Intrusion detection systems and intrusion prevention systems can be quite expensive. As such, a risk-based decision should be used to determine which system is best and where it should be located to provide the most cost-effective benefits. There are typically two scenarios which will determine the appropriate system(s): the institution either hosts Internet-accessible servers or it does not. The distinction plays a key role in determining the appropriate system for the institution.
Internet Accessible Servers
If the institution hosts systems that must be accessible from untrusted sources, such as a web server being accessed from the Internet, an in-line intrusion detection/prevention (IDS/IPS) system would be appropriate for access to the network segment hosting the accessible system. In the web server example, authorized traffic would pass through the firewall into a screened subnet (a/k/a demilitarized zone). This traffic should then pass through an IDS/IPS on its way to the web server. In this configuration, the firewall should filter most traffic, with the IDS/IPS evaluating the remaining traffic destined for the web server. Should malicious traffic pass through the firewall, the IDS/IPS should identify and stop the traffic before it enters the internal network. If the institution does not have externally accessible systems (e.g. web server, email server), the use of an inline IDS/IPS may be overkill, as there should be no traffic allowed through the firewall that originated from untrusted networks, such as the Internet. The FSA recommends network intrusion detection systems “at any location where network traffic from external entities is allowed to enter controlled or private networks.”
No Internet-Accessible Servers
As stated above, if the institution does not maintain any Internet-accessible servers, then an inline IDS/IPS may be inappropriate, as it would be expensive and provide little benefit over a properly configured firewall. Given that all traffic originating from outside is blocked at the firewall, it is unlikely that the internal systems will be attacked from the outside. With an inline configuration, the system is only monitoring traffic that passes through the IDS/IPS. An inline IDS/IPS would not detect an internal system attacking another internal system. Should malicious traffic from system A attack system B without passing through the IDS/IPS, it would go undetected. Could this happen? Yes. Although the attacker would have to gain access to the internal network, such access could be from a malicious employee, an insecure/unauthorized wireless access point, remote access software, a directly connected appliance, etc.
Given that an inline IDS/IPS would not mitigate the risk in the aforementioned scenario, an intrusion detection system (IDS) that monitors an entire network segment would be more appropriate. Such a system would alert management to any suspicious traffic on the subnet that is being monitored. With that said, it could be quite costly to monitor all network segments with an IDS, such as branch locations. In order to provide a good value for the security dollars spent, an IDS could be limited to the network segments that host critical systems. For instance, if a financial institution has twenty locations, but only two locations contain critical systems, the institution may warrant installing IDS only at the locations with critical systems. The FSA states, “Multiple nIDS [network-based intrusion detection systems] units can be used, with placement determined by the expected attack paths to sensitive data. Generally speaking, the closer the nIDS is to sensitive data, the more important the tuning, monitoring, and response to nIDS alerts.” Should a non-critical system be compromised at a location without an IDS, the damage would be minimal, as the system should not have any critical and/or sensitive data. Should the compromised system then attempt to attack critical systems, the IDS monitoring the network segment with the critical systems should trigger appropriate alerts.
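As an added illustration of the placement argument above (this is not part of the original article and does not come from the FSA guidance), the following Python model uses a constructed topology in which an inline IDS/IPS sees only flows crossing its link while a passive NIDS sees every flow touching its segment, so one can check which flows toward a critical system would go unobserved. Segment names, host names and sensor placements are all assumptions chosen for the example.

```python
from collections import deque

# Constructed sample topology (not from the article): segments joined by
# firewall/router hops, and the segment each host lives on.
LINKS = [("internet", "dmz"), ("dmz", "hq-lan"), ("hq-lan", "branch-lan")]
HOST_SEGMENT = {
    "internet-client": "internet",
    "web-server": "dmz",
    "hq-workstation": "hq-lan",
    "core-banking": "hq-lan",  # the critical system
    "branch-pc": "branch-lan",
    "branch-server": "branch-lan",  # non-critical, deliberately unmonitored
}
# Sensor placements: an inline IDS/IPS sits on one link and sees only traffic
# crossing it; a passive NIDS (tap/SPAN port) sees everything on its segment.
SENSORS = {
    "ips-dmz": ("inline", ("internet", "dmz")),
    "nids-hq": ("passive", "hq-lan"),
}

def segment_path(src_seg, dst_seg):
    """BFS over LINKS; ordered segments a flow traverses ([] if unreachable)."""
    adj = {}
    for a, b in LINKS:
        adj.setdefault(a, []).append(b)
        adj.setdefault(b, []).append(a)
    queue, visited = deque([[src_seg]]), {src_seg}
    while queue:
        path = queue.popleft()
        if path[-1] == dst_seg:
            return path
        for nxt in adj.get(path[-1], []):
            if nxt not in visited:
                visited.add(nxt)
                queue.append(path + [nxt])
    return []

def sensors_seeing(src_host, dst_host):
    """Sorted names of sensors whose vantage point the flow src->dst crosses."""
    path = segment_path(HOST_SEGMENT[src_host], HOST_SEGMENT[dst_host])
    hops = {frozenset(pair) for pair in zip(path, path[1:])}
    seen = []
    for name, (kind, where) in SENSORS.items():
        if kind == "inline" and frozenset(where) in hops:
            seen.append(name)
        elif kind == "passive" and where in path:
            seen.append(name)
    return sorted(seen)
```

A flow between two hosts on the same internal segment never crosses the DMZ link, so only the passive sensor on that segment reports it; a flow confined to an unmonitored branch segment returns no sensors at all, which is the residual risk the article accepts for non-critical locations.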