Placing Sensors Based on Network and Services Function

Placing Sensors Based on Arrangement and Casework Function

With abstruse changes and new threats, the adjustment of advance apprehension systems has acquired over time. Initially, IDSs were about deployed alone at the Internet ingress/egress point, alfresco the aggregation firewall. With the compassionate that conceivably best awful action emanates from aural an organization, this admission accepted bare in ecology all aegis threats. Now, with cost-effective, added avant-garde administration techniques and software, an added cardinal of IDSs can about be supported.

Note

When agreement an IDS, don't balloon to accede how to affix to the accessories for administration purposes already they are placed in the network. Aegis architects should architectonics and body able and reliable networks over which to administer the aegis infrastructure.

With the Cisco IDSM sensor modules and 4250 XL sensors, it is about attainable to abode IDS in amount arrangement environments. In abounding ways, this makes acceptable sense, aback a lot of cartage traverses the amount arrangement in abounding arrangement architectures and it is artlessly not achievable to position IDS in every administration and/or admission device. If the IDS deployed in an alignment can handle the amount arrangement speeds, it is about recommended to abode accessories there.

IDSs should additionally be positioned abreast the areas advised as analytical in the antecedent steps. This may beggarly that IDSs are deployed on DMZs, aloft or beneath firewalls, and abreast addition arrangement admission locations such as RAS or WAP segments. Let's attending at a brace examples that allegorize the adjustment of an IDS.

Case Study 1: Baby IDS Deployment

Our aboriginal archetype (Figure 2.3) involves the Nittany Corporation, who has a baby centralized arrangement and a server acreage DMZ that houses all internally and evidently accessed services. The alignment relies heavily on its e-commerce web armpit and e-mail server for business success.

Click To expand

Figure 2.3: Simple IDS Deployment

After absolutely investigating the arrangement architecture, the aegis ambassador knows that a lot of potentially alarming arrangement cartage flows from the Internet to the DMZ. She makes this arrangement her aboriginal antecedence for IDS. She additionally knows that the web and e-mail servers are absolutely analytical to business, so she chooses to arrange host sensors on these servers for added appliance band protection. Finally, the aegis ambassador knows, based on firewall alerts and log files, that a lot of attacks are directed appear the centralized arrangement of her company.

The Nittany Aggregation is small, however, and is belted to a adequately bound budget. Thus, it cannot allow assorted IDS sensors.

While the primary absorbed of the IDS deployment may be to aegis the company's analytical servers, the aggregation can get the added allowances of multinetwork advantage by selecting the Cisco 4215 IDS Sensor. By appliance the alternative 10/100Base-TX interfaces, the aegis ambassador can accompanying adviser the external, internal, and DMZ networks as credible earlier. Aback the 4215 is able of assuming at 80 Mbps, it is a acceptable choice—the company's centralized arrangement is alone 100 Mbps and the bifold Internet admission board almost 3 Mbps best accumulated throughput.

Furthermore, because she's called to install Cisco Host IDS sensors on the analytical servers, the Nittany Corporation will accept added aegis at the account endpoints operating systems and at the appliance layer.

From a amount perspective, this band-aid allows the aggregation to arrange IDS in assorted arrangement segments after the amount of added IDS sensors.

Case Study 2: Circuitous IDS Deployment

The added archetype involves a larger, added circuitous arrangement and casework ambiance with aerial bandwidth requirements. In this example, the ACME Aggregation is a ample aegis appliance alignment with a address campus arrangement and alien offices in seven cities. While anniversary breadth has its own aegis infrastructure, address contains best internally and evidently approved services. Arrangement and casework operations are centrally managed from the address office.

As a consultant, you accept been asked to analysis the ACME Aggregation aegis attitude with specific commendations to Advance Detection. ACME has a actual bound deployment of IDS, but, because of contempo hacking and bastard advance problems, seeks to arrange an enterprise-wide IDS solution.

So, breadth do you start? Based on what we've discussed so far, you should bethink that able deployment of Cisco IDS sensors involves, at a minimum, three accomplish as follows:

1.

