An intrusion prevention system (IPS) is a device that monitors network traffic either passing through it (inline) or copied to it from a SPAN/mirror port or network tap (promiscuous, i.e. out of band) and reacts according to predefined rules. An intrusion detection system (IDS) also reacts, but not in an invasive manner: it can only alert on or log the activity, whereas an IPS will try to block actions it deems malicious. The purpose of this article is to serve as a maintenance reference and a quick installation and configuration guide for IPS and IDS sensors; I'll keep updating it so it doesn't get "dated", so to speak. I'll use the term IPS in most cases and point out where a piece of information applies only to an IDS or only to an IPS. I mention Cisco IPS and Snort, but the information applies to just about any IPS or IDS sensor.
IPS installation guide
When installing your IPS or IDS sensor you'll want to look at several key factors before you begin. Placing intrusion detection systems is an art!
- What will your IPS or intrusion detection system be monitoring (network and fingerprint)
- Where are these assets located (choke points)
- Available resources (power and network)
Network and Fingerprint
What will the sensor be monitoring and/or protecting? List your valuable networked devices. If you have critical business systems such as server farms or databases, these areas may warrant an individual sensor, or at least a signature subset tuned to that area. Look for commonalities such as network addresses and, in particular, the operating systems (the fingerprint) used in that network or asset group, so that the signatures and reassembly settings applied there match what actually runs there rather than every platform the vendor ships rules for.
In most cases your IPS should be placed at choke points: any area with a limited number of connections, such as the link between your firewall and the next device leading into your inside network. You'll also want a sensor between your less-trusted areas, such as the DMZ, and the trusted network. From my experience you'll want to monitor the inbound connection from the firewall, any DMZ segments, and one or two subnets containing your largest number of "trusted" users. If you monitor all inside users from day one you'll spend all day playing incident-response cop cleaning up false positives, whereas one large subnet of inside "trusted" users will give you enough information to detect virus, malware and attacker activity without overloading your sensor or your brain. You can add the other subnets later once your fine tuning is completed.

In some cases assets need to be protected by host-based IPS or IDS agents, depending on where they live and how critical they are. If you have a large WAN with remote offices you'll also want sensors at those border routers. If you don't have choke points you can create them with VLANs, which let you segment the network and steer traffic through the sensor.

Monitoring traffic before it gets to your firewall is an option some companies take. This method requires a lot of fine tuning and generates a lot of incident-response work on alerts for traffic the firewall would have dropped anyway.
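The two steps above, listing asset groups with their OS fingerprint and then deciding which choke points and subnets the sensor actually watches, map directly onto a sensor's configuration. The fragment below is an added example written in Snort 2.9 configuration syntax; it is not from the original article and not from Cisco or Snort documentation. Every address, variable name, rule and the scanner IP are placeholders for a fictional network.

```conf
# Added example (not from the original article or any vendor documentation):
# a Snort 2.9-style snort.conf fragment that scopes one sensor to the
# segments recommended above. Every address, name and rule below is a
# made-up placeholder for a fictional network; substitute your own.

# ---- Asset groups from the inventory step ("network") ----
ipvar DMZ_NET        [192.0.2.0/24]                   # between firewall and inside
ipvar SERVER_FARM    [10.10.20.0/24,10.10.21.0/24]     # critical servers and databases
ipvar TRUSTED_USERS  [10.10.100.0/23]                  # the ONE large user subnet watched first
# Only what is in HOME_NET is treated as "ours"; add the remaining user subnets
# here once tuning on TRUSTED_USERS is finished.
ipvar HOME_NET       [$DMZ_NET,$SERVER_FARM,$TRUSTED_USERS]
ipvar EXTERNAL_NET   !$HOME_NET
portvar HTTP_PORTS   [80,8080]
portvar SQL_PORTS    [1433,3306]

# ---- Fingerprint: tell the reassembly engines which OS lives where, so
# fragments and TCP streams are rebuilt the way the target host will see
# them. bind_to is given literal address lists here to stay on the
# documented syntax, hence the repetition. ----
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy windows, bind_to [10.10.20.0/24,10.10.21.0/24], detect_anomalies
preprocessor frag3_engine: policy linux, bind_to [192.0.2.0/24], detect_anomalies
preprocessor frag3_engine: policy first, detect_anomalies
preprocessor stream5_global: track_tcp yes, track_udp yes, track_icmp no
preprocessor stream5_tcp: policy windows, bind_to [10.10.20.0/24,10.10.21.0/24]
preprocessor stream5_tcp: policy linux, bind_to [192.0.2.0/24]
preprocessor stream5_tcp: policy first

# ---- Signature subsets per asset group (normally kept in local.rules and
# pulled in with "include $RULE_PATH/local.rules"; local sids start at 1000000) ----
# DMZ web tier: inbound requests only, and only on the web ports.
alert tcp $EXTERNAL_NET any -> $DMZ_NET $HTTP_PORTS (msg:"LOCAL DMZ web request with TRACE method"; flow:to_server,established; content:"TRACE"; http_method; classtype:web-application-activity; sid:1000001; rev:1;)
# Server farm: database ports should only be reached from the trusted user
# subnet or from other farm members.
alert tcp ![$TRUSTED_USERS,$SERVER_FARM] any -> $SERVER_FARM $SQL_PORTS (msg:"LOCAL SQL port reached from outside the trusted user subnet"; flow:to_server,established; classtype:policy-violation; sid:1000002; rev:1;)
# Trusted users: outbound IRC is a classic bot sign on a user subnet. A drop
# rule only blocks when Snort runs inline (-Q); on a SPAN port start Snort with
# --treat-drop-as-alert so the rule still alerts.
drop tcp $TRUSTED_USERS any -> $EXTERNAL_NET 6667 (msg:"LOCAL outbound IRC from user subnet"; flow:to_server,established; classtype:trojan-activity; sid:1000003; rev:1;)

# ---- Tuning while the first user subnet is being baselined ----
# One alert per source per minute for the noisy TRACE rule...
event_filter gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 60
# ...and silence the known vulnerability scanner that legitimately probes SQL ports.
suppress gen_id 1, sig_id 1000002, track by_src, ip 10.10.5.9

# Start-up (promiscuous/SPAN mode shown; eth1 is the mirror port). The trailing
# BPF keeps the not-yet-monitored inside subnets off the sensor entirely:
#   snort -c /etc/snort/snort.conf -i eth1 'net 192.0.2.0/24 or net 10.10.20.0/23 or net 10.10.100.0/23'
```

The scope is enforced twice on purpose: HOME_NET decides what the rules treat as internal, and the BPF on the command line keeps traffic from the other inside subnets from reaching the detection engine at all. Adding a subnet later, once tuning is done, means extending both the variable and the filter, and the per-group bind_to lines are where a new server block with a different OS gets its own reassembly policy.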
Available resources such as rack space, power and network connectivity (some IPS sensors use many switch ports) are usually the first check, but I thought I'd mention them here just in case these seemingly mundane details slipped your mind. An inline sensor needs a pair of ports for every segment it bridges plus a management port, and a promiscuous sensor needs a SPAN/mirror or tap port for every segment it watches. There's nothing like getting your sensors in place only to realize you don't have a free power outlet or switch port to plug them into.
Bottom line: placement depends on the company's needs, budget and network topology. Keep asset value, fingerprint and choke points in mind when determining the placement of IPS/IDS sensors and you'll be fine. Technicians from both the security and the network teams need to be involved, along with management, when determining where sensors go. If you have any questions or comments please feel free to post them below.
Now read the IPS configuration Guide