Where Are Your Security Operations Located; Where Should I Deploy Sensors - McAfee M-1250 - Network Security Platform Deployment Manual

McAfee® Network Security Platform 6.0
M-8000
M-6050
M-4050
M-3050
M-2750
M-1450
M-1250
N-450

Where are your security operations located?

To successfully defend against intrusions, McAfee recommends dedicated monitoring of
the security system. Network intrusions can happen at any given moment, so having a
dedicated 24-hour-a-day prevention system will make the security solution complete and
effective.
Where are your security personnel? How many users are involved? Knowing who will be
configuring your policies, monitoring events, running reports, and performing other
configuration tasks will help you manage your users and determine where you locate your
McAfee
secure location, should be logically accessible to users, and must have reliable
connectivity so as to be able to communicate with all deployed Sensors.

Where should I deploy Sensors?

Should you deploy Sensors at the perimeter of your network, in front of the servers you
want to protect, or at a convenient nexus where all traffic passes?
Deployment at the perimeter does not protect you from internal attacks, which are some of
the most common source of attacks. Perimeter monitoring is also useless if a network has
multiple ISP connections at multiple locations (such as one Internet connection in New
York and one in San Jose) and if you expect to see asymmetric traffic routing (that is,
incoming traffic comes through New York and outgoing traffic goes out through San Jose).
The IPS simply will not see all the traffic to maintain state and detect attacks. Deployment
in front of the servers that you want to protect both detects attacks from internal users and
deals effectively with the geographically diverse asymmetric routing issue.
An illustration of the advantage of Sensors' multiple segment monitoring is to consider the
question of installing Sensors with respect to firewalls. It is very common to deploy
Sensors around firewalls to inspect the traffic that is permitted by the firewall. A common
question when installing Sensors around the firewall is: Do you put the Sensors on the
inside (Private and DMZ) or put them outside (Public) the firewall?. There are benefits to
both scenarios, and the more complete solution includes both. For example, if you detect
Sensor Aggregate Performance
10 Gbps
5 Gbps
3 Gbps
1.5 Gbps
600 Mbps
200 Mbps
100 Mbps
2 Gbps
®
Network Security Manager server. The Manager should be placed in a physically
Planning Network Security Platform Installation
11