What factors would you consider before deploying a Web intrusion detection system?

Cisco IDS sensors form the eyes and ears of your Cisco network intrusion detection system. Placing sensors correctly throughout your network is crucial to successfully implementing your Cisco intrusion detection system. Before deploying your sensors, however, you must thoroughly understand your network topology, as well as the critical systems on your network that attackers will attempt to compromise. Even after you have identified the locations on your network where you plan to deploy your sensors, you still need to decide on how to configure these sensors to maximize their effectiveness toward protecting your network.

Analyzing Your Network Topology

Before you can decide where to deploy Cisco IDS sensors on your network, you must analyze your network topology. Some of the key factors to consider when conducting this analysis are the following:

  • Internet entry/access points
  • Extranet entry points
  • Remote access
  • Intranet separation

Almost every network has some connectivity to the Internet, and that connectivity is the most exposed part of the network: anyone on the Internet can probe it. The first place to protect with your Cisco IDS is therefore your organization's Internet connection. When analyzing Internet connectivity it is easy to stop at the main access point; to protect the network correctly you must identify every Internet connection, including backup links and any connections set up by individual sites or departments.

Once you have identified your Internet entry points, identify the connections you have with other organizations, often called extranet connections. These are usually links to business partners or other organizations your organization needs to communicate with regularly. They expose your network to attack through the partner's network, and they also allow an attacker to attack the partner through your network, which raises many interesting legal issues.

More and more employees telecommute, and travelling employees also need access to the corporate network. Both situations require some form of remote access capability, and remote access is another prime target for attackers. Mapping every remote access entry point into your network, including VPN gateways and any modems still connected to it, is vital to securing the network against attack.

The final area of your network topology to analyze is the set of internal separation points. Most organizations are divided into multiple departments. These departments probably share some common servers, such as DNS and email, and also use departmental servers that only specific users should access. To enforce your organization's security policy, you must clearly understand where these departmental boundaries lie, and what traffic is and is not allowed to cross them.

Does your organization have robust processes and procedures in place to identify and contain threats in your environment? Are you confident that these processes can prevent security incidents and data breaches caused by common attack methods like malware, ransomware, DoS attacks, phishing attacks, and more?

Establishing a strong intrusion detection and prevention system (IDPS), sometimes discussed separately as intrusion detection systems (IDS) and intrusion prevention systems (IPS), is a core component of any cybersecurity strategy.

Why is that?

First, let’s take a look at what an intrusion detection and prevention system is, and then we’ll discuss what type of intrusion detection and prevention system your organization should consider using.

An intrusion detection and prevention system (IDPS) monitors network traffic for indications of an attack and alerts administrators to possible attacks. IDPS solutions look for patterns that match known attacks. Traditionally they used signature-based or statistical anomaly detection; IDPS products increasingly add machine learning to process large volumes of data and surface threats that signatures and simple anomaly thresholds would miss.

IDPS sensors are usually deployed behind an organization's firewall to identify threats that pass the network's first line of defense. A dedicated appliance or software sensor gathers and logs traffic, detects suspicious activity and, in prevention mode, blocks it. The deployment mode matters: an IDS sensor watches a copy of the traffic from a network tap or switch SPAN port and can only alert, whereas an IPS sits inline on the traffic path and can drop packets or reset connections, which also means a failed or mis-tuned IPS can block legitimate traffic.

What Type of Intrusion Detection and Prevention System Do You Need?

When determining which type of intrusion detection and prevention system your organization should use, you'll need to consider factors like the characteristics of the network environment, the goals and objectives for using an IDPS, and current organization security policies. Broadly, there are two kinds of IDS/IPS: network-based, which watches traffic on selected network segments (wired or wireless), and host-based, which runs as an agent on the servers or endpoints it protects and sees events a network sensor cannot, such as process launches, file changes and local logins. The four common types of IDPS, as defined by NIST in SP 800-94, are the following:

  1. Network-Based IDPS: This type of IDPS monitors network traffic for specific network segments and devices. It analyzes the network and application protocol activity to identify suspicious and abnormal activity.
  2. Wireless IDPS: This IDPS is a sub-type of network-based IDPS. It monitors wireless network traffic and analyzes it to identify suspicious activity involving networking protocols.
  3. Network Behavior Analysis (NBA) System: This IDPS is a sub-type of network-based IDPS. It examines network traffic flows in order to identify threats that generate unusual traffic patterns (e.g., malware spreading, DDoS attacks, and policy violations).
  4. Host-Based IDPS: This IDPS is used to monitor the characteristics of a single host and the events occurring within that host for suspicious activity.
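As an added example of the host-based view (this code is written for this page and is not from the article's author or any vendor product), the detector below reads constructed sshd log lines from a single server and flags a password brute-force attempt, then raises a second, higher-priority alert if the same source later logs in successfully. The hostnames, addresses, user names, thresholds and alert names are assumptions made for the example.

```python
"""Host-based detection on a single server's sshd log (constructed sample)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed syslog-style sshd lines; host, users and addresses are made up
# (198.51.100.0/24 is an RFC 5737 documentation range).
SAMPLE_AUTH_LOG = """\
Mar 10 08:01:02 web1 sshd[4101]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Mar 10 08:01:04 web1 sshd[4103]: Failed password for root from 198.51.100.7 port 51024 ssh2
Mar 10 08:01:07 web1 sshd[4105]: Failed password for invalid user test from 198.51.100.7 port 51026 ssh2
Mar 10 08:01:11 web1 sshd[4108]: Failed password for root from 198.51.100.7 port 51030 ssh2
Mar 10 08:01:15 web1 sshd[4110]: Failed password for deploy from 198.51.100.7 port 51033 ssh2
Mar 10 08:01:21 web1 sshd[4112]: Failed password for deploy from 198.51.100.7 port 51037 ssh2
Mar 10 08:01:40 web1 sshd[4130]: Accepted password for deploy from 198.51.100.7 port 51090 ssh2
Mar 10 08:05:00 web1 sshd[4200]: Accepted publickey for alice from 10.0.0.5 port 40002 ssh2
Mar 10 08:06:11 web1 sshd[4210]: Failed password for alice from 10.0.0.5 port 40010 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_events(text, year=2024):
    """Turn sshd auth lines into (timestamp, result, user, source) tuples.

    Syslog lines carry no year, so one is assumed; lines that are not
    login results are skipped.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["src"]))
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Alert once per source that fails `threshold` logins inside `window_seconds`,
    and again, naming the account, if that source later logs in successfully."""
    recent_failures = defaultdict(list)  # src -> failure timestamps inside the window
    flagged = set()
    alerts = []
    for ts, result, user, src in sorted(events):
        if result == "Failed":
            window = [t for t in recent_failures[src]
                      if (ts - t).total_seconds() <= window_seconds]
            window.append(ts)
            recent_failures[src] = window
            if len(window) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("ssh-bruteforce", src, None))
        elif src in flagged:
            # A success after a flagged burst is the alert worth paging on.
            alerts.append(("ssh-bruteforce-success", src, user))
    return alerts


def run_hids(log_text=SAMPLE_AUTH_LOG):
    """Parse the log and return the list of (alert, source, user) tuples."""
    return detect_bruteforce(parse_events(log_text))


if __name__ == "__main__":
    for alert in run_hids():
        print(*alert)
```

On the sample log the source 198.51.100.7 is flagged at its fifth failure and again when the `deploy` account accepts its password nineteen seconds later; the single failure from 10.0.0.5 stays below the threshold and produces nothing. The per-source sliding window is what keeps a legitimate user who mistypes a password twice from paging anyone.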

Should You Use Multiple Types of IDPS Technologies?

Many businesses today have complex environments, making it necessary to deploy more than one type of intrusion detection and prevention system. Before implementing multiple IDPS technologies, however, evaluate the needs of your organization fully. Combining types gives coverage that none provides alone (a network sensor cannot see what happens inside a host, and a host agent cannot see a port sweep across a segment), but each additional technology brings its own tuning, alert volume, and maintenance burden; sensors deployed without that investment mostly add noise and can hide real alerts among false ones.

What Type of Detection Should Your IDPS Use?

After you've determined which type of intrusion detection and prevention system your organization should use, you'll need to decide which detection method is right for you. Every type of IDPS listed above, whether network-based or host-based, detects with one or more of the following methods:

  • Signature-based: compares observed traffic or events against a database of patterns (signatures) for known attacks. It is precise for threats it has signatures for, but it is blind to novel or deliberately obfuscated attacks and only stays useful if the signature database is updated continuously.
  • Anomaly-based: builds a baseline of normal behavior for the network or host and flags statistically significant deviations from it. It can catch previously unknown attacks, but it generates false positives until the baseline is tuned, and any attacker already active during the learning period gets baked into "normal".
  • Protocol-based (what NIST calls stateful protocol analysis): compares observed protocol activity against profiles of how each protocol should behave, such as a valid HTTP request line or the expected state of a TCP handshake, and flags deviations. It is resource-intensive and cannot catch attacks that stay within the protocol's rules.

Regardless of which type of intrusion detection and prevention system your organization uses, it is a vital component of your cybersecurity strategy. To mitigate the advancing threats all organizations face, having a robust IDPS in place is a must. If you're looking for advice on how you can better implement an intrusion detection and prevention system in your environment, let's chat about how KirkpatrickPrice can partner with you to ensure the security of your business.


What should be considered when selecting an intrusion detection system?

The criticality of the asset being protected is a primary factor when selecting an intrusion detection system: the more damage a compromise would cause, the more detection coverage and tuning effort it justifies. It is not the only factor, though; the network environment, the goals for monitoring, existing security policies, the detection method, and the staff available to tune and respond to alerts all bear on the choice. (By contrast, the Joint Personnel Adjudication System (JPAS) is an access control system rather than an IDS, since it is used to verify the level of access eligibility for specific individuals.)

What is one of the main concerns when deploying intrusion prevention systems?

The biggest problem that IPS architectures face is the use of encryption to protect network traffic. TLS and similar protocols protect the contents of network traffic so well that an inline sensor sees only ciphertext; it cannot inspect payloads, so it cannot detect attacks carried inside the encrypted traffic. The usual answers are to terminate or inspect TLS at a proxy or load balancer in front of the sensor (which has its own privacy and key-management costs), to place host-based sensors where the data is in clear, or to accept that for encrypted flows only metadata such as addresses, ports, volumes, and connection rates is available for detection.
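The following is an added example, written for this page rather than taken from the article or from any IDS product, that runs the three detection methods described above (signature, protocol analysis, and flow-level anomaly detection) over constructed sample packets. It also shows the encryption problem concretely: the same SQL injection request sent once over plain HTTP and once as an opaque TLS record, where the content engines go silent and only the flow-level engine still has something to work with. The packet format, addresses, signature patterns, thresholds and alert names are all assumptions made for the example.

```python
"""Three NIDS detection methods on constructed traffic, and what TLS hides from them."""
import re
from dataclasses import dataclass
from urllib.parse import unquote_to_bytes


@dataclass
class Packet:
    """One packet as a passive sensor sees it (constructed for this example)."""
    src: str
    dst: str
    dport: int
    payload: bytes
    encrypted: bool = False  # True when the sensor sees only TLS ciphertext


# 1. Signature-based: byte patterns for known attacks. These patterns are written
#    for this example and are not any vendor's real signatures.
SIGNATURES = {
    "sqli-union-select": re.compile(rb"(?i)\bunion\s+(?:all\s+)?select\b"),
    "path-traversal": re.compile(rb"\.\./\.\./"),
}


def signature_detect(pkt):
    """Names of signatures that match the packet's visible, percent-decoded payload."""
    if pkt.encrypted:
        return []  # ciphertext never matches a content signature
    data = unquote_to_bytes(pkt.payload)  # normalise %20 etc. so encoding does not evade us
    return [name for name, rx in SIGNATURES.items() if rx.search(data)]


# 2. Stateful protocol analysis: HTTP on port 80 must begin with a well-formed
#    request line; a deviation is suspicious even when no signature fires.
HTTP_REQUEST_LINE = re.compile(rb"^(?:GET|HEAD|POST|PUT|DELETE|OPTIONS) (\S+) HTTP/1\.[01]\r\n")
MAX_URI_LEN = 2048


def protocol_detect(pkt):
    """Alerts for HTTP requests that break the protocol grammar or sane limits."""
    if pkt.encrypted or pkt.dport != 80:
        return []
    m = HTTP_REQUEST_LINE.match(pkt.payload)
    if m is None:
        return ["http-malformed-request-line"]
    if len(m.group(1)) > MAX_URI_LEN:
        return ["http-uri-too-long"]
    return []


# 3. Anomaly-based at the flow level (the NBA view): a source touching far more
#    distinct ports than its baseline is probably scanning. This uses only flow
#    metadata, so it keeps working when payloads are encrypted.
def anomaly_detect(packets, baseline_ports_per_src=3, factor=5):
    """Sources whose distinct destination-port fan-out exceeds factor * baseline."""
    ports_by_src = {}
    for p in packets:
        ports_by_src.setdefault(p.src, set()).add(p.dport)
    threshold = baseline_ports_per_src * factor
    return sorted(src for src, ports in ports_by_src.items() if len(ports) > threshold)


def run_ids(packets):
    """Run all three engines and return alert names keyed by source address."""
    alerts = {}
    for p in packets:
        for name in signature_detect(p) + protocol_detect(p):
            alerts.setdefault(p.src, []).append(name)
    for src in anomaly_detect(packets):
        alerts.setdefault(src, []).append("port-scan-anomaly")
    return alerts


# Constructed sample traffic (RFC 5737 documentation addresses).
SQLI_REQUEST = (b"GET /items?id=1%20UNION%20SELECT%20user,pass%20FROM%20users HTTP/1.1\r\n"
                b"Host: shop\r\n\r\n")
SAMPLE_TRAFFIC = [
    Packet("10.0.0.5", "10.0.1.10", 80, b"GET /index.html HTTP/1.1\r\nHost: shop\r\n\r\n"),
    Packet("198.51.100.7", "10.0.1.10", 80, SQLI_REQUEST),
    Packet("198.51.100.7", "10.0.1.10", 80, b"GET /../../etc/passwd HTTP/1.1\r\nHost: shop\r\n\r\n"),
    Packet("203.0.113.9", "10.0.1.10", 80, b"GET /index.html\r\n\r\n"),  # request line has no HTTP version
    # The same SQL injection sent over HTTPS: the sensor sees only a TLS record
    # (constructed opaque bytes), so neither content engine can fire on it.
    Packet("198.51.100.7", "10.0.1.10", 443, bytes.fromhex("17030300 45a1b2c3 d4e5f601"), encrypted=True),
] + [Packet("192.0.2.66", "10.0.1.10", port, b"") for port in range(20, 60)]  # 40-port sweep

if __name__ == "__main__":
    for src, names in run_ids(SAMPLE_TRAFFIC).items():
        print(src, names)
```

Run on the sample traffic, the plaintext injection and traversal from 198.51.100.7 are caught by signatures, the version-less request line from 203.0.113.9 is caught by protocol analysis, and the 40-port sweep from 192.0.2.66 is caught by the flow-level anomaly engine; the encrypted copy of the injection produces nothing at all, which is exactly the gap the text describes. Percent-decoding before signature matching is the small normalisation step that stops `%20` from evading a space in the pattern; real sensors perform many more such normalisations, and each one an attacker finds missing is an evasion.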

What are the basic principles and requirements for intrusion detection?

Principles for intrusion detection:

  • System durability/reliability
  • Minimal nuisance alarms (false positives)
  • Maximum detection capability
  • Minimal maintenance
  • Ability to accurately pinpoint the location of an intrusion
  • Ability to work with other/complementary technologies

What is an intruder detection system and why you should consider having one?

The primary benefit of an intrusion detection system is that IT personnel are notified when an attack or network intrusion may be taking place. A network intrusion detection system (NIDS) monitors inbound and outbound traffic at the network boundary as well as traffic passing between systems inside the network.