Precise sensor placement and information management can increase network security
In "Protect Your Network from Intrusion," May 2002, InstantDoc ID 24650, I discuss the value of a network Intrusion Detection System (IDS) as part of a multilayered approach to network protection. For your network IDS to be effective, you must place the system's sensors where they can best contribute to your network's security. In addition, you must manage your network IDS, fine-tuning the sensors' alerts and monitoring the data that the sensors provide. When you correctly deploy a network IDS, you gain not only an early warning system but also a deterrent to attackers.
Placing Your Network IDS
As you prepare to deploy your network IDS, you need to know your network's architecture so that you can place the network IDS sensors effectively. Sensor placement is a key factor in your IDS's ability to protect your network from invasion. Let's approach the subject of placement by first reviewing how traffic comes into your network.
Traffic from the Internet enters your network through a router. At best, the router applies an initial set of filters before it lets traffic through. Ordinary router operation doesn't require such filters, but security experts recommend them. Router filtering acts as a first layer of defense, keeping out risky traffic such as Internet Control Message Protocol (ICMP) messages addressed to a broadcast address and packets that carry reserved source addresses. (ICMP is the basis for Smurf attacks, in which an attacker sends ping requests to a network's IP broadcast address with the victim's address forged as the source, so that every host on that network replies and floods the victim's Internet access link. Internet Engineering Task Force (IETF) Request for Comments (RFC) 1918 sets aside the private ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, which aren't meant to appear on the Internet or to be routed there, so a packet arriving from outside with such a source address is forged or misconfigured and can be dropped.) You can also filter outbound traffic, dropping packets whose source address doesn't belong to your own address space, to prevent compromised servers from sending spoofed connections to other networks.
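The router filtering just described, as an added example that is not part of the original article: a small Python model of the inbound and outbound filter policy, run over constructed packets. The public prefix 203.0.113.0/24, the sample addresses and the packets are assumptions for illustration only; a real router expresses the same rules in its own access-list syntax, and the point of the model is to make the rule order and the verdict for each packet explicit.

```python
"""Model of the border-router ingress/egress filter policy described above.

Added example, not the article's own code. The rules are the ones the text
recommends: drop inbound packets with RFC 1918 source addresses, drop ICMP
echo requests aimed at a broadcast address (Smurf amplification), drop
inbound packets that claim one of our own addresses as source, and drop
outbound packets whose source isn't ours (egress filtering). The public
prefix and the sample packets are constructed for the example.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Assumption: the organisation's public prefix (TEST-NET-3 used as a stand-in).
OUR_PREFIX = ipaddress.ip_network("203.0.113.0/24")

# RFC 1918 private ranges: must never arrive from, or be sent to, the Internet.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
ICMP_ECHO_REQUEST = 8  # ICMP type used by ping


@dataclass(frozen=True)
class Packet:
    direction: str       # "in" (from the Internet) or "out" (to the Internet)
    src: str
    dst: str
    proto: str           # "icmp", "tcp" or "udp"
    icmp_type: int = -1  # only meaningful when proto == "icmp"


def is_private(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def is_broadcast(addr):
    """Limited broadcast, or a directed broadcast into our own prefix."""
    ip = ipaddress.ip_address(addr)
    return ip == ipaddress.ip_address("255.255.255.255") or ip == OUR_PREFIX.broadcast_address


def filter_packet(pkt):
    """Return 'permit' or 'deny:<reason>' for one packet. First matching rule wins."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.direction == "in":
        if is_private(pkt.src):
            return "deny:rfc1918-source"
        if pkt.proto == "icmp" and pkt.icmp_type == ICMP_ECHO_REQUEST and is_broadcast(pkt.dst):
            return "deny:icmp-broadcast"       # Smurf: ping to broadcast with forged source
        if src in OUR_PREFIX:
            return "deny:spoofed-own-prefix"   # our addresses never legitimately arrive from outside
        return "permit"
    # Outbound (egress) rules.
    if src not in OUR_PREFIX:
        return "deny:egress-spoofed-source"    # a compromised host can't spoof its way out
    if is_private(pkt.dst):
        return "deny:private-destination"      # RFC 1918 space isn't routable on the Internet
    return "permit"


# Constructed traffic sample: one packet per deny rule plus legitimate traffic.
SAMPLE_PACKETS = [
    Packet("in", "10.1.2.3", "203.0.113.10", "tcp"),
    Packet("in", "198.51.100.7", "203.0.113.255", "icmp", ICMP_ECHO_REQUEST),
    Packet("in", "203.0.113.5", "203.0.113.10", "tcp"),
    Packet("in", "198.51.100.7", "203.0.113.10", "tcp"),
    Packet("in", "198.51.100.7", "203.0.113.10", "icmp", ICMP_ECHO_REQUEST),
    Packet("out", "192.168.1.5", "198.51.100.7", "tcp"),
    Packet("out", "203.0.113.10", "10.9.9.9", "udp"),
    Packet("out", "203.0.113.10", "198.51.100.7", "tcp"),
]


def apply_filters(packets):
    """Count verdicts over a batch of packets; handy for checking a rule set."""
    return Counter(filter_packet(p) for p in packets)


if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(f"{p.direction:3} {p.src:>15} -> {p.dst:<15} {p.proto:4} {filter_packet(p)}")
    print(dict(apply_filters(SAMPLE_PACKETS)))
```

Note that a unicast ping to an internal host is still permitted; the policy targets the broadcast amplifier, not ICMP as a whole, which keeps ordinary troubleshooting working.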
Figure 1 shows a network IDS set up at a corporate perimeter. Although the diagram is simplified for this discussion, you can see how such a setup can dramatically enhance border security. I recommend that you use at least two sensors and place them so that they give your network two layers of defense and give you comparative information with which you can verify your firewall settings. In the material that follows, I show you how the two sensors increase your network protection. You need at least two distinct points of reference to assess the completeness of your security perimeter.
Generally, IDS sensors have two network interfaces: one for monitoring traffic and one for management. The traffic-monitoring interface is unbound from any protocol, which means that the interface has no IP address and other entities can't communicate with it. (For information about how machines communicate with each other and what "promiscuous mode" means for your network interface, see "Protect Your Network from Intrusion.") When two machines on a nonswitched Ethernet segment communicate, every NIC on that segment receives the frames but discards those that aren't addressed to it. Placing the NIC in promiscuous mode turns that filter off, so the sensor's interface passes every frame it receives up to the IDS software. Network sniffers and IDSs therefore look at, record, or act upon all the network traffic they can see, regardless of the destination (unless you've told them to ignore all but some specific traffic). On a switched segment, promiscuous mode alone isn't enough, because the switch delivers each frame only to the port where its destination lives; that is why the sensor placement that follows relies on port mirroring.
Placing the outer sensor. If you examine the diagram that Figure 1 shows, you see that the first checkpoint for data coming into the network is an Ethernet switch to which you attach your first-level firewall. You can mirror the port that the firewall uses, through which all inbound and outbound packets pass, to a Switched Port Analyzer (SPAN) port, an excellent place to attach your first network IDS sensor (the upper line in red). By placing the sensor on a SPAN port rather than on a hub or on a Virtual LAN (VLAN) with the firewall, you reduce attackers' potential abuse of the sensor. Although the port the sensor uses has no protocol bound to it and an attacker can't directly address it, an incorrectly installed or misconfigured sensor can still cause problems (a monitoring interface that has mistakenly been given an IP address, for example, becomes reachable). Placing the sensor on the SPAN port eliminates most of that downside: the port simply mirrors another port and normally transmits only mirrored frames, discarding anything the attached device sends, so a broken sensor won't offer potential attackers a foothold. One caveat: mirroring a full-duplex port copies both directions of the firewall's traffic onto a single port, so on a busy link the SPAN port can be oversubscribed and the switch silently drops mirrored frames; check the sensor's packet-loss statistics, and consider a passive network tap if the link is heavily loaded. (For more about VLANs and the potential complications involved in securing them, see "Protect Your Network from Intrusion." Also see the VLAN Technical Brief at http://www.intel.com/network/connectivity/resources/doc_library/tech_brief/virtual_lans.htm.)
The outer sensor monitors the "barbarians at the gate," helping you gauge the external risk at any given time and also providing troubleshooting assistance, because it lets you see exactly what traffic is arriving. Keep in mind that no perimeter control stops attackers from attempting attacks or probes; what you can do is measure attempts (events) separately from attacks that actually get through (incidents). Seeing what occurs before traffic reaches your firewall shows you how well your access control works: an alert that appears only on the outer sensor represents traffic the firewall blocked, and one that appears on both sensors represents traffic that got through. The external sensor records that information for you. In the form of sensor logs and alerts, the external sensor provides your second level of defense (after router filtering) and a comparison point for the inner sensor. You can also use sensor information to adjust your firewall policy settings.
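An added example (not from the original article) of the outer-versus-inner comparison: it parses constructed Snort-style fast-alert lines from the two sensors, keys each alert on signature ID and the flow it fired on, and reports which events the firewall blocked, which became incidents, and which the outer sensor never saw. The alert lines, addresses and signature IDs (1000001 to 1000004, in the local-rule range) are invented for the example; the alert format is the Snort fast-alert layout, which the article does not mention and is assumed here only because it is compact and common.

```python
"""Outer-vs-inner sensor comparison described above.

Added example, not the article's own code. Each sensor writes Snort-style
"fast" alert lines. An alert that appears only on the outer sensor was
stopped by the firewall (an event); one that appears on both got through
(an incident); one that appears only on the inner sensor is traffic the
outer sensor never saw, which for an outbound connection from an internal
host means the firewall stopped it, and otherwise is an outer-sensor blind
spot worth investigating. Alert lines, addresses and signature IDs are
constructed for the example.
"""
import re
from collections import Counter

# Matches the Snort fast-alert layout:
#   <timestamp> [**] [gid:sid:rev] <msg> [**] [...] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):?(?P<sport>\d*) -> (?P<dst>[\d.]+):?(?P<dport>\d*)"
)

# Constructed sample: what the outer sensor (before the firewall) reported.
OUTER_ALERTS = """\
05/14-10:22:31.101 [**] [1:1000001:1] SCAN nmap TCP probe [**] [Priority: 2] {TCP} 198.51.100.7:44532 -> 203.0.113.10:23
05/14-10:22:31.205 [**] [1:1000001:1] SCAN nmap TCP probe [**] [Priority: 2] {TCP} 198.51.100.7:44533 -> 203.0.113.10:80
05/14-10:22:35.410 [**] [1:1000002:1] WEB-IIS unicode directory traversal [**] [Priority: 1] {TCP} 198.51.100.7:44540 -> 203.0.113.10:80
05/14-10:23:02.007 [**] [1:1000003:1] ICMP PING NMAP [**] [Priority: 3] {ICMP} 198.51.100.7 -> 203.0.113.10
"""

# Constructed sample: what the inner sensor (behind the firewall) reported.
INNER_ALERTS = """\
05/14-10:22:31.206 [**] [1:1000001:1] SCAN nmap TCP probe [**] [Priority: 2] {TCP} 198.51.100.7:44533 -> 203.0.113.10:80
05/14-10:22:35.411 [**] [1:1000002:1] WEB-IIS unicode directory traversal [**] [Priority: 1] {TCP} 198.51.100.7:44540 -> 203.0.113.10:80
05/14-10:25:17.880 [**] [1:1000004:1] POLICY IRC connection from internal host [**] [Priority: 2] {TCP} 203.0.113.10:1099 -> 198.51.100.200:6667
"""


def parse_alerts(text):
    """Return one dict per alert line; lines that don't match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def event_key(e):
    """Identity of an event across sensors: signature plus the flow it fired on."""
    return (e["sid"], e["src"], e["sport"], e["dst"], e["dport"])


def compare_sensors(outer_text, inner_text):
    """Split events into blocked (outer only), passed (both) and inner-only."""
    outer = {event_key(e) for e in parse_alerts(outer_text)}
    inner = {event_key(e) for e in parse_alerts(inner_text)}
    return {
        "blocked": sorted(outer - inner),      # firewall stopped it
        "passed": sorted(outer & inner),       # reached the inside: review the policy
        "inner_only": sorted(inner - outer),   # outer never saw it
    }


def summarize_by_signature(outer_text, inner_text):
    """Per signature ID: (attempts seen outside, attempts that got through)."""
    r = compare_sensors(outer_text, inner_text)
    events = Counter(k[0] for k in r["blocked"] + r["passed"])
    incidents = Counter(k[0] for k in r["passed"])
    return {sid: (events[sid], incidents[sid]) for sid in sorted(events)}


if __name__ == "__main__":
    result = compare_sensors(OUTER_ALERTS, INNER_ALERTS)
    for bucket, keys in result.items():
        print(bucket)
        for sid, src, sport, dst, dport in keys:
            print(f"  sid {sid}: {src}:{sport or '-'} -> {dst}:{dport or '-'}")
    print(summarize_by_signature(OUTER_ALERTS, INNER_ALERTS))
```

In this sample the telnet probe and the ping never reach the inner sensor, the HTTP probe and the IIS attack do (port 80 is open, so the signature that matters is the traversal attempt), and the IRC connection is an outbound attempt the outer sensor did not see. The per-signature summary is the events-versus-incidents count the text asks you to track; run over a day of logs it tells you which signatures your firewall policy actually lets through.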
Looking again at Figure 1, you can see that the management interface (the black line to the left of both sensors) connects to an out-of-band (OOB) network, a separate segment that is neither the demilitarized zone (DMZ) nor the core network. An OOB network provides a segregated area in which administrative and monitoring functions can take place without exposing that traffic to, or compromising, the core internal network. On the OOB network, you perform firewall and sensor administration, store your Syslog repository, and generally manage the perimeter infrastructure. Because the management interface is the only addressable interface a sensor has, the OOB network should be reachable only from your administrative hosts; an attacker who reaches it can silence or blind the sensors.