Having determined the locations on your network at which you want to install your Cisco IDS sensors, you must then decide the sensor configuration that you plan to use at each of these locations. The common installation configurations are as follows:
- Standalone sensor
- Device management
- Firewall sandwich
- Remote sensor
Standalone Sensor Configuration
In a standalone sensor configuration (see Figure 2), your sensor watches for intrusive traffic, but has limited capability to react to the attacks detected. It can perform IP Logging to capture a history of the intrusive traffic; and if the attack is TCP-based, then the sensor can generate TCP resets in an attempt to halt the intrusive activity. In the standalone configuration, the sensor usually communicates alarms and other information to the Director via a separate command and control network connection, as illustrated in Figure 2.
Figure 2 Standalone sensor configuration
Device Management Sensor Configuration
The standalone configuration is fairly limited in the response that it can take with respect to attacks against your network. A more robust configuration includes the device management sensor configuration. In this configuration (also known as IP blocking), your Cisco IDS sensor gains the capability to dynamically update an Access Control List (ACL) on your router to halt current and future attacks from the source IP address that is attacking your network. In this configuration (illustrated by Figure 3), your Cisco IDS sensor detects attacks against your network, and generates alarms based on the attack signatures that are observed. If any of these signatures is configured for IP Blocking, then the sensor telnets into the router to automatically block the offending host by updating the ACL.
Figure 3 Device management sensor configuration
Firewall Sandwich Sensor Configuration
Network administrators typically use firewalls to protect the perimeters of their networks. These firewalls are used to limit the flow of traffic into and out of your protected network. Therefore, placing a sensor to monitor the traffic attempting to gain access to your protected network makes perfect sense. It also eliminates the need to use two interfaces on the router when device management is used. This is the preferred Cisco IDS sensor installation configuration.
When deploying a sensor in conjunction with a firewall, you can create what is commonly called the firewall sandwich sensor configuration. In this configuration (see Figure 4), the Cisco IDS sensor is watching traffic on the outside of the firewall. The command and control interface is connected to either the internal firewall network or a DMZ network on the firewall, with the firewall being sandwiched in the middle. When attacks are detected, the sensor can telnet out through the firewall to perform IP blocking on the router located outside of the firewall.
Figure 4 Firewall sandwich sensor configuration
Remote Sensor Configuration
The final sensor configuration that we will examine is known as the remote sensor configuration. In this configuration, you need to operate a sensor on a remote network. This means that you must protect the traffic from the sensor as it travels to the Director because the traffic will be traveling over an untrusted network. A common way to accomplish this goal is to establish a Virtual Private Network (VPN) across the untrusted network (see Figure 5). The VPN protects all of the communication between the sensor and the Director.
Figure 5 Remote sensor configuration