Most security breaches are by employees. With that out of the way, I would place the IDS engine in front of the firewall to catch attacks against devices in the DMZ. In a small trusting environment, your employees are probably not your biggest threat.
-----Original Message-----
From: sam sneed [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 09, 2002 12:20 PM
To: [EMAIL PROTECTED]
Subject: Placement of IDS [7:48420]

I was contemplating where I should put my IDS. I have a simple network with only one Internet connection to my ISP. It is firewalled with an internal network that does not allow any incoming connections via the firewall and a DMZ which has web, DNS, and email servers. My question is: should I put the IDS behind or in front of my firewall? What are most of you doing? I realize if it is behind the FW I will not be able to detect a lot of possible security breaches, such as users trying to rsh or telnet into my servers, since this is blocked by the FW. Should I care that people are trying to get in or attack if the firewall is already blocking it? The IDS could easily handle the traffic since it's only in the 1MB-2MB range.

sam sneed

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=48432&t=48420
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
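To make the trade-off in the thread concrete, here is an added toy model (not code from either poster) that pushes a handful of constructed inbound flows through a simplified firewall policy and reports what a signature IDS would alert on from each of the two sensor positions. The addresses, the DMZ host list, the exposed services and the five signatures are all assumptions chosen to match the network described in the question; the point is only to show which alerts an outside sensor sees that an inside (DMZ-side) sensor never can, and which ones both see.

```python
"""Toy model of IDS placement: outside vs. inside the firewall.

Assumptions (not the poster's real configuration): the internal LAN accepts
nothing inbound, the DMZ exposes only web, mail and DNS. An 'outside' sensor
sits between the ISP link and the firewall and sees every inbound flow; an
'inside' sensor sits on the DMZ segment and sees only what the firewall passes.
"""
import ipaddress
from dataclasses import dataclass

INTERNAL = ipaddress.ip_network("10.0.0.0/24")   # assumed internal LAN
DMZ = ipaddress.ip_network("192.0.2.0/24")       # assumed DMZ (TEST-NET-1)

# Assumed DMZ hosts and the single service the firewall publishes for each.
DMZ_SERVICES = {
    ipaddress.ip_address("192.0.2.10"): {("tcp", 80)},               # web
    ipaddress.ip_address("192.0.2.20"): {("tcp", 53), ("udp", 53)},  # DNS
    ipaddress.ip_address("192.0.2.30"): {("tcp", 25)},               # mail
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes = b""


def firewall_permits(flow: Flow) -> bool:
    """Inbound policy: LAN never, DMZ only on its published services."""
    dst = ipaddress.ip_address(flow.dst)
    if dst in INTERNAL:
        return False
    if dst in DMZ:
        return (flow.proto, flow.dport) in DMZ_SERVICES.get(dst, set())
    return False


# Minimal signature set: (name, proto, dport, payload substring or None).
# A None substring means "alert on any flow to that port".
RULES = [
    ("TELNET login attempt", "tcp", 23, None),
    ("RSH service probe", "tcp", 514, None),
    ("SSH probe", "tcp", 22, None),
    ("WEB-CGI phf access", "tcp", 80, b"/cgi-bin/phf"),
    ("SMTP VRFY user enumeration", "tcp", 25, b"VRFY "),
]


def ids_alerts(flows):
    """Run every flow through every rule; return (rule name, dst) pairs."""
    alerts = []
    for f in flows:
        for name, proto, dport, needle in RULES:
            if f.proto != proto or f.dport != dport:
                continue
            if needle is not None and needle not in f.payload:
                continue
            alerts.append((name, f.dst))
    return alerts


def alerts_by_placement(flows):
    """Outside sensor sees all flows; inside sensor sees only permitted ones."""
    outside = ids_alerts(flows)
    inside = ids_alerts([f for f in flows if firewall_permits(f)])
    return {"outside": outside, "inside": inside}


# Constructed sample traffic from one external address (203.0.113.5).
SAMPLE_FLOWS = [
    Flow("203.0.113.5", "192.0.2.10", "tcp", 23),                   # telnet to web box: blocked
    Flow("203.0.113.5", "192.0.2.30", "tcp", 514),                  # rsh to mail box: blocked
    Flow("203.0.113.5", "10.0.0.7", "tcp", 22),                     # ssh to LAN host: blocked
    Flow("203.0.113.5", "192.0.2.10", "tcp", 80,
         b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n"),                # allowed, alerts
    Flow("203.0.113.5", "192.0.2.10", "tcp", 80,
         b"GET /index.html HTTP/1.0\r\n"),                          # allowed, benign
    Flow("203.0.113.5", "192.0.2.30", "tcp", 25, b"VRFY root\r\n"), # allowed, alerts
    Flow("203.0.113.5", "192.0.2.20", "udp", 53, b"\x12\x34\x01\x00"),  # allowed, benign
]

if __name__ == "__main__":
    for placement, alerts in alerts_by_placement(SAMPLE_FLOWS).items():
        print(f"{placement}: {len(alerts)} alert(s)")
        for name, dst in alerts:
            print(f"  {name} -> {dst}")
```

With these sample flows the outside sensor raises five alerts and the inside sensor two: the telnet, rsh and SSH probes never reach the DMZ segment, so an inside-only sensor shows no trace of that reconnaissance, while the phf request and the SMTP VRFY both pass the firewall because they ride on published ports and are seen from either position. That is the practical shape of the question in the thread: outside placement buys visibility into what is being attempted at the cost of alert volume the firewall was already absorbing; inside placement buys a quieter feed where every alert concerns traffic that actually arrived at a host.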