Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Setting Up an Intrusion Detection System: Page 2 of 8

Depending on how your network is organized, you might need multiple IDSs or sensors to cover all the bases. At the very least, an IDS at the core router or switch will see most traffic streams coming through the network operations center. Be sure an IDS at this location can examine packets traversing the network in both directions--it's easy to set up a device on a half-duplex link inadvertently and miss traffic critical to determining the nature of an attack.

Some IDSs coordinate input from multiple sensors into a single reporting console, which lets you receive notification of illicit traffic from anywhere within the network. However, multiple monitoring locations means more data to store, examine and act upon.

Automated tools for analyzing IDS logs are available, but most interpretation is done by an IT person who's trained in what to look for and knows your traffic patterns. He or she combs through the IDS log to see how a perpetrator got past your security systems.

A successful IDS deployment doesn't need heavy CPU horsepower. It does, however, need to be connected to the network properly and have enough storage to allow useful analysis of the data (see "Step by Step,").

You can install the IDS via a span port on a switch, for example, or via a network tap. Each method has its advantages and disadvantages.