CND (312-38) Network Defense Simulation
Strategic IDS Deployment
Evaluate network topology to determine the optimal placement for an Intrusion Detection System (IDS) based on specific organizational monitoring objectives.
Network Scenario
You are architecting the monitoring strategy for a mid-sized enterprise. The CISO mandates increased visibility into lateral movement, insider threats, and infected workstations spreading malware within the organization. Review the proposed sensor placement diagram below.
    [ EXTERNAL INTERNET ]
              │
         (Location 4)
              │
    [ PERIMETER FIREWALL ]
              │
       ┌──────┴──────┐
       │             │
  (Location 2)  (Location 3)
       │             │
  [ DMZ SWITCH ]  [ CORE ROUTER ]
  [Web Services]     │
                (Location 1)
                     │
              [ CORE SWITCH ]
      [ Internal Endpoints/Servers ]
Traffic & Logs
Question
An administrator wants to monitor and inspect large amounts of traffic and detect unauthorized attempts from inside the organization with the help of an IDS, but is unable to determine the exact location to deploy the IDS sensor. Can you help them identify the location where the IDS sensor should be placed?
Expert Analysis
1. Network Activity Overview
To effectively defend a network, defenders must map their visibility requirements to physical or logical chokepoints. Traffic flowing inside the organization (e.g., between an employee laptop and an internal file server) rarely traverses the perimeter firewall.
2. Behavioral Identification
The specific threat model in the question involves "unauthorized attempts from inside the organization" (insider threat or compromised internal endpoint performing lateral movement). This behavior occurs almost entirely within the internal switching fabric.
3. Why the Correct Answer is Correct
A (Location 1) is the correct placement. Location 1 sits on the internal LAN / Core Switch. By configuring a SPAN (Switched Port Analyzer) or mirror port here, the IDS gains visibility into internal "East-West" traffic, allowing it to detect lateral movement, internal reconnaissance, and insider abuse.
4. Why the Others are Wrong
- B (Location 2 - DMZ): Only sees traffic destined for or originating from public-facing servers. It is blind to internal user traffic.
- C (Location 3 - Internal Perimeter): Sees "North-South" traffic (Internal users going out to the internet). It will miss traffic moving strictly between two internal VLANs.
- D (Location 4 - External Perimeter): Sees raw, unfiltered internet traffic. Highly noisy and completely blind to internal activity behind NAT.
Defensive Action
Deploy a dedicated NIDS (like Snort or Zeek) connected to the Core Switch via a hardware TAP or SPAN port. Enable rule categories focused on lateral movement, unusual RPC/SMB connections, and internal port scanning.
Mini Lesson: East-West vs. North-South
North-South: Traffic crossing the perimeter (Client to Internet).
East-West: Traffic moving laterally (Server to Server, Client to Client). Modern attacks rely heavily on East-West movement after the initial breach, making internal IDS placement critical.
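The following script is an added example for this page, not code from the CND material or from any IDS product. It ties together the placement reasoning (which sensor location sees which flows), the North-South/East-West distinction from the mini lesson, and the Defensive Action's lateral-movement and internal-scan rule categories. The addressing plan (10.0.0.0/8 internal, 10.10.0.0/16 workstations, 10.20.0.0/16 servers, 192.0.2.0/24 DMZ), the Zeek-conn-style flow log lines, the port set and the scan threshold are all constructed assumptions; a real deployment would feed Zeek or Snort from the SPAN/TAP port instead of a sample string.

```python
"""Which IDS sensor location sees which flows, and what the Location 1 sensor can
detect. Added example for the CND placement question; the addressing plan, the
flow records and the thresholds below are constructed assumptions."""
import ipaddress
from collections import defaultdict

# --- Constructed addressing assumptions (hypothetical, not from the page) ---
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")        # everything behind the core router
WORKSTATION_NET = ipaddress.ip_network("10.10.0.0/16")   # user endpoints
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")           # public-facing web services
LATERAL_PORTS = {135, 139, 445, 3389, 5985}              # RPC / SMB / RDP / WinRM
SCAN_PORT_THRESHOLD = 5                                  # distinct dst ports per (src, dst)

# Constructed Zeek-conn-style flow records: ts src sport dst dport proto
# Line 1: workstation browsing the internet (North-South)
# Line 2: internet client reaching a DMZ web server
# Line 3: workstation -> internal file server SMB (expected East-West)
# Lines 4-5: workstation -> workstation SMB and RPC (lateral movement)
# Line 6: workstation -> DMZ web server
# Lines 7-11: one workstation probing five ports on one internal server (scan)
SAMPLE_FLOWS = """\
1700000000.1 10.10.5.23 51000 93.184.216.34 443 tcp
1700000000.2 198.51.100.7 40000 192.0.2.10 443 tcp
1700000000.3 10.10.5.23 51001 10.20.1.5 445 tcp
1700000000.4 10.10.5.23 51002 10.10.7.41 445 tcp
1700000000.5 10.10.5.23 51003 10.10.7.41 135 tcp
1700000000.6 10.10.5.23 51004 192.0.2.10 443 tcp
1700000001.0 10.10.5.23 51005 10.20.1.9 22 tcp
1700000001.1 10.10.5.23 51006 10.20.1.9 23 tcp
1700000001.2 10.10.5.23 51007 10.20.1.9 80 tcp
1700000001.3 10.10.5.23 51008 10.20.1.9 443 tcp
1700000001.4 10.10.5.23 51009 10.20.1.9 3389 tcp
"""


def parse_flows(text):
    """Parse the whitespace-separated flow records into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto = line.split()
        flows.append({"ts": float(ts), "src": src, "sport": int(sport),
                      "dst": dst, "dport": int(dport), "proto": proto})
    return flows


def zone(ip):
    """Map an address to the diagram's zones: internal, dmz or external."""
    addr = ipaddress.ip_address(ip)
    if addr in DMZ_NET:
        return "dmz"
    if addr in INTERNAL_NET:
        return "internal"
    return "external"


def is_east_west(flow):
    """East-West = both endpoints on the internal LAN (never crosses the perimeter)."""
    return zone(flow["src"]) == "internal" and zone(flow["dst"]) == "internal"


def visible_at(flow, location):
    """Would a sensor at the given diagram location see this flow?"""
    zones = {zone(flow["src"]), zone(flow["dst"])}
    if location == 1:   # core switch SPAN/TAP: anything touching an internal endpoint
        return "internal" in zones
    if location == 2:   # DMZ switch: anything touching a DMZ host
        return "dmz" in zones
    if location == 3:   # between firewall and core router: internal <-> non-internal only
        return "internal" in zones and len(zones) == 2
    if location == 4:   # outside the firewall: anything touching the internet
        return "external" in zones   # (internal side would already be NATed here)
    raise ValueError(f"unknown sensor location {location}")


def sensor_report(flows):
    """Per location: (flows seen, East-West flows seen)."""
    return {loc: (sum(visible_at(f, loc) for f in flows),
                  sum(visible_at(f, loc) and is_east_west(f) for f in flows))
            for loc in (1, 2, 3, 4)}


def lateral_movement_alerts(flows):
    """Two heuristics from the Defensive Action: workstation-to-workstation use of
    RPC/SMB/RDP/WinRM ports, and one source fanning out across many ports on one host."""
    alerts = []
    ports_by_pair = defaultdict(set)
    for f in flows:
        if not is_east_west(f):
            continue
        src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
        if src in WORKSTATION_NET and dst in WORKSTATION_NET and f["dport"] in LATERAL_PORTS:
            alerts.append(f"workstation-to-workstation {f['dport']}/{f['proto']}: "
                          f"{f['src']} -> {f['dst']}")
        ports_by_pair[(f["src"], f["dst"])].add(f["dport"])
    for (src, dst), ports in sorted(ports_by_pair.items()):
        if len(ports) >= SCAN_PORT_THRESHOLD:
            alerts.append(f"internal port scan: {src} -> {dst} touched {len(ports)} ports")
    return alerts


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for loc, (seen, east_west) in sensor_report(flows).items():
        print(f"Location {loc}: sees {seen} of {len(flows)} flows, {east_west} East-West")
    for alert in lateral_movement_alerts([f for f in flows if visible_at(f, 1)]):
        print("ALERT", alert)
```

Running it shows that Locations 2, 3 and 4 each see a couple of North-South or DMZ flows and zero East-West flows, so the same heuristics produce no alerts there, while the Location 1 sensor sees every internal flow and raises the two workstation-to-workstation alerts and the port-scan alert. The first heuristic deliberately ignores workstation-to-server SMB (line 3), since file-server access is normal; tune the workstation/server ranges and thresholds to the real address plan.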