Cisco IDS Sensor Deployment Considerations

Date: Feb 15, 2002. By Earl Carter. Article is provided courtesy of Cisco Press.
When installing your Cisco IDS, you must determine where to place IDS Sensors to watch the traffic on your network. The first step is to analyze your network topology and identify the critical components on your network. Earl Carter describes the steps you must follow to guarantee the success of your Cisco IDS installation.

Cisco IDS sensors form the eyes and ears of your Cisco network intrusion detection system. Placing sensors correctly throughout your network is crucial to successfully implementing your Cisco intrusion detection system. Before deploying your sensors, however, you must thoroughly understand your network topology, as well as the critical systems on your network that attackers will attempt to compromise. Even after you have identified the locations on your network where you plan to deploy your sensors, you still need to decide on how to configure these sensors to maximize their effectiveness toward protecting your network.

Analyzing Your Network Topology

Before you can begin deciding where to deploy Cisco IDS sensors on your network, you must analyze your network topology. Some of the key factors to consider when conducting this analysis are the following:

  • Internet entry/access points
  • Extranet entry points
  • Remote access
  • Intranet separation

Almost all networks provide some type of connectivity to the Internet. This connectivity, however, is also a prime target for millions of potential attackers. Therefore, the first place that you should protect with your Cisco IDS is your organization's Internet connection. When analyzing connections with the Internet, it is easy to stop at the main Internet access point. To correctly protect your network, however, you need to make sure that you identify all possible Internet connections.

Once you have identified your Internet entry points, you need to determine the connections that you have with other organizations. These connections are sometimes referred to as extranet connections. They are usually associated with business partners or other organizations that your organization needs to communicate with on a regular basis. These connections open up your network to attack via the organizations that you conduct business with. They also open up the possibility that an attacker can attack those organizations via your network, which raises many interesting legal issues.

More and more employees are starting to telecommute. Furthermore, more employees also need to maintain access to their local networks when they are traveling. Both of these situations require you to establish some form of remote access capability on your network. Remote access, however, is another prime target for attackers. Mapping out all of your remote access entry points into your networks is vital to successfully securing your network against attack. This includes all modems connected to your network.

The final area that you need to analyze on your network topology deals with internal separation points. Most organizations are divided into multiple departments. Each of these departments probably shares some common servers, such as DNS and email. Similarly, these organizations usually utilize some departmental servers that should be accessed only by specific users. To enforce your organization's security policy, you must clearly understand where these departmental boundaries lie. Furthermore, you must clearly understand what traffic is allowed and what traffic is not allowed to cross these internal barriers.

Critical Components

After you have analyzed your network topology, you should have a clear understanding of how an attacker can gain access to your network (both internal and external attackers). The next thing that you need to do is define the critical components on your network. These systems represent highly prized targets for an attacker.

Servers

Although every network is unique, there are some common categories of critical machines that you can start with in analyzing your specific network. The first category is servers. Every network has a multitude of different servers. Some common examples include Mail servers, DNS servers, DHCP servers, NFS servers, and Web servers.

Infrastructure Components

The second category of critical systems is your infrastructure components. These components include your routers and switches. These devices enable the hosts on your network to communicate with each other. By gaining control of any of your infrastructure components, an attacker can severely disrupt the operation of your network.

Security Components

A final category of devices includes the security components that protect your network. These components include devices such as firewalls and IDS components. Because these devices are used to protect your network from attack, they need to be thoroughly hardened against attacks. If an attacker can compromise any of the devices protecting your network, it is difficult to prevent him from compromising other systems on the network as well.

Sensor Placement

First, you analyzed the topology of your network to understand the paths that an attacker can use to gain access to your network. Then you identified critical components because they will probably be targeted by many of the attacks against your network. Now it is time to consider where you need to place Cisco IDS sensors on your network to watch for potential hostile activity. To provide thorough IDS coverage of your network, you need to watch for intrusive activity at all of the common functional boundaries on your network. Figure 1 illustrates a typical network configuration.

Figure 1 Typical network configuration

Examining Figure 1, you can see that the major areas that you need to consider placing IDS sensors are:

  • Perimeter protection
  • Extranets
  • Remote access
  • Intranets

Sensors 1 and 2 in Figure 1 are watching the perimeter of the network. Usually, this perimeter is protected by a firewall. Therefore, Sensor 1 is located outside the firewall so that it can monitor all the attacks that are launched against your network from the untrusted network. Sensor 2 is also watching for attacks against your network from the untrusted network. However, it will only observe attacks that have successfully penetrated the firewall.

Sensor 3 in Figure 1 is positioned to monitor the traffic between the protected network and a business partner's network. Any attacks originating from your business partner (or launched from your network) will be observed by this sensor. Sensor 4 provides this same protection, but for traffic originating from your remote access users.

Sensors 5 and 6 in Figure 1 illustrate the way IDS sensors can be used to monitor the flow of traffic between different internal groups on the network. Sensor 5 is protecting the Engineering network, whereas Sensor 6 is protecting the Finance network.

Installation Configurations

Having determined the locations on your network at which you want to install your Cisco IDS sensors, you must then decide the sensor configuration that you plan to use at each of these locations. The common installation configurations are as follows:

  • Standalone sensor
  • Device management
  • Firewall sandwich
  • Remote sensor

Standalone Sensor Configuration

In a standalone sensor configuration (see Figure 2), your sensor watches for intrusive traffic, but has limited capability to react to the attacks detected. It can perform IP Logging to capture a history of the intrusive traffic, and if the attack is TCP-based, the sensor can generate TCP resets in an attempt to halt the intrusive activity. In the standalone configuration, the sensor usually communicates alarms and other information to the Director via a separate command and control network connection, as illustrated in Figure 2.

Figure 2 Standalone sensor configuration

Device Management Sensor Configuration

The standalone configuration is fairly limited in the response that it can take with respect to attacks against your network. A more robust configuration includes the device management sensor configuration. In this configuration (also known as IP blocking), your Cisco IDS sensor gains the capability to dynamically update an Access Control List (ACL) on your router to halt current and future attacks from the source IP address that is attacking your network. In this configuration (illustrated by Figure 3), your Cisco IDS sensor detects attacks against your network, and generates alarms based on the attack signatures that are observed. If any of these signatures is configured for IP Blocking, then the sensor telnets into the router to automatically block the offending host by updating the ACL.

Figure 3 Device management sensor configuration
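As an added illustration (not code from the article or from Cisco's sensor or Director software), the following Python models the IP Blocking decision described above and renders the extended ACL the sensor pushes to the router. The signature IDs, addresses, ACL name and the never-block list are constructed assumptions; the never-block list is an added safeguard so that an alarm triggered by packets with a spoofed source cannot cause the sensor to block the Director, the firewall or a business partner.

```python
"""Model of the device-management (IP blocking) response: constructed example,
not Cisco's own code. Signature IDs and addresses below are made up."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Alarm:
    signature_id: int   # signature that fired (constructed IDs, not real Cisco IDs)
    src_ip: str         # attacking host as seen by the sensor
    dst_ip: str         # protected host that was targeted


@dataclass
class BlockingPolicy:
    blocking_signatures: set                      # signatures configured for IP Blocking
    never_block: list = field(default_factory=list)  # networks the sensor must never block
    acl_name: str = "IDS_BLOCK"                   # ACL the sensor rewrites on the router


def should_block(alarm: Alarm, policy: BlockingPolicy) -> bool:
    """Block only when the signature is configured for IP Blocking and the
    source is not inside a never-block network (protects against spoofed sources)."""
    if alarm.signature_id not in policy.blocking_signatures:
        return False
    src = ip_address(alarm.src_ip)
    return not any(src in ip_network(net) for net in policy.never_block)


def process_alarms(alarms: list, policy: BlockingPolicy) -> list:
    """Return the ordered, de-duplicated list of source hosts to block."""
    blocked = []
    for alarm in alarms:
        if should_block(alarm, policy) and alarm.src_ip not in blocked:
            blocked.append(alarm.src_ip)
    return blocked


def render_acl(blocked: list, policy: BlockingPolicy) -> str:
    """Render the IOS extended ACL the sensor would write: one deny line per
    blocked host, followed by the permit-any that keeps normal traffic flowing."""
    lines = [f"ip access-list extended {policy.acl_name}"]
    lines += [f" deny ip host {host} any" for host in blocked]
    lines.append(" permit ip any any")
    return "\n".join(lines)


# Constructed sample alarms using RFC 5737 documentation addresses.
SAMPLE_POLICY = BlockingPolicy({1001}, never_block=["203.0.113.0/24"])
SAMPLE_ALARMS = [
    Alarm(1001, "192.0.2.55", "198.51.100.10"),   # blocking signature: block source
    Alarm(1002, "192.0.2.56", "198.51.100.10"),   # alarm-only signature: no block
    Alarm(1001, "203.0.113.7", "198.51.100.10"),  # partner network: never block
    Alarm(1001, "192.0.2.55", "198.51.100.20"),   # same source again: no duplicate
]
```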

Firewall Sandwich Sensor Configuration

Network administrators typically use firewalls to protect the perimeters of their networks. These firewalls are used to limit the flow of traffic into and out of your protected network. Therefore, placing a sensor to monitor the traffic attempting to gain access to your protected network makes perfect sense. It also eliminates the need to use two interfaces on the router when device management is used. This is the preferred Cisco IDS sensor installation configuration.

When deploying a sensor in conjunction with a firewall, you can create what is commonly called the firewall sandwich sensor configuration. In this configuration (see Figure 4), the Cisco IDS sensor is watching traffic on the outside of the firewall. The command and control interface is connected to either the internal firewall network or a DMZ network on the firewall, with the firewall being sandwiched in the middle. When attacks are detected, the sensor can telnet out through the firewall to perform IP blocking on the router located outside of the firewall.

Figure 4 Firewall sandwich sensor configuration

Remote Sensor Configuration

The final sensor configuration that we will examine is known as the remote sensor configuration. In this configuration, you need to operate a sensor on a remote network. This means that you must protect the traffic from the sensor as it travels to the Director because the traffic will be traveling over an untrusted network. A common way to accomplish this goal is to establish a Virtual Private Network (VPN) across the untrusted network (see Figure 5). The VPN protects all of the communication between the sensor and the Director.

Figure 5 Remote sensor configuration

Summary

Your Cisco IDS uses sensors to monitor your network for signs of intrusive activity. Understanding where to install your Cisco IDS sensors requires a thorough understanding of your network topology, as well as your critical systems. You must choose an installation configuration for each of your Cisco IDS sensors to provide the level of protection that your network demands. After following all of these steps, your Cisco IDS will be able to effectively monitor your entire network for intrusive activity.