Where on the Network Should the IDS Go?
Routers go between subnets. Firewalls are most commonly seen between a company's internal network and its Internet connection. What about an IDS? The answer depends on what you want to protect.
You would position an IDS anywhere on your network where you want to look for suspicious activity; this includes both points on the network itself and individual hosts that may need extra protection. For example, an IDS immediately inside your Internet firewall, but still outside the DMZ (explained in section 188.8.131.52), will alert you before an attack reaches your DMZ or internal network. The downside of placing an IDS so close to your Internet gateway is that Internet-facing hosts get probed constantly, and you may spend a great deal of time dealing with uneventful IDS alerts about things like network scans that never led to any further attempt to access your resources.
In the case of a particularly sensitive business system, the administrators may want to build in as many layers of detection as possible, and IDSs may be deployed both on the network and on the host itself. The differences between host-based and network-based IDS are discussed in more detail in section 3.4.
At other times, you might position an IDS in the DMZ, between your company's external (Internet-facing) firewall and its internal (internal-network-facing) firewall, to detect unwanted traffic that got through the first firewall; or within the internal network itself, if you are more concerned about monitoring for intrusions into the internal network.
Think about positioning an IDS the way you would think about positioning burglar alarm sensors. You might want motion detectors in your yard that turn on the outside lights when movement is detected, but you would probably reserve the sensors that actually ring the alarm for inside your home, near doors and windows, lest you be awakened by loud beeping every time a dog runs across the front lawn or you go down to the kitchen for a midnight snack. And if you ran a bed and breakfast in your home and were concerned about security, you might place additional sensors in the private areas of the house. In the same way, a company might run an IDS on its internal network not to catch outsiders trying to get in, but to monitor for suspicious activity by in-house personnel.
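The placement trade-off above (perimeter sensors see a lot of harmless scanning, internal sensors should treat the same behaviour as serious) can be expressed as a triage policy keyed on the zone a sensor sits in. The following is an added example written for this page, not code from the original guide or from any IDS product. The three zone names, the thresholds, the severity table and the flow records are all constructed assumptions; the flows stand in for what each sensor would see on the wire. It detects port scans from flow records, then assigns severity by zone, and escalates a perimeter scan only when the same source came back and kept hitting one port, which is the "further attempts" case the text distinguishes from idle probing.

```python
"""Zone-aware triage of port scans seen by IDS sensors (constructed example)."""
from collections import defaultdict

# Assumed sensor zones, in order of increasing sensitivity.
PERIMETER = "perimeter"   # just inside the Internet firewall, outside the DMZ
DMZ = "dmz"               # between the external and internal firewalls
INTERNAL = "internal"     # on the internal network, behind the internal firewall

SCAN_PORT_THRESHOLD = 10  # distinct destination ports from one source = port scan
FOLLOWUP_THRESHOLD = 3    # repeat connections to a single port after scanning

# Assumed policy: a bare scan is expected noise at the perimeter,
# mildly interesting in the DMZ, and a real alert on the internal LAN.
SCAN_SEVERITY = {PERIMETER: "info", DMZ: "low", INTERNAL: "high"}

# Constructed flow records: (sequence, zone, src_ip, dst_ip, dst_port).
FLOWS = (
    # Internet host sweeps ports 20-31 on the DMZ web server, seen at the perimeter...
    [(i, PERIMETER, "203.0.113.7", "192.0.2.10", p) for i, p in enumerate(range(20, 32))]
    # ...and then comes back three more times to port 22.
    + [(100, PERIMETER, "203.0.113.7", "192.0.2.10", 22),
       (101, PERIMETER, "203.0.113.7", "192.0.2.10", 22),
       (102, PERIMETER, "203.0.113.7", "192.0.2.10", 22)]
    # A second Internet host scans 15 ports and goes away: the usual background noise.
    + [(200 + i, PERIMETER, "198.51.100.9", "192.0.2.10", p) for i, p in enumerate(range(1000, 1015))]
    # A workstation on the internal LAN scans the file server: not normal for a user.
    + [(300 + i, INTERNAL, "10.0.5.23", "10.0.1.5", p) for i, p in enumerate(range(130, 145))]
)


def detect_port_scans(flows, threshold=SCAN_PORT_THRESHOLD):
    """Group flows by (zone, source) and return the sources that touched
    at least `threshold` distinct destination ports, with the port set."""
    ports_by_src = defaultdict(set)
    for _seq, zone, src, _dst, dport in flows:
        ports_by_src[(zone, src)].add(dport)
    return {key: ports for key, ports in ports_by_src.items() if len(ports) >= threshold}


def followup_port(flows, zone, src, threshold=FOLLOWUP_THRESHOLD):
    """Return the destination port a scanning source kept returning to
    (at least `threshold` connections), or None if the scan was not followed up."""
    hits = defaultdict(int)
    for _seq, z, s, _dst, dport in flows:
        if z == zone and s == src:
            hits[dport] += 1
    port, count = max(hits.items(), key=lambda kv: kv[1])
    return port if count >= threshold else None


def triage(flows):
    """Turn raw flows into (severity, zone, src_ip, message) findings."""
    findings = []
    for (zone, src), ports in sorted(detect_port_scans(flows).items()):
        severity = SCAN_SEVERITY[zone]
        message = f"port scan of {len(ports)} ports"
        port = followup_port(flows, zone, src)
        if port is not None and zone != INTERNAL:
            # A perimeter or DMZ scan that turned into repeated connection
            # attempts on one service is worth an analyst's time.
            severity = "medium"
            message += f", followed by repeated connections to port {port}"
        findings.append((severity, zone, src, message))
    return findings


if __name__ == "__main__":
    for severity, zone, src, message in triage(FLOWS):
        print(f"[{severity:6}] {zone:9} {src:14} {message}")
```

Run stand-alone it prints one line per scanning source: the internal workstation comes out as high, the idle Internet scanner as info, and the scanner that returned to port 22 as medium. The point is that the detection logic is identical for every sensor; only the zone table changes, which is what lets a perimeter sensor double as a low-noise "motion detector" while the internal sensor still rings the alarm.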
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.