Compassionate and allegory the network

2.

Identifying the analytical basement and services

3.

Agreement sensors based on arrangement and casework functions

You should additionally bethink the Cisco AVVID and SAFE advice from Chapter 1. Your aboriginal footfall is to map the arrangement to accept how routing, switching, and cartage breeze occurs in the ACME Company. While you're drawing, you add the SAFE modular architectonics to the map for reference.

Note

To abridge the arrangement map, some SAFE modules are accumulated breadth attainable in Figure 2.4.

Click To expand

Figure 2.4: Circuitous IDS Deployment Arrangement Map

When finished, your map should attending like Figure 2.4.

In your research, you actuate ACME is appliance BGP in the Corporate Internet Bore to board bombastic and load-balanced admission to the Internet. You additionally apprehend that, internally, ACME uses OSPF and routes bottomward to the Administration Cisco 4503 switches in the Architectonics Administration and Bend Modules. It's important to agenda that OSPF and BGP are accouterment active/active arrangement connectivity breadth attainable aback this can agitate an IDS, as we've ahead discussed. Use the alien offices avenue into the Campus Amount for connectivity.

The abutting footfall is to actuate the analytical casework and appliance band flows beyond the network. From Figure 2.4, it's credible that the E-Commerce and VPN/RAS Bore contains Internet attainable services. A lot of analytical services, such as DNS, E-mail, and E-commerce web sites are amid in this bore and, therefore, crave added security. VPN and alien admission casework are provided in this bore as well. There's additionally an centralized server acreage in the Server and Administration Module. Aback abounding of the arrangement administration systems (NMS), databases, and added analytical applications abide here, it's important to assure this breadth as well. Finally, you've fabricated agenda of the wireless admission that ACME has afresh installed in anniversary building. To ensure aegis in the wireless deployment, they board force audience to accredit and adit wireless admission to the VPN concentrator in the Server and Administration Module.

So, now that you've acquired a acceptable acknowledgment for the arrangement and analytical casework at the ACME Company, it's time to actuate breadth the best locations are for an IDS. In your discussions with ACME managers, you've bent that budget, while not infinite, apparently won't be a absorbed agency in your design. Based on the SAFE architecture, you accept to focus on arrangement areas added than the administration and bend networks.

Let's accept a attending at your IDS accomplishing by absorption on anniversary breadth in which you've called to abode IDS. The Server and Administration Bore is credible in Figure 2.5.

Click To expand

Figure 2.5: Server and Administration Bore IDS

The Account and Administration Bore is an capital allotment of the arrangement to protect. Therefore, you've absitively to install the Cisco Host IDS sensor on the analytical servers. You'll additionally charge to audit the cartage advancing and activity from the SAFE module. Don't balloon that it includes VPN cartage from all of your wireless audience in the admission band of the network. Because this allotment of the arrangement has high-bandwidth requirements, you baddest the Cisco 4250 XL Sensor, which provides gigabit performance, to audit traffic. Finally, this is the arrangement from which you'll be managing the absolute Cisco-based IDS infrastructure. Because you're alive in an enterprise-sized arrangement with assorted IDS sensors, you baddest CiscoWorks VMS, which will board administration capabilities for all your IDSs. For anniversary IDS deployment, you'll configure the Control and Reporting IDS sensor interface in a clandestine VLAN that communicates deeply aback to the VMS server.

Note

As ahead discussed, the baffled ambiance in the ACME Aggregation provides for active/active arrangement breeze beyond bombastic platforms. To board this design, IDSs charge appropriate accoutrement at the about-face so that they may audit cartage abounding beyond either of the ingress/egress paths. This could be able via trunks configured amid the about-face accessories over which RSPAN abstracts is shared.

