Is your Network Intrusion Detection System blind in one eye?
If your network administrator/security guy implemented more than just the basic security for your network, you’ve got a Network Intrusion Detection System (NIDS) connected to your network. A NIDS inspects network packets looking for indications of hostile activity, such as exploit attempts, malicious email, port scanning, and protocols associated with specific Trojans. When implementing a NIDS, there are several different options for connecting it to the network. A common option is to mirror one or more ports on a network switch to send a copy of each packet to the NIDS. This can be accomplished in several different ways:
Option 1: Connect the NIDS in front of the router (Switch A, red line). The NIDS “sees” all hostile activity (meaning the NIDS is able to inspect the network packets) attempting to enter the network at the router and leaving the network from the router, but cannot see anything behind the router. It does not know if inbound hostile activity is blocked by the router (access control list) or firewall (firewall policy).
Option 2: Connect the NIDS in front of the firewall (Switch B, purple line). The NIDS sees all hostile activity between the router and the firewall, but cannot see inbound hostile activity blocked by the router or any activity internal to the network at Switch C. The NIDS cannot see what hostile activity leaves the router in the outbound direction and does not know if the router blocks the outbound hostile activity. The NIDS does not know what inbound hostile activity is blocked by the firewall and does not see outbound hostile activity from Switch C that is blocked by the firewall.
Option 3: Connect the NIDS behind the firewall (Switch C, blue line). The NIDS does not see any hostile activity in front of the router or between the router and the firewall. The NIDS does not know if any outbound hostile activity is blocked by the firewall or router. There are two switch configuration options at Switch C:
a. The NIDS sees all packets entering and leaving the network, but is not configured to see the packets going between desktops A, B and C.
b. The NIDS sees all packets entering and leaving the network and is also configured to see the packets going between desktops A, B and C.
Option 4: The NIDS is connected using any combination of the options listed above.
Given these options, what option(s) would you choose to connect the NIDS to the network?
Here are two questions for you to ask your network administrator/security guy:
1. How many ports on the NIDS are connected to the network?
2. What devices are connected to the NIDS and what activity does it see (inbound, outbound, desktop, server, etc.)?
After you talk with your network administrator/security guy, ask yourself these questions given your network’s NIDS configuration:
1. If the user on Desktop A opens a malicious email that installs a Trojan that isn’t detected by the anti-virus/anti-spyware software, and the Trojan starts attacking Desktops B and C, what will the NIDS see?
2. If the NIDS is connected to Switch A and/or B but not Switch C, and outbound hostile activity is blocked by the firewall, what will the NIDS see?
3. If the NIDS is connected to Switch B and/or C but not Switch A, how will you know what type of inbound exploits are being attempted if the activity is blocked by the router’s access control list?
4. Are you happy with your network’s NIDS configuration?
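To work these questions through systematically, here is a small coverage model (added here, not part of the original post) of the Switch A / router / Switch B / firewall / Switch C layout described above. The hop names and the `mirror_desktops` flag (option 3b) are assumptions made for the model; a sensor sees a packet only if the packet actually crosses the switch whose ports are mirrored to it.

```python
# Constructed model of NIDS sensor coverage for the layout in the post.
# Hops a packet crosses on its way in, outermost first. Outbound traffic
# crosses the same hops in reverse; a filter that drops the packet ends
# the walk at that hop, so sensors further along never see it.
INBOUND_PATH = ["switch_a", "router", "switch_b", "firewall", "switch_c"]
SENSOR_POINTS = {"switch_a", "switch_b", "switch_c"}   # where a NIDS port can sit


def hops_crossed(direction, blocked_at=None):
    """Hops a packet reaches before it is delivered or dropped.

    direction: "inbound", "outbound" or "internal" (desktop-to-desktop at
    Switch C). blocked_at: "router" or "firewall" when a filter drops it.
    """
    if direction == "internal":
        return ["switch_c_local"]           # never leaves Switch C
    path = INBOUND_PATH if direction == "inbound" else INBOUND_PATH[::-1]
    crossed = []
    for hop in path:
        crossed.append(hop)
        if hop == blocked_at:               # dropped here; nothing further
            break
    return crossed


def nids_sees(sensors, direction, blocked_at=None, mirror_desktops=False):
    """True if any sensor in `sensors` sees the flow.

    mirror_desktops is option 3b: Switch C also mirrors the desktop ports,
    not only the uplink toward the firewall.
    """
    unknown = set(sensors) - SENSOR_POINTS
    if unknown:
        raise ValueError(f"unknown sensor point(s): {sorted(unknown)}")
    crossed = set(hops_crossed(direction, blocked_at))
    if "switch_c_local" in crossed:
        return "switch_c" in sensors and mirror_desktops
    return bool(crossed & set(sensors))


def coverage_gaps(sensors, mirror_desktops=False):
    """Return the scenarios from the questions above that the NIDS is blind to."""
    scenarios = {
        "trojan on Desktop A attacks B and C": ("internal", None),
        "outbound attack blocked by firewall": ("outbound", "firewall"),
        "inbound exploit blocked by router ACL": ("inbound", "router"),
        "inbound exploit blocked by firewall": ("inbound", "firewall"),
    }
    return [name for name, (d, b) in scenarios.items()
            if not nids_sees(sensors, d, b, mirror_desktops)]


if __name__ == "__main__":
    for sensors in ({"switch_a"}, {"switch_b"}, {"switch_c"}, SENSOR_POINTS):
        print(sorted(sensors), "blind to:", coverage_gaps(sensors, True))
```

Running it shows that no single switch covers all four scenarios; only a combination (option 4) with desktop-port mirroring at Switch C leaves an empty blind-spot list.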
Many organizations don’t realize that their NIDS implementation is flawed and, as a result, their NIDS doesn’t see hostile activity at certain points within their network infrastructure. This means that those monitoring the NIDS may not realize what hostile activity is attempting to get into the network, is happening inside the network, or is attempting to get out of the network. Does your network’s NIDS implementation get a passing grade?