Sensor Deployment Considerations

Sensor Deployment Considerations

Extensive planning and preparation are required before deploying sensors on your internetwork. Until some auditing and planning are done, you can’t even be sure which sensors are needed. Before you can begin installing your sensors, you must first understand where and how your sensors should be installed. Consider the following factors when you plan the deployment strategy for your network sensors:

  • Network entry points

  • Network size and complexity

  • Amount and type of traffic to be monitored

While each network has its own characteristics and caveats, some common strategies have worked for other Security Engineers across many different and unique network infrastructures. The strategy you choose depends on what you want your intrusion detection system to accomplish. Some IDS systems allow sensors to manage perimeter devices such as routers and firewalls, while other IDS systems are engineered to be passive and only monitor the traffic and actions taking place on the network. Your security policy should dictate the strategy you’ll use in engineering your IDS environment and deciding on a sensor deployment strategy.

Network Entry Points

The sensor is designed to monitor all traffic crossing a given network segment. You must consider all external network connections and remote access points you want to protect. The four basic entry points to consider are illustrated in Figure 25-1. Each of the four network entry locations includes the following:

Click To expand
Figure 25-1: Sensor deployment at network entry points
  • Internet Connections

  • Extranets

  • Intranets

  • Remote Access

The most common sensor deployment location is between the trusted internal network and the Internet. As seen in Figure 25-1, sensor 1 is located between the trusted network and the Internet. This deployment strategy is referred to as perimeter protection and the sensor is commonly paired with one or more firewalls to enforce security policies.

Internet Perimeter Protection Deployment

Different strategies can be used when deploying sensors to monitor perimeter Internet connections. Sensors can be placed in front of a filtering router or a firewall, or they can be placed behind the filtering router or firewall. For the highest level of protection, multiple sensors can be used: one in front of the router/firewall and another behind the router/firewall. As always, advantages and disadvantages exist to each possible physical configuration.

Monitoring Unfiltered Traffic

The actual physical placement of the sensor is unimportant. What the sensors are monitoring and where the control interfaces are connected is what’s important. As seen in Figure 25-2, the sensor has been logically placed in front of the filtering router by connecting the monitoring interface between the ISP router and the filtering router. In this example, the outermost router is the filtering router/firewall. The sensor monitors all incoming and outgoing traffic, but inbound traffic from the Internet is monitored before it’s been filtered by the firewall. If you want (or need) to see all intrusion or denial of service (DoS) attempts before they’re filtered, you should consider this deployment strategy.

Click To expand
Figure 25-2: Sensor in front of a filtering device

Because the sensor is placed in front of the filtering device, it will monitor all inbound traffic, including traffic that might be dropped at the filtering device. Another weakness to this deployment strategy is internal network traffic isn’t monitored. Hackers could take advantage of this weakness and attack your network resources from an internal host, which would go undetected by the sensor placed in front of the filtering device.

Monitoring Filtered Traffic

Sensors can also be placed behind the filtering router or firewall. Figure 25-3 illustrates a common Internet connection where the sensor’s monitoring interface is located behind the filtering router. The control interface is connected to the filtering device to allow for device management. This deployment strategy is often called a firewall sandwich, because the sensor has an interface connected to the interior network and the control interface is connected to a firewall. Therefore, the firewall or filtering device is sandwiched between the sensors’ two interfaces. A firewall sandwich is the Cisco preferred deployment method of using CIDS sensors in conjunction with a firewall.

Click To expand
Figure 25-3: Sensor behind a filtering device

Placing a sensor’s monitoring interface behind a filtering router or firewall prevents the sensor from monitoring traffic the filtering router rejects. One disadvantage to this placement strategy is the sensor is unaware of any policy violations the filtering device stops. To compensate for this, your firewall or filtering router should have some mechanism to notify security personnel when security violations are attempted. To provide the highest level of protection, you can choose to have sensor’s located in front of and behind the filtering device.

Monitoring Both Filtered and Unfiltered Traffic

To create the highest security posture, you can install a sensor on the inside and the outside of your Internet filtering device. One sensor will monitor all incoming Internet traffic before being filtered and another sensor will monitor internal traffic, as well as all incoming filtered Internet traffic. The only disadvantage to this configuration is the cost associated with purchasing and managing the additional sensors.

Extranets’ Business Partner Networks

Many companies with medium-to-large networks have connections to their business partner networks. These connections include network extensions that connect to vendors, customer companies, and governmental agencies. You might or might not have control over the security policies implemented over these connections. Intruders could manipulate their way into your business partner’s networks, and then leverage those connections to compromise your network. In addition, you want to prevent anyone from using your network to attack your business partners. You should deploy sensors to monitor all incoming and outgoing traffic to all business partner networks.

Intranets’ Business Divisions

Many large corporations have a hierarchical network design consisting of many different divisional networks, all of which connect to a central corporate backbone. Sensors can be placed at these network boundaries to monitor traffic crossing from one divisional network to another. Different departments commonly have different security policies. For example, company A, an insurance company, could have many different departments with different security policies. The division of the company that processes medical records must adhere to strict governmental security policies, while company A’s billing department isn’t regulated and can have a less-strict security policy. Sensors can be placed between these two departments to validate that the proper security measures are in place.

Remote Access Networks

Most networks provide a mechanism that allows access to the company network for remote users. This remote access area represents another critical entry point into your network. Hackers will attempt to find and exploit any mechanisms that provide access into your protected network. Remote access networks and servers are a common target of intruders and many intrusions are initiated from these resources. You should monitor all remote access mechanisms, such as servers, VPNs, and dial-up accounts. Placing a sensor between the core network and the remote access network allows security administrators to view and monitor remote incoming traffic.

Network Size and Complexity

The larger and more complex your network, the more likely you’ll be forced to deploy multiple sensors throughout the internetwork. Some company departments manage their own Internet and business partner connections, as well as security policies. When the network and security management lacks central control, you’re forced to increase the number of sensor and director platforms to monitor your network threats properly. Thankfully, CIDS can be centrally or locally managed, but the more distributed the network, the higher the cost associated with protecting the entire network.

The Amount and Type of Traffic

While some models of the 4200 series network sensor appliance are capable of monitoring up to 500 Mbps, no sensors are capable of monitoring gigabit or multi-gigabit connections. Some network design changes may be required to allow for the inclusion of your intrusion detection system.

Part III: Virtual Private Networks (VPNs)