ch20lev1sec8.html

Deploying IPS

As discussed in previous sections, Cisco offers a wide range of IDS/IPS solutions that can be deployed in various network segments throughout the network architecture as required. These comprehensive deployment methods offer solutions from small- and medium-sized to large-scale enterprise and service provider network environments.

Figure 20-5 exemplifies the various areas in a network in which Cisco IDS/IPS sensors can be deployed.

Figure 20-5. Cisco IDS/IPS Networkwide Deployment

[View full size image]

Table 20-2 lists some basic pros and cons of deploying IDS versus IPS sensors.

Table 20-2. Deploying IDS Versus IPS
Pros Cons
IDS Sensor (Intrusion Detection System) Deploying the sensor has no impact on the network (latency, jitter, and so on). IDS response actions cannot stop the trigger packet and cannot guarantee stopping a connection.
Sensor is not inline; therefore, a sensor failure cannot impact network functionality. Being out of band, IDS sensors are more vulnerable to network evasion techniques.
Monitors traffic on a given segment promiscuously. Captures traffic by using SPAN, TAP, VACL capture, and so on. Cannot perform inline monitoring and does not have the capability to perform inline response action (deny-packet).
IPS Sensor (Intrusion Prevention System) Supports inline monitoring with inline response action deny-packet capability. Packet effects (latency, and so on). Packet drops due to latency will impact traffic streams.
TCP/IP traffic normalization. Network effects (bandwidth, connection rate, and so on).
Monitors all traffic traversing between two interfaces transparently. Often, IPS cannot be implemented "everywhere" because of cost restrictions.

	Pros	Cons
IDS Sensor (Intrusion Detection System)	Deploying the sensor has no impact on the network (latency, jitter, and so on).	IDS response actions cannot stop the trigger packet and cannot guarantee stopping a connection.
	Sensor is not inline; therefore, a sensor failure cannot impact network functionality.	Being out of band, IDS sensors are more vulnerable to network evasion techniques.
	Monitors traffic on a given segment promiscuously. Captures traffic by using SPAN, TAP, VACL capture, and so on.	Cannot perform inline monitoring and does not have the capability to perform inline response action (deny-packet).
IPS Sensor (Intrusion Prevention System)	Supports inline monitoring with inline response action deny-packet capability.	Packet effects (latency, and so on). Packet drops due to latency will impact traffic streams.
	TCP/IP traffic normalization.	Network effects (bandwidth, connection rate, and so on).
	Monitors all traffic traversing between two interfaces transparently.	Often, IPS cannot be implemented "everywhere" because of cost restrictions.