© SANS Institute 2008, Author retains full rights.
Network IDS & IPS Deployment Strategies
remotely from a system in the internal network.
Part A of Figure 3 shows the IDS connected to either a hub or a switch capable of configuring a SPAN port. On a managed switch, a SPAN (port-mirroring) session can be configured to copy "...all packets on the network to that port as well as their ultimate destination" (Baker, 2004). With such a configuration, the IDS monitoring interface can be connected to an ordinary switch port and still see all traffic passing through the mirrored ports. A network hub intrinsically repeats every frame to all of its ports, so any system connected to the hub can see all traffic sourced from or destined to every other system connected to the hub. For that reason a hub may not be the best option: every connected system, not just the sensor, is capable of intercepting traffic not intentionally sent to it, and the hub collapses the segment into a single half-duplex collision domain. With either a hub or a switch with SPAN port capabilities, the sensor sits off to the side of the forwarding path, so the systems on the internal network are not at the mercy of the IDS having a system failure and bringing the network down. Making use of a hub or switch SPAN port is the most common method of connecting sensors.
The use of a network tap is represented in Part B of Figure 3. A tap is a passive device inserted into the link that replicates the data passing through the wire onto one or more monitor ports. Network taps are not commonly found in typical computer networks but can be purchased. Taps are handy when you need to set up a hasty monitoring solution, perhaps to troubleshoot a problem or to deploy an IDS temporarily. Note that a basic tap on a full-duplex link presents each direction of the conversation on a separate monitor port, so the sensor needs two capture interfaces (or an aggregation tap) to see both sides. Overall, a network tap is needed when the network does not have managed switches, is not using hubs, or when putting an IDS inline is out of the question.
Nicholas Pappas
The final portion, Part C near the bottom of Figure 3, illustrates an IDS connected inline. This instance includes two connections, shown in red: one connected to the uplink port of the switch, and the second connected to the external network. In most cases this is not the best method to use, because a system failure of the IDS will prevent systems on the internal network from communicating with external systems. Rarely is that an acceptable outcome, but it is certainly an option, and some inline sensors mitigate it with a bypass (fail-open) interface that closes the circuit when the sensor loses power or its software stops. The benefit of the inline configuration is a guarantee that every packet will be seen by the IDS. Packets are subject to being missed when an IDS is connected to a switch SPAN port, especially when that switch is busy processing a large burst of traffic: a SPAN destination port mirroring both directions of even a single full-duplex link of the same speed can be asked to carry twice its own capacity. Depending on the capability of an inline IDS, a similar burst may instead congest network throughput, since the sensor must forward every packet it inspects.
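The SPAN-port drop risk described above can be estimated before the sensor is connected. The following is an added example, not code from the paper: it models the Part A deployment (a switch SPAN session feeding a single IDS interface), reports whether the destination port is oversubscribed at average load and during a burst, and emits the Cisco IOS `monitor session` lines that correspond to the modelled session. The interface names, link speeds and utilisation figures are assumed for illustration.

```python
# SPAN-port oversubscription check.
# Added example, not code from the paper: models a switch SPAN session feeding
# one IDS interface and estimates whether the destination port can carry the
# mirrored load. Interface names, speeds and utilisation figures are assumed.
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class SourcePort:
    """One mirrored switch port. direction matches the IOS keywords rx|tx|both."""
    name: str
    speed_mbps: int       # link speed, e.g. 1000 for gigabit
    rx_util: float        # fraction of speed_mbps in use, receive direction
    tx_util: float        # fraction of speed_mbps in use, transmit direction
    direction: str = "both"


def mirrored_mbps(src: SourcePort, worst_case: bool = False) -> float:
    """Bandwidth the switch copies to the SPAN destination for one source port.

    A full-duplex link carries up to speed_mbps in each direction, so mirroring
    'both' directions of one link can yield up to twice its nominal speed.
    worst_case=True assumes both directions are saturated (a burst).
    """
    rx = src.speed_mbps * (1.0 if worst_case else src.rx_util)
    tx = src.speed_mbps * (1.0 if worst_case else src.tx_util)
    if src.direction == "rx":
        return rx
    if src.direction == "tx":
        return tx
    if src.direction == "both":
        return rx + tx
    raise ValueError(f"unknown direction {src.direction!r}")


def span_load(sources: List[SourcePort], dest_speed_mbps: int,
              worst_case: bool = False) -> Dict[str, float]:
    """Aggregate mirrored load versus the destination port's capacity.

    drop_fraction is the share of mirrored traffic that cannot fit in steady
    state; switch buffers may absorb short bursts, so treat it as a lower bound.
    """
    total = sum(mirrored_mbps(s, worst_case) for s in sources)
    over = total > dest_speed_mbps
    drop = (total - dest_speed_mbps) / total if over else 0.0
    return {
        "mirrored_mbps": total,
        "dest_mbps": float(dest_speed_mbps),
        "oversubscribed": over,
        "drop_fraction": drop,
    }


def ios_span_config(session: int, sources: List[SourcePort], dest: str) -> List[str]:
    """Cisco IOS 'monitor session' lines describing the modelled SPAN session."""
    lines = [f"monitor session {session} source interface {s.name} {s.direction}"
             for s in sources]
    lines.append(f"monitor session {session} destination interface {dest}")
    return lines


# Constructed scenario (assumed figures): the uplink and two busy servers are
# mirrored to one gigabit port where the IDS listens.
EXAMPLE_SOURCES = [
    SourcePort("GigabitEthernet0/1", 1000, rx_util=0.30, tx_util=0.20),  # uplink
    SourcePort("GigabitEthernet0/2", 1000, rx_util=0.10, tx_util=0.20),  # file server
    SourcePort("GigabitEthernet0/3", 1000, rx_util=0.05, tx_util=0.05),  # web server
]
EXAMPLE_DEST = "GigabitEthernet0/24"
EXAMPLE_DEST_MBPS = 1000

if __name__ == "__main__":
    for line in ios_span_config(1, EXAMPLE_SOURCES, EXAMPLE_DEST):
        print(line)
    for label, burst in (("average", False), ("burst", True)):
        r = span_load(EXAMPLE_SOURCES, EXAMPLE_DEST_MBPS, worst_case=burst)
        print(f"{label:8s} mirrored={r['mirrored_mbps']:.0f} Mbps "
              f"oversubscribed={r['oversubscribed']} "
              f"drop>={r['drop_fraction']:.0%}")
```

In the constructed scenario the destination port copes at average utilisation (about 900 Mbps of mirrored traffic) but is heavily oversubscribed during a burst, when three mirrored gigabit links in both directions could offer 6000 Mbps to a 1000 Mbps port. If the burst case matters, mirror fewer ports, mirror only one direction, use a faster destination port, or move to a tap or an inline placement.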
Utilizing a management interface is required if the analysis is to be done remotely. It is possible simply to connect a keyboard and monitor directly to the IDS and manage the system locally from its console. Whilst this may work for a small office, in a large network this is typically not a viable option. Keep the management interface separate from the monitoring interface(s): the monitoring interface carries no IP address and only listens, so the sensor cannot be reached from the traffic it watches. The same applies to an IPS, which is covered in the following section.