cases you might prefer to put the sensor on the inside network.
• Sensors on an outside network, particularly one that is connected to the Internet, are more likely to be attacked, and they also have to process much more traffic than a sensor on an inside network.

Placing Sensors Near Filtering Devices
• If your staff has limited time to perform intrusion analysis and can only address the most serious threats, putting the sensor on the inside network collects data and generates alerts only on attacks that actually get into the network.
• Another advantage of putting a sensor on the inside network is that it can help you determine whether your filtering device is misconfigured.
• If you're limited to one sensor, your firewall policies might be relevant to its placement. You should also consider outgoing traffic from compromised or malicious hosts within your own environment.

Placing Sensors Near Filtering Devices
• If your firewall has a default-deny policy for outgoing traffic, a sensor on the inside network is required to identify attacks that your internal hosts attempt against external hosts but that your firewall blocks.
• If your firewall has a default-allow policy for outgoing traffic, the sensor's location is much less important (as long as there's one near your firewall).
• Another factor in sensor deployment is the volume of data to be processed. If a network segment carries an extremely high volume of data, you might want to deploy multiple sensors with different configurations to split the traffic.

Placing Sensors Near Filtering Devices
• Once a sensor starts dropping packets, you will almost certainly experience more false positives and false negatives.
• If your external network sees extremely high volumes of traffic, consider putting a sensor outside the firewall that is tuned to identify only the most severe attacks, particularly flooding-type attacks meant to cause a denial of service against your Internet connectivity or firewall.
• Use a second sensor inside your firewall to do more detailed analysis; this sensor should see a significantly smaller volume of data than the first.

Working with Encryption
• When planning network IDS sensor placement, you must consider how to deal with encrypted network traffic, such as VPN connections.
• IDS sensors certainly don't have the capability to decrypt traffic, and that's a good thing. Even if all the traffic on a certain network segment is encrypted, it might still be valuable to deploy a sensor there to examine packet headers and look for unencrypted traffic.
• To monitor the content of traffic that was encrypted, deploy IDS sensors at the first point in the network where the decrypted traffic travels.
• In addition, put host-based IDS software on the host that decrypts the traffic, because it's a likely target for attacks.

Processing in High-traffic Situations
• The amount of traffic that IDS sensors can process depends on many factors, including which product is used, which protocols or applications are most common on the segment, and which signatures the sensors have been directed to look for.
• Therefore, there is no simple answer to what volume of traffic any particular product can handle.
• IDS sensors reach their capacity before firewalls do, primarily because IDS sensors examine packets far more deeply than other network devices do.

Configuring Switches
• If portions of the network you would like to monitor are switched, ensure that you configure your IDS sensors and switches appropriately.
• Switches must have their spanning (mirror) ports configured properly for network IDS sensors to see all the traffic passing through the switches.
• This critical configuration has adversely affected many IDS deployments. A sensor that tries to monitor traffic on an improperly configured switch might see no traffic at all, or it might see only part of the traffic, such as only one side of two-way TCP connections, which is only marginally better than seeing nothing.
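Two of the points above can be turned into a concrete check on the sensor's own feed: when a busy segment is split across several sensors (the "Placing Sensors Near Filtering Devices" slides), both directions of a connection must land on the same sensor, and a feed in which many TCP flows are seen in only one direction is the classic symptom of a misconfigured spanning port. The Python below is an added example, not code from the original presentation; its packet summaries are constructed sample data, and the tuple layout and sensor count are assumptions made for the example.

```python
"""Flow-direction checks for a network IDS sensor feed.

Added example, not part of the original slides.  It demonstrates:
  * assign_sensor():  a symmetric flow hash, so that when a busy segment is
    split across several sensors both directions of a connection go to the
    same sensor (otherwise every sensor sees only half of every session);
  * find_one_sided_flows():  the "only one side of a two-way TCP connection"
    symptom of a badly configured spanning/mirror port, derived from what
    the sensor actually observed.
The packet summaries are constructed sample data, not a real capture.
"""
import zlib
from collections import defaultdict

# Constructed sample feed: (src_ip, src_port, dst_ip, dst_port, tcp_flags).
# Flows 1 and 3 are seen in both directions; flow 2 (client 198.51.100.7 to
# web server 192.0.2.25) is seen only client-to-server.
SAMPLE_PACKETS = [
    ("203.0.113.5", 40001, "192.0.2.10", 443, "S"),
    ("192.0.2.10", 443, "203.0.113.5", 40001, "SA"),
    ("203.0.113.5", 40001, "192.0.2.10", 443, "A"),
    ("198.51.100.7", 51000, "192.0.2.25", 80, "S"),
    ("198.51.100.7", 51000, "192.0.2.25", 80, "A"),
    ("192.0.2.30", 55555, "203.0.113.99", 22, "S"),
    ("203.0.113.99", 22, "192.0.2.30", 55555, "SA"),
]


def flow_key(src_ip, src_port, dst_ip, dst_port):
    """Direction-independent key: the two endpoints in sorted order, so that
    A->B and B->A produce the same key."""
    a, b = (src_ip, src_port), (dst_ip, dst_port)
    return (a, b) if a <= b else (b, a)


def assign_sensor(src_ip, src_port, dst_ip, dst_port, sensor_count):
    """Choose which of sensor_count sensors should analyse this packet.

    Hashing the symmetric key (rather than the raw src/dst tuple) keeps
    request and reply on one sensor, which stateful signatures require.
    """
    key = flow_key(src_ip, src_port, dst_ip, dst_port)
    return zlib.crc32(repr(key).encode()) % sensor_count


def find_one_sided_flows(packets):
    """Return sorted keys of flows for which only one direction was observed."""
    senders_seen = defaultdict(set)
    for src_ip, src_port, dst_ip, dst_port, _flags in packets:
        senders_seen[flow_key(src_ip, src_port, dst_ip, dst_port)].add((src_ip, src_port))
    return sorted(key for key, senders in senders_seen.items() if len(senders) < 2)


def span_health(packets):
    """Summarise the feed: a high one-sided ratio means the mirror port is
    probably forwarding only one direction (for example only tx or only rx)."""
    total = len({flow_key(s, sp, d, dp) for s, sp, d, dp, _ in packets})
    one_sided = len(find_one_sided_flows(packets))
    return {"flows": total, "one_sided": one_sided,
            "one_sided_ratio": (one_sided / total) if total else 0.0}


if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt[:4], "-> sensor", assign_sensor(*pkt[:4], sensor_count=3))
    print(span_health(SAMPLE_PACKETS))
```

On a real sensor the same keys would be derived from a capture rather than from a list of tuples. The design point is that whatever splits the traffic, whether this script, a switch or a packet broker, must hash on a direction-independent key; a hash over the raw source/destination tuple sends the two halves of every session to different sensors and reproduces, at the sensor level, exactly the one-sided view the slide warns about.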

Using an IDS Management Network
• To improve the security of your network IDS sensors, you might want to create a separate management network used strictly for communication among IDS sensors, a centralized IDS data collection box, and analyst consoles.
• In this model, each network IDS sensor has at least two network interface cards (NICs). One or more NICs sniff traffic from the monitored networks as their sole function; these NICs do not transmit traffic.
• The remaining NIC is connected to the separate management network, which is used only for transferring IDS data and configuration updates. This is also known as out-of-band management of the network IDS.

Using an IDS Management Network
• By implementing such an architecture, you make it much more difficult for attackers to find and identify an IDS sensor, because it will not answer requests directed toward its monitoring NICs.
• Because the management NIC is on an isolated network, attackers shouldn't be able to reach it. Also, most monitoring NICs are pure sniffers and do not use an IP address.
• If an IDS sensor uses an IP address and an attacker knows what that address is, the attacker could launch a DoS against it so that it couldn't see her attacks, or she could otherwise try to hide or obfuscate her traffic from the sensor.
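To verify that a sensor actually matches the two-NIC layout described above, the following Python is an added example, not code from the original presentation. It reads the interface list in the JSON layout that `ip -j addr show` prints on Linux and reports any monitoring NIC that carries an address or is not in promiscuous mode, and a management NIC that is down or outside the expected subnet; the interface names, the sample record and the management subnet are assumptions made for the example.

```python
"""Audit a network IDS sensor's interfaces against the out-of-band layout:
one or more silent sniffing NICs plus one management NIC.

Added example, not part of the original slides.  The input follows the JSON
that `ip -j addr show` prints on Linux (ifname, flags, addr_info); the record
used here is constructed sample data, and the interface names and management
subnet are assumptions for the example.
"""
import ipaddress
import json

# Assumed management subnet for this example.
MGMT_NET = ipaddress.ip_network("10.99.0.0/24")

# Constructed sample in `ip -j addr show` layout: eth0 is the management NIC,
# eth1 is a correctly configured sniffing NIC (promiscuous, no address), and
# eth2 is a sniffing NIC someone left with an address and without PROMISC.
SAMPLE_IP_ADDR_JSON = json.dumps([
    {"ifname": "lo", "flags": ["LOOPBACK", "UP", "LOWER_UP"],
     "addr_info": [{"family": "inet", "local": "127.0.0.1", "prefixlen": 8}]},
    {"ifname": "eth0", "flags": ["BROADCAST", "MULTICAST", "UP", "LOWER_UP"],
     "addr_info": [{"family": "inet", "local": "10.99.0.12", "prefixlen": 24}]},
    {"ifname": "eth1", "flags": ["BROADCAST", "MULTICAST", "PROMISC", "UP", "LOWER_UP"],
     "addr_info": []},
    {"ifname": "eth2", "flags": ["BROADCAST", "MULTICAST", "UP", "LOWER_UP"],
     "addr_info": [{"family": "inet", "local": "192.0.2.40", "prefixlen": 24}]},
])


def audit_sensor_interfaces(ip_addr_json, mgmt_iface, monitor_ifaces, mgmt_net=MGMT_NET):
    """Return a list of findings; an empty list means the layout is as intended."""
    findings = []
    ifaces = {i["ifname"]: i for i in json.loads(ip_addr_json)}

    # Management NIC: up, exactly one IPv4 address, inside the management net.
    mgmt = ifaces.get(mgmt_iface)
    if mgmt is None:
        findings.append(f"{mgmt_iface}: management interface not present")
    else:
        v4 = [a["local"] for a in mgmt.get("addr_info", []) if a.get("family") == "inet"]
        if "UP" not in mgmt.get("flags", []):
            findings.append(f"{mgmt_iface}: management interface is down")
        if len(v4) != 1:
            findings.append(f"{mgmt_iface}: expected one IPv4 address, found {len(v4)}")
        for addr in v4:
            if ipaddress.ip_address(addr) not in mgmt_net:
                findings.append(f"{mgmt_iface}: {addr} is outside management net {mgmt_net}")

    # Monitoring NICs: up, promiscuous, and carrying no address at all.  Even an
    # IPv6 link-local address makes the NIC answer neighbour discovery, which is
    # enough to reveal that something is listening on the segment.
    for name in monitor_ifaces:
        iface = ifaces.get(name)
        if iface is None:
            findings.append(f"{name}: monitoring interface not present")
            continue
        flags = iface.get("flags", [])
        if "UP" not in flags:
            findings.append(f"{name}: monitoring interface is down")
        if "PROMISC" not in flags:
            findings.append(f"{name}: not in promiscuous mode, will only see traffic addressed to it")
        for a in iface.get("addr_info", []):
            findings.append(f"{name}: monitoring interface has address {a.get('local')} ({a.get('family')})")
    return findings


if __name__ == "__main__":
    for line in audit_sensor_interfaces(SAMPLE_IP_ADDR_JSON, "eth0", ["eth1", "eth2"]):
        print(line)
```

On a real sensor you would pass the output of `ip -j addr show` (for example via `subprocess.run(["ip", "-j", "addr", "show"], capture_output=True, text=True).stdout`) instead of the sample string; the checks themselves do not change. Running it from a scheduled job on the sensor catches the common drift cases: an address handed to a sniffing NIC by DHCP, or a NIC that lost its promiscuous flag after a reboot.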

Using an IDS Management Network
• Implementing a separate management network has other advantages. It isolates management traffic so that anyone else monitoring the same network doesn't see your sensors' communications.
• It also prevents the sensors from monitoring their own traffic. A separate network might also be a good way to deal with potential problems related to passing sensor data through firewalls and over unencrypted public networks.

Maintaining Sensor Security
• It's critical that you harden your IDS sensors to make the risk of compromise as low as possible.
• If attackers gain control of your IDS, they could shut it off or reconfigure it so that it can't log or alert you about their activities.
• Attackers might also be able to use your IDS to launch attacks against other hosts.
• If attackers can get access to your IDS management network, they might be able to access all your sensors.
• Maintaining the security of your sensors is key to creating a stable and valuable IDS solution.