Chapter 2
Planning the IPS Installation
Introduction to StoneGate IPS
A StoneGate IPS system consists of Sensors, Analyzers, and the StoneGate Management
Center. Sensors pick up network traffic, inspect it, and create event data for further processing
by the Analyzers.
StoneGate Sensors and Analyzers can be distributed as follows:
• a combined Sensor-Analyzer with these two components on a single machine.
• a single node Sensor.
• a Sensor cluster, which consists of 2 to 16 machines with Sensors called cluster nodes or nodes for short.
• an Analyzer, which is required when a single node Sensor or a Sensor cluster is used.
You can install sensors in two basic ways:
• IDS (intrusion detection system) installation: Sensors capture and inspect all traffic in the connected network segment, but do not, by default, interrupt the flow of traffic in any way.
• IPS (intrusion prevention system) installation: Sensors are installed inline, so that all traffic that is to be inspected flows through the Sensor. In this setup, the Sensor itself can also be used to automatically block selected traffic according to how you configure it. Inline sensors in transparent access control mode (requires a separate license) provide transparent access control and logging for Ethernet (layer 2) traffic.
The main features of StoneGate IPS include:
• Multiple detection methods: misuse detection uses fingerprints to detect known attacks. Anomaly detection uses traffic statistics to detect unusual network behavior. Protocol validation identifies violations of the defined protocol for a particular type of traffic. Event correlation in the Analyzer processes event information received from the Sensors to detect a pattern of events that might indicate an intrusion attempt.
• Response mechanisms: There are several response mechanisms to anomalous traffic. These include different alerting channels, traffic recording, TCP connection termination, traffic blacklisting, and traffic blocking with inline IPS.
The sensors and analyzers are always managed centrally through the StoneGate Management
Center (SMC). You must have an SMC configured before you can proceed with installing the
sensors and analyzers. The SMC can be used to manage a large number of different StoneGate
products. The SMC installation is covered in a separate guide. See the SMC Reference Guide for more background information on the SMC, and the IPS Reference Guide for more background information on the StoneGate sensors and analyzers.
Example Network Scenario
To get a better understanding of how StoneGate fits into a network, you can consult the Example
Network Scenario that shows you one way to deploy StoneGate. See