My preference is to keep IDS on the inside of the firewall. The stuff blocked by the firewall will be in the firewall logs (well, maybe). IDS can be very annoying, so much that you ignore it.
I'd say that's my $0.02, but after taxes, it's not even worth that. :-)

>>> "sam sneed" 07/09/02 11:20AM >>>

I was contemplating where I should put my IDS. I have a simple network with only one Internet connection to my ISP. It is firewalled with an internal network that does not allow any incoming connections via firewall and a DMZ which has web, DNS, and email server.

My question is should I put the IDS behind or in front of my firewall? What are most of you doing? I realize if it is behind the FW I will not be able to detect a lot of possible security breaches, such as users trying to rsh or telnet into my servers since this is blocked by FW. Should I care that people are trying to get in or attack if the firewall is already blocking it? The IDS could easily handle the traffic since it's only at the 1MB-2MB range.

sam sneed

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=48442&t=48420

