© SANS Institute 2008, Author retains full rights.
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Network IDS & IPS Deployment Strategies
Strategic placement of the monitoring systems is crucial. If you are trying to capture traffic local to your network, you may miss it if you put the sensor at the network's border, because traffic between internal hosts never crosses that point. Likewise, if you have only one monitoring system but more than one connection linking your local area network to external networks, traffic on the unmonitored connections will go unseen. One important network device you should be mindful of when selecting the optimal placement of your IDS or IPS is a Virtual Private Network (VPN) concentrator. As traffic travels through a VPN tunnel it is encrypted, and an IDS or IPS that sees only the tunnel will not be capable of conducting adequate analysis; the sensor has to sit where the traffic is in cleartext.
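As an added illustration (not part of the original paper), the following constructed model checks which flows a given set of sensor taps can actually analyze; the topology, node names, sensor positions and flows are all assumed for the example:

```python
from collections import deque

# Constructed topology (assumed, not from the paper): undirected links between
# network nodes. "vpn_conc" is a VPN concentrator; the links beyond it toward
# "remote_site" carry the tunnel, so only ciphertext is visible on them.
LINKS = [
    ("lan", "core"), ("core", "border_fw"), ("border_fw", "isp1"),
    ("core", "vpn_conc"), ("vpn_conc", "isp2"), ("isp2", "remote_site"),
    ("lan", "dmz"),
]
ENCRYPTED_LINKS = {frozenset(("vpn_conc", "isp2")),
                   frozenset(("isp2", "remote_site"))}

def path(src, dst, links=LINKS):
    """Shortest-hop path between two nodes (BFS); [] if unreachable."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt in adj.get(node, ()):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    if dst not in prev:
        return []
    out = []
    while dst is not None:
        out.append(dst)
        dst = prev[dst]
    return out[::-1]

def coverage(flow, sensors):
    """Classify a (src, dst) flow for sensors given as (node_a, node_b) link taps:
    'analyzed'  - some tap sees the flow in cleartext
    'encrypted' - every tap on the path sits inside the VPN tunnel
    'blind'     - no tap is on the path (local traffic or an unmonitored uplink)"""
    hops = path(*flow)
    taps = {frozenset(s) for s in sensors}
    seen = [frozenset(hops[i:i + 2]) for i in range(len(hops) - 1)
            if frozenset(hops[i:i + 2]) in taps]
    if not seen:
        return "blind"
    if all(h in ENCRYPTED_LINKS for h in seen):
        return "encrypted"
    return "analyzed"
```

With only a border tap, the lan-to-dmz and lan-to-remote_site flows come back "blind"; adding a tap on the vpn_conc-isp2 link turns the remote-site flow into "encrypted", and only a tap on the cleartext core-vpn_conc side reports "analyzed".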
There are an increasing number of methods to evade intrusion detection. While network intrusion detection and prevention systems are adapting to an ever-changing environment, the methods of evasion are adapting as well. We must keep this in mind when making a judgment call with respect to detecting an intrusion, and should not rely too heavily on IDS or IPS logs. Feeling overly confident that an intrusion was avoided simply because such activity was not logged may be a costly mistake. On the other hand, assuming the IDS or IPS is correctly classifying “malicious” traffic when in fact the traffic is legitimate should be avoided as well. Having an analyst skilled in decoding packets will help minimize both kinds of mistake (packet decoding is introduced in the SANS Security Essentials curriculum). In short, placing too much trust in any single security product is a recipe for failure.
In conclusion, deploying systems designed to monitor network activity will bring about more awareness of the very nature in how the respective network behaves, and what threatens its intended function. There is certainly not a shortage of malicious traffic being transmitted across the Internet. Having a firewall at the edge of a network is a nice piece of hardware to have protecting internal networks. However, in information security there are no silver bullets, network firewalls notwithstanding. It is crucial to have a layered preventive strategy. Defense in depth is the only reasonable tactic with such adaptable threats being constantly presented to information systems.

Nicholas Pappas
31
© 2021 SANS Institute
Author Retains Full Rights