Focused IDS Sensor Placement

by Dan Strom on January 21, 2009

I’ve been working lately on appropriate placement of IDS sensors. We don’t have the staff to designate someone as a full-time intrusion analyst. As a result, I need to evaluate how we use IDS. Traditionally, we have had a sensor watching all in- and out-bound traffic. More information is generated than can reasonably be monitored.

It seems that for us, placing a focused sensor in front of critical servers, or on sensitive segments, is where we get the most bang for the buck. There we will be able to tune the IDS ruleset to only alert and log on events that are relevant to hosts on the segment where the sensor is placed.

It has been educational to be forced to look at the servers with the intent of only including IDS rules that are appropriate to the particular host configurations. For example, if we are using Windows servers with IIS, there is no need to have the IDS check for attacks that only target Linux and Apache. Likewise, rules for the database server need to be focused on the product and host OS.
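The per-segment tuning described above can be made repeatable rather than done by hand. The following is an added example, not code from the original post: it assumes a Snort-style rule syntax and a hypothetical convention (an assumption, not a real ruleset's format) that each rule carries a `metadata:os ..., service ...` tag naming the platform it targets. Given a constructed inventory of the hosts behind a sensor, it keeps only the rules whose target OS, service and destination port exist on that segment, and reports what it dropped so the exclusions can be reviewed. Rules with no platform tag are kept, since there is no evidence they are irrelevant.

```python
"""Segment-focused IDS ruleset selection (added example, not from the post).

Assumes Snort-style rules and a hypothetical tag convention:
    metadata:os <name>, service <name>;
Real rulesets use vendor-specific metadata keys; adapt parse_rule() accordingly.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample ruleset. The sids are in the local range (>= 1000000)
# and the metadata tags follow the hypothetical convention described above.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-IIS sample ISAPI probe"; classtype:web-application-attack; metadata:os windows, service iis; sid:9000001;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-APACHE sample module probe"; classtype:web-application-attack; metadata:os linux, service apache; sid:9000002;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1433 (msg:"SQL sample MSSQL login storm"; classtype:attempted-user; metadata:os windows, service mssql; sid:9000003;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"MYSQL sample auth probe"; classtype:attempted-user; metadata:os linux, service mysql; sid:9000004;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN sample generic probe"; classtype:attempted-recon; sid:9000005;)
"""

HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)


@dataclass
class Rule:
    sid: int
    msg: str
    proto: str
    dport: str               # "80", "1433" or "any"
    os: Optional[str]        # platform tag; None when the rule is generic
    service: Optional[str]
    raw: str


@dataclass
class Host:
    name: str
    os: str
    services: dict           # destination port -> service name


# Constructed inventory of the server segment behind the focused sensor.
SERVER_SEGMENT = [
    Host("web01", "windows", {80: "iis", 443: "iis"}),
    Host("db01", "windows", {1433: "mssql"}),
]


def parse_options(opts: str) -> dict:
    """Split 'key:value; key; ...' into a dict; quotes around msg are stripped."""
    out = {}
    for item in opts.split(";"):
        item = item.strip()
        if not item:
            continue
        key, _, value = item.partition(":")
        out[key.strip()] = value.strip().strip('"')
    return out


def parse_rule(line: str) -> Rule:
    """Parse one rule line, pulling out the destination port and platform tag."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    opts = parse_options(m.group("opts"))
    os_tag = service_tag = None
    for entry in opts.get("metadata", "").split(","):
        key, _, value = entry.strip().partition(" ")
        if key == "os":
            os_tag = value.strip().lower()
        elif key == "service":
            service_tag = value.strip().lower()
    return Rule(sid=int(opts["sid"]), msg=opts.get("msg", ""), proto=m.group("proto"),
                dport=m.group("dport"), os=os_tag, service=service_tag, raw=line.strip())


def load_rules(text: str) -> list:
    return [parse_rule(l) for l in text.splitlines() if l.strip() and not l.startswith("#")]


def rule_applies(rule: Rule, hosts: list) -> bool:
    """True if some host on the segment runs the OS/service/port the rule targets.
    Untagged rules are kept: nothing shows they are irrelevant to this segment."""
    if rule.os is None and rule.service is None:
        return True
    for host in hosts:
        if rule.os and host.os != rule.os:
            continue
        if rule.service and rule.service not in host.services.values():
            continue
        if rule.dport != "any" and int(rule.dport) not in host.services:
            continue
        return True
    return False


def select_rules(rules: list, hosts: list):
    """Partition rules into (kept, dropped) for the given segment inventory."""
    kept, dropped = [], []
    for rule in rules:
        (kept if rule_applies(rule, hosts) else dropped).append(rule)
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = select_rules(load_rules(SAMPLE_RULES), SERVER_SEGMENT)
    print("# tuned ruleset for server segment")
    for rule in kept:
        print(rule.raw)
    print("# dropped (no matching host on segment):")
    for rule in dropped:
        print(f"#   sid {rule.sid}: {rule.msg} [os={rule.os}, service={rule.service}]")
```

Run against the constructed inventory, the Apache and MySQL rules are dropped and the IIS, MSSQL and untagged scan rules are kept. The dropped list is worth keeping alongside the tuned ruleset: when a host on the segment changes OS or gains a service, the inventory is updated and the selection is re-run, which is far easier to audit than a hand-edited rules file.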

At this point there doesn’t seem to be much of a reason to have IDS on the user segments.

As always, it is a good thing to be able to simplify things.

- Dan
