IDS mailing list archives
Re: Help for placing IDS sensors
From: "Eric Hacker" <focus () erichacker com>
Date: Tue, 24 Apr 2007 07:40:18 -0400
Digvijay,

If this is a new IDS build out and IDS is new to the organization, then you WILL make mistakes along the way. You should plan to deploy, learn, redeploy, learn, etc. So don't try too hard to get it right the first time, just get some deployed.

You don't state what the reasons are for deploying IDS. This is critical to understanding the best locations. There is no one type of location that will be ideal for all needs.

If the driving need is compliance of some sort, then it's best to ask those who will be verifying the compliance what they will be looking for to validate the IDS deployment. Often, the answer is going to be, "Do you have IDS?", "Yes", "Good, ....". If that's the need, then it will be hard to justify the expense of monitoring the data generated by 20 or more sensors. Might as well save electricity and focus on only a few sensors so that the new staff can handle them. If one is buying many IDS sensors and not adding resources for their management and monitoring, might as well give up.

To best cover a large network from internal threats, I'd start at the network layer with a behavioral IDS like Lancope, Mazu, or Arbor.

The only way to get sensors to function "as perfect as inline" is to have them inline. There are those of us who might argue that inline is not perfect. For many threats, one would want to isolate the threat as close to the threat as possible, though one may initially detect the threat at some distance. Other applications are too critical to be taken out by an inline false positive. If one doesn't have a good idea what these applications are going in, then inline may be hazardous to one's employment.

Those are all generalizations, I know. You may think that your network diagram is specific, but I hope I've illustrated that the network is only a small part of the overall security monitoring strategy. The specific locations of sensors must be driven by that strategy for a successful IDS program.
Regards,

-- 
Eric Hacker, CISSP

aptronym (AP-troh-NIM) noun
A name that is especially suited to the profession of its owner

I _can_ leave well enough alone, but my criteria for well enough is pretty darn high.