Network Entry Points
The sensor is designed to monitor all traffic crossing a
given network segment. You must consider all external network connections and
remote access points you want to protect. The four basic entry points to
consider are illustrated in Figure 25-1. The four network entry locations are:
- Internet connections
- Extranets
- Intranets
- Remote access
The most common sensor deployment location is between the trusted
internal network and the Internet. As seen in Figure 25-1, sensor 1 is
located between the trusted network and the Internet. This deployment strategy
is referred to as perimeter protection and the sensor is
commonly paired with one or more firewalls to enforce security policies.
Internet Perimeter Protection Deployment
Different strategies can be used when deploying sensors to
monitor perimeter Internet connections. Sensors can be placed in front of a
filtering router or a firewall, or they can be placed behind the filtering
router or firewall. For the highest level of protection, multiple sensors can be
used: one in front of the router/firewall and another behind the
router/firewall. As always, advantages and disadvantages exist to each possible
physical configuration.
Monitoring Unfiltered Traffic
The physical location of the sensor chassis matters less than
what traffic its monitoring interface sees and where its control interface is
connected. As seen in Figure 25-2, the sensor has been logically placed in
front of the filtering router by connecting the monitoring interface to the segment between the
ISP router and the filtering router. In this example, the filtering router also
serves as the firewall. The sensor monitors all incoming and outgoing
traffic, and inbound traffic from the Internet is monitored before it has been
filtered by the firewall. If you want (or need) to see every intrusion or denial
of service (DoS) attempt before it is filtered, consider this
deployment strategy.
Because the sensor sits in front of the filtering
device, it inspects and alarms on all inbound traffic, including traffic the
filtering device would have dropped anyway, which inflates alarm volume without
reflecting real exposure. Another weakness of this deployment strategy is that
internal network traffic isn't monitored at all. An attacker who gains a foothold
on an internal host can attack your network resources from there and go
undetected by a sensor placed in front of the filtering device.
Monitoring Filtered Traffic
Sensors can also be placed behind the filtering router or
firewall. Figure 25-3 illustrates a common Internet connection
where the sensor’s monitoring interface is located behind the filtering router.
The control interface is connected to the filtering device to allow for device
management. This deployment strategy is often called a firewall sandwich because the sensor's monitoring interface is
connected to the interior network while its control interface is connected to the
firewall; the firewall or filtering device is therefore sandwiched between the
sensor's two interfaces. The firewall sandwich is Cisco's preferred method of
deploying CIDS sensors in conjunction with a firewall.
Placing a sensor's monitoring interface behind a filtering
router or firewall prevents the sensor from seeing traffic the filtering
device rejects. The disadvantage of this placement is that the sensor is
unaware of any policy violations the filtering device stops. To compensate,
your firewall or filtering router should log denied traffic and notify
security personnel when security violations are attempted. To provide the
highest level of protection, you can place sensors both in front of
and behind the filtering device.
Monitoring Both Filtered and Unfiltered Traffic
To create the highest security posture, you can install a
sensor on the inside and the outside of your Internet filtering device. One
sensor will monitor all incoming Internet traffic before being filtered and
another sensor will monitor internal traffic, as well as all incoming filtered
Internet traffic. The main disadvantage of this configuration is the cost of
purchasing and managing the additional sensors.
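To make the trade-offs between the three placements concrete, here is an added example (not part of the original chapter or of any Cisco product) that models what each sensor position can observe. A handful of constructed flows are pushed through a toy filtering policy, and the code reports which malicious flows a sensor in front of the filter, a sensor behind it, both together, or the inside sensor combined with the firewall's own deny log would surface, along with how many flows each sensor has to inspect. The zone names, the permitted inbound ports and the "malicious" labels are all assumptions made for the demonstration.

```python
"""Added example: what a perimeter IDS sensor can see at each placement.

Flows, the filtering policy and the malicious labels are constructed for the
demonstration; zone names and the inbound port policy are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    name: str
    src_zone: str      # "internet" or "internal"
    dst_zone: str      # "internet" or "internal"
    dst_port: int
    malicious: bool    # constructed ground truth used to score each placement


# Constructed filtering policy: only web and SMTP are permitted inbound;
# outbound and internal-to-internal traffic is not filtered at this device.
INBOUND_ALLOWED_PORTS = frozenset({25, 80, 443})


def permitted(flow: Flow) -> bool:
    """Toy filtering router/firewall decision for a single flow."""
    if flow.src_zone == "internet" and flow.dst_zone == "internal":
        return flow.dst_port in INBOUND_ALLOWED_PORTS
    return True


def seen_by_outside_sensor(flow: Flow) -> bool:
    """Monitoring interface between the ISP router and the filter (Figure 25-2):
    every flow crossing the Internet link is inspected before filtering, but
    traffic that never leaves the internal network is invisible."""
    return "internet" in (flow.src_zone, flow.dst_zone)


def seen_by_inside_sensor(flow: Flow) -> bool:
    """Monitoring interface behind the filter (Figure 25-3): the sensor sees
    internal traffic plus whatever inbound traffic the filter let through."""
    return permitted(flow)


def visibility(flows):
    """Return, per data source, the set of malicious flow names it can surface,
    plus how many flows of any kind each sensor must inspect (alarm load)."""
    report = {
        "outside": set(), "inside": set(), "firewall_deny_log": set(),
        "outside_inspected": 0, "inside_inspected": 0,
    }
    for f in flows:
        outside = seen_by_outside_sensor(f)
        inside = seen_by_inside_sensor(f)
        report["outside_inspected"] += int(outside)
        report["inside_inspected"] += int(inside)
        if not f.malicious:
            continue
        if outside:
            report["outside"].add(f.name)
        if inside:
            report["inside"].add(f.name)
        if not permitted(f):           # the filter's own logging of denied traffic
            report["firewall_deny_log"].add(f.name)
    report["both_sensors"] = report["outside"] | report["inside"]
    report["inside_plus_deny_log"] = report["inside"] | report["firewall_deny_log"]
    return report


# Constructed sample traffic.
FLOWS = [
    Flow("web-sqli",     "internet", "internal", 80,   True),   # passes the filter
    Flow("telnet-probe", "internet", "internal", 23,   True),   # dropped by the filter
    Flow("rdp-probe",    "internet", "internal", 3389, True),   # dropped by the filter
    Flow("insider-smb",  "internal", "internal", 445,  True),   # never crosses the Internet link
    Flow("outbound-c2",  "internal", "internet", 6667, True),   # outbound, not filtered here
    Flow("normal-https", "internet", "internal", 443,  False),
    Flow("normal-dns",   "internal", "internet", 53,   False),
]

ALL_MALICIOUS = frozenset(f.name for f in FLOWS if f.malicious)


def missed(report, source):
    """Malicious flows a given data source never sees."""
    return set(ALL_MALICIOUS) - report[source]


if __name__ == "__main__":
    r = visibility(FLOWS)
    for source in ("outside", "inside", "both_sensors", "inside_plus_deny_log"):
        print(f"{source:22s} sees {sorted(r[source])}  misses {sorted(missed(r, source))}")
    print("flows inspected: outside", r["outside_inspected"], "inside", r["inside_inspected"])
```

Run as a script, the report shows the blind spots the text describes: the outside sensor never sees the internal-to-internal attack, the inside sensor never sees the two probes the filter dropped, and either two sensors or one inside sensor plus the firewall's deny log covers every constructed attack, with the outside sensor inspecting more flows than the inside one because it also processes traffic the filter would discard.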
Extranets: Business Partner Networks
Many companies with medium-to-large networks have
connections to their business partner networks. These connections include
network extensions that connect to vendors, customer companies, and governmental
agencies. You might or might not have control over the security policies
enforced on these connections. Intruders could compromise a business partner's
network and then leverage that connection to compromise yours. In addition,
you want to prevent anyone from using your network to attack your business
partners. You should deploy sensors to monitor all incoming and outgoing
traffic to and from every business partner network.
Intranets: Business Divisions
Many large corporations have a hierarchical network design
consisting of many different divisional networks, all of which connect to a
central corporate backbone. Sensors can be placed at these network boundaries to
monitor traffic crossing from one divisional network to another. Different
departments commonly have different security policies. For example, company A,
an insurance company, could have many different departments with different
security policies. The division of the company that processes medical records
must comply with strict government-mandated security requirements, while company A's billing
department isn't regulated and can operate under a less strict policy. A sensor
placed between these two departments lets you monitor the traffic crossing between
them and verify that the stricter policy is actually being enforced.
Remote Access Networks
Most networks provide a mechanism that allows access to the
company network for remote users. This remote access area represents another
critical entry point into your network. Attackers will attempt to find and exploit
any mechanism that provides access into your protected network. Remote access
networks and servers are a common target of intruders, and many intrusions are
initiated from these resources. You should monitor all remote access mechanisms,
such as remote access servers, VPNs, and dial-up accounts. Placing a sensor between the core
network and the remote access network lets security administrators view and
monitor incoming remote traffic.