Like the Casework and Administration Module, the E-Commerce and VPN/RAS Bore contains analytical servers and casework that crave added aegis protection. It's additionally a accelerated arrangement environment, with gigabit absorbed servers and switching devices. This blazon of accretion ambiance requires a agnate band-aid to that in the Casework and Administration Module. You amount servers with the Cisco Host IDS software and install addition Cisco 4250XL Sensor affiliated to the Cisco 4503 switches. This way, you'll be able to audit cartage at speeds of up to 1 Gbps and you'll accept host-based analysis and aegis for your servers. The E-Commerce and VPN/RAS Bore is credible in Figure 2.6.

Click To expand

Figure 2.6: E-Commerce and VPN/RAS Bore IDS

So far, you've done a acceptable job of attention the casework in the organization. But what about the aegis of the users and accepted arrangement infrastructure? As we discussed earlier, the SAFE architectonics doesn't accommodate IDS at the administration and bend networks. So breadth is a acceptable breadth to audit user traffic? Aback the ACME Aggregation uses the Cisco 6506 about-face belvedere in the core, you can best acceptable arrange the Cisco IDSM-2 Bore in the 6506 chassis. This accommodation will depend on the interface speeds and appliance of the Amount switches. If you're appliance beneath than 1 Gbps, the IDSM-2 Bore will assignment well. Again, the active/active arrangement architectonics in the amount is article you'll charge to consider. Like the added modules we've discussed so far, you'll charge article like RSPAN to barter cartage amid the amount switches. This will ensure your IDS can audit absolute arrangement flows, behindhand of which arrangement accessory they traverse. The Amount Bore is credible in Figure 2.7.

Figure 2.7: Amount Bore IDS

Now the ACME Enterprise appears to be defended on the inside. Don't balloon about the advanced door! Of course, you've advised that as well. The ACME Aggregation currently has two internet admission to two altered ISPs for redundancy. They're advantageous to accept Ethernet handoffs to their providers and use BGP attributes to administer arrangement cartage appropriately beyond the 10- and 100-Mbps connections. Aback the bombastic PIX firewalls are operating in an active/passive mode, all cartage will bisect the alive firewall beneath accustomed circumstances. Your IDS, therefore, can be implemented aloft the alive PIX, but will become abortive if the PIX firewalls fail-over. Again, you could use the RSPAN band-aid discussed previously.

The ISP admission are aerial speed, but not so fast as the centralized networks. Based on this information, accept the Cisco 4235 IDS Sensor aback it will accomplish at speeds up to 250 Mbps and will calmly abutment the best accumulated affiliation acceleration of 110 Mbps. You position these sensors aloft the firewalls (and possibly aloft the baffled interface on the Cisco 4503 switches) to audit all cartage to and from the ACME Company.

The Corporate Internet Bore is depicted in Figure 2.8.

Click To expand

Figure 2.8: Corporate Internet Bore IDS

Finally, you apprehend that one actual ingress/egress point exists in the ACME network, the frame-relay links to the seven alien appointment locations. Anniversary appointment is configured actual similarly, so you can architectonics the alien appointment band-aid already and carbon it to anniversary site. Luckily, the alien sites already anniversary accept a Cisco 3640 router that provides WAN connectivity aback to the ACME amount arrangement Cisco 6506 switches. It makes faculty again to apparatus the Cisco IDS Bore for the 3600 alternation router. With this module, you'll be able to board IDS casework in anniversary alien breadth after acute added arbor space, cabling, or power, aback the bore inserts anon into the 3640 chassis. The Alien Armpit IDS band-aid is depicted in Figure 2.9.

Click To expand

Figure 2.9: Alien Armpit IDS

At this point, the ACME Aggregation appears to accept a adequately absolute IDS architecture. What added locations in the arrangement would be acceptable candidates for IDS? What processes should you use to tune the IDS infrastructure? What added aegis accessories could be deployed to access the aegis of the ACME network? Finally, how do we absolutely administer all of these aegis devices? These are all accomplished questions and accompany us aback to the Cisco Aegis Wheel concepts we discussed in Chapter 1. As a aegis professional, you charge to accede how policy, monitoring, response, testing, and administration all tie into your IDS deployment.