Where to place IDS network sensors

JP Vossen explains where to place IDS sensors.

After deciding to implement an IDS like Snort, determining your budget, choosing a product and understanding how...

NIDSes (network intrusion-detection systems) work in relation to network architectures (especially network switches and VLANs) you will need to figure out where to place the IDS sensors that actually "sniff" the wire and monitor your network traffic. To determine that, you need to ask yourself three more questions: What is my risk, what am I trying to monitor and protect, and how does the traffic flow in my environment?

More information

  • Learn more about network firewalls with this comprehensive guide.
  • Learn about the ins and outs of intrusion detection.

As we discussed in the tip How to handle network design with switches and segments, intrusion detection systems and network switches don't get along, so you need to understand how traffic flows to and from the resources you need to protect in order to establish the best place(s) to monitor. One of the most obvious places to put an IDS sensor is near the firewall. But, do you put the network sensor inside the firewall, outside or both? If your goal is to see just what a bad neighborhood you've walked into when you connected to the Internet then by all means put an IDS sensor outside the firewall. Just make sure you harden it appropriately. If you're more interested in the potentially malicious traffic that has made it inside the perimeter, then monitor inside.

There are legitimate political, budgetary and research reasons to want to see all the "attacks" against your connection, but given the care and feeding any IDS like Snort requires, do yourself a favor and keep your IDS sensors on the inside of the firewall. We all know the Internet has a lot of evil traffic, so there's usually no need to waste the resources to prove it.

With the low capital cost of Snort (free) and the hardware to run it on (cheap) the real cost is your time and labor for implementation, configuration and ongoing monitoring. Ideally you want to have an IDS network sensor on your DMZ with all your public servers, on the LAN just inside the firewall and on your extranet if you have one, in that order. After that it depends on your environment. Consider your choke points, possible avenues of attack and your risk. Brainstorm for any possibly useful locations, prioritize them and then work down the list as resources allow. Any well-planned and well-tuned intrusion detection system will be an excellent addition to your defense-in-depth strategy. A poorly planned and noisy IDS will just be a nuisance.


  Why Snort makes IDS worth the time and effort
  How to identify and monitor network ports
  How to handle network design with switches and segments
  <class="text3">Where to place IDS network sensors
  Finding an OS for Snort IDS sensors.
  How to determine network interface cards for IDS sensors
  Modifying and writing custom Snort IDS rules
  How to configure Snort variables
  Where to find Snort IDS rules
  How to automatically update Snort rules
  How to decipher the Oinkcode for Snort VRT rules
  Using IDS rules to test Snort


JP Vossen, CISSP, is a Senior Security Engineer for Counterpane Internet Security. He is involved with various open source projects including Snort, and has previously worked as an information security consultant and systems engineer.

Dig Deeper on Threat detection and response

Enterprise Desktop
Cloud Computing