It all depends how many sensors you will be able to purchase or have the hardware to install, in addition to what you want to protect. There are many schools of thought on this, but you should simply have it sniff all traffic immediately before and/or after your firewall. Sometimes it is good to use the firewall to screen out all the 'garbage' that an external IDS would pick up; at the same time you may want to protect your firewall itself. I guess it also depends on which product you are using as well, whether it be a fabulous and free IDS such as SNORT or an ISS RealSecure enterprise class type product. They may be better put to use in different ways. We usually like to put our first one on the outside and second one right on the inside of the firewall. The amount of traffic is also a determining factor here. You may be able to get away with putting a single network sensor (NIDS) that will sniff ALL traffic on all VLANs and networks inside your firewall.
Like I said, it all depends on what you are trying to protect and exactly who your threat model says your real enemy is.
The OS sensors should go on your most critical systems.
Also keep in mind that all of this 'stuff' is only as good as the personnel you have watching, monitoring, and responding to its cries.
Jarrett
We have the following topology:
LAN
SWITCH----------FW-1---------CISCO3620
NO DMZ.

Where should I install the network sensors and OS sensors?

Thanks