IDS mailing list archives

Re: Help for placing IDS sensors


From: "Eric Hacker" <focus () erichacker com>
Date: Tue, 24 Apr 2007 07:40:18 -0400

Digvijay,

If this is a new IDS build out and IDS is new to the organization,
then you WILL make mistakes along the way. You should plan to deploy,
learn, redeploy, learn, etc. So don't try too hard to get it right the
first time, just get some deployed.

You don't state what the reasons are for deploying IDS. This is
critical to understanding the best locations. There is no one type of
location that will be ideal for all needs.

If the driving need is compliance of some sort, then it's best to ask
those who will be verifying the compliance what they will be looking
for to validate the IDS deployment. Often, the answer is going to be,
"Do you have IDS?", "Yes", "Good, ....". If that's the need, then it
will be hard to justify the expense of monitoring the data generated
by 20 or more sensors. Might as well save electricity and focus on
only a few sensors so that the new staff can handle them.

If one is buying many IDS sensors and not adding resources for their
management and monitoring, might as well give up.

To best cover a large network from internal threats, I'd start at the
network layer with a behavioral IDS like Lancope, Mazu, or Arbor.

The only way to get sensors to function "as perfect as inline" is to
have them inline. There are those of us who might argue that inline is
not perfect. For many threats, one would want to isolate the threat as
close to the threat as possible, though one may initially detect the
threat at some distance. Other applications are too critical to be
taken out by an inline false positive. If one doesn't have a good idea
what these applications are going in, then inline may be hazardous to
one's employment.

Those are all generalizations, I know. You may think that your network
diagram is specific, but I hope I've illustrated that the network is
only a small part of the overall security monitoring strategy. The
specific locations of sensors must be driven by that strategy for a
successful IDS program.

Regards,
--
Eric Hacker, CISSP

aptronym (AP-troh-NIM) noun
A name that is especially suited to the profession of its owner

I _can_ leave well enough alone, but my criteria for well enough is
pretty darn high.
