https://community.cisco.com/t5/network-security/ids-location/m-p/1054998#M79039 <HTML><HEAD></HEAD><BODY><P>I was looking for an article about where to place an IDS on a network.</P></BODY></HTML> Wed, 27 Aug 2008 13:33:38 GMT rayroyalmontana 2008-08-27T13:33:38Z https://community.cisco.com/t5/network-security/ids-location/m-p/1054993#M79024 <P>What factors should be considered when deciding where to place an IDS on a network?</P> Sun, 10 Mar 2019 11:16:02 GMT https://community.cisco.com/t5/network-security/ids-location/m-p/1054993#M79024 rayroyalmontana 2019-03-10T11:16:02Z https://community.cisco.com/t5/network-security/ids-location/m-p/1054994#M79028 <HTML><HEAD></HEAD><BODY><P>One of the most important considerations to sensor placement is to place it inside the firewall. This will keep you from looking at events that would have been blocked by your firewall poilcy and allow you to spend your time looking at reall traffic entering your network.</P><P>If you use a VPN, placing the sensor on the unencrypted side is good too.</P></BODY></HTML> Tue, 26 Aug 2008 18:13:48 GMT https://community.cisco.com/t5/network-security/ids-location/m-p/1054994#M79028 rhermes 2008-08-26T18:13:48Z https://community.cisco.com/t5/network-security/ids-location/m-p/1054995#M79031 <HTML><HEAD></HEAD><BODY><P>Another important point is to compare the throughput offered by the throughput with the one to be monitored. Otherwise it could be a real bottleneck for our network. This would also influence your deployment mode (Inline,Promiscuous etc.)</P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Tue, 26 Aug 2008 19:10:09 GMT https://community.cisco.com/t5/network-security/ids-location/m-p/1054995#M79031 Farrukh Haroon 2008-08-26T19:10:09Z https://community.cisco.com/t5/network-security/ids-location/m-p/1054996#M79033 <HTML><HEAD></HEAD><BODY><P>Can you provide a link to an article about this issue?</P></BODY></HTML> Wed, 27 Aug 2008 10:21:58 GMT https://community.cisco.com/t5/network-security/ids-location/m-p/1054996#M79033 rayroyalmontana 2008-08-27T10:21:58Z https://community.cisco.com/t5/network-security/ids-location/m-p/1054997#M79036 <HTML><HEAD></HEAD><BODY><P>Can you be let us know about which 'issue' do you need the link?</P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Wed, 27 Aug 2008 13:24:13 GMT https://community.cisco.com/t5/network-security/ids-location/m-p/1054997#M79036 Farrukh Haroon 2008-08-27T13:24:13Z https://community.cisco.com/t5/network-security/ids-location/m-p/1054998#M79039 <HTML><HEAD></HEAD><BODY><P>I was looking for an article about where to place an IDS on a network.</P></BODY></HTML> Wed, 27 Aug 2008 13:33:38 GMT https://community.cisco.com/t5/network-security/ids-location/m-p/1054998#M79039 rayroyalmontana 2008-08-27T13:33:38Z https://community.cisco.com/t5/network-security/ids-location/m-p/1054999#M79041 <HTML><HEAD></HEAD><BODY><P>I'm not aware of any such document on the Cisco website at least. Ill try to write a short description here. </P><P></P><P>Some places to use Promiscuous mode:</P><P></P><P>&gt; When you fear that the sensor will be a bottleneck because of its limited throughput (if placed Inline) in each traffic flow.</P><P>&gt; You want to protect a server farm subnet, but not all subnets in it. This is sort of related to the first point.</P><P>&gt; You are concerned that the sensor deployment is not mature and it might block valid connections (False Negative).</P><P></P><P>Some places to use Inline mode:</P><P></P><P>&gt; When you want the IPS to play a more 'active' role in the network and Deny packets as they pass through it. With promiscuous mode it is possible that the attack goes through before the sensor actually goes ahead and 'logs' into the blocking device and block its.</P><P>&gt; When you have devices that are not supported for blocking, like non cisco routers etc. you would go for inline</P><P>&gt; You want the sensor to have a 'better view' of the network</P><P></P><P>Some places to use Inline VLAN pair mode:</P><P></P><P>Same as inine, but you don't have enough physical interfaces to cover all physical segments. Also IDSM-2 is usually deployed in this fashion.</P><P></P><P>Please rate if helpful.</P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Wed, 27 Aug 2008 15:25:33 GMT https://community.cisco.com/t5/network-security/ids-location/m-p/1054999#M79041 Farrukh Haroon 2008-08-27T15:25:33Z https://community.cisco.com/t5/network-security/ids-location/m-p/1055000#M79043 <HTML><HEAD></HEAD><BODY><P><A class="jive-link-custom" href="http://analysisandreview.com/security/ips-ids-install-tune-incident-response-guide/" target="_blank">http://analysisandreview.com/security/ips-ids-install-tune-incident-response-guide/</A></P></BODY></HTML> Wed, 03 Sep 2008 16:48:58 GMT https://community.cisco.com/t5/network-security/ids-location/m-p/1055000#M79043 kutukutu9 2008-09-03T16:48:58Z