Jason, No doubt other, more experienced practitioners on this list will offer good advice. You have identified the primary pros and cons of IDS placement. Outside the firewall will give you lots of information about things that (hopefully) don�t impact your network, since they will be blocked by your firewall. If you enjoy wading through lots of stuff, and have the time (most of us don�t!), then place it outside the firewall. On the other hand, if you are interested in catching the stuff that gets through the firewall (and also verifying that the firewall is really doing its job), then place the IDS on the inside (highly recommended). An added benefit is that you might even catch some of your internal users who are abusing the network.
Recommendation: if you only have one sensor, put it inside the firewall. Randy > > From: Jason Pufahl <[EMAIL PROTECTED]> > Date: 2002/04/22 Mon PM 02:48:41 CDT > To: [EMAIL PROTECTED] > Subject: Location of IDS in network > > I am looking for a bit of practical advice. > > My school is implementing an IDS system and has purchased software, but can > only deploy it on the inside or outside of our firewall due to licensing > restrictions. I am trying to make a determination as to what side would be > more helpful for me. > > I was initially thinking I should place it on the outside so that I could > watch for any potential attacks, however I am now thinking that it may be > more useful inside, as I am primarily concerned with what actually gets in. > Placing it inside should also (hopefully) give me less to wade through since > the firewall should stop the majority of intrusion attempts. > > I would find any suggestions helpful. > > Thanks, > Jason > > _______________________________________________ > Firewalls mailing list > [EMAIL PROTECTED] > For Account Management (unsubscribe, get/change password, etc) Please go to: > http://lists.gnac.net/mailman/listinfo/firewalls > _______________________________________________ Firewalls mailing list [EMAIL PROTECTED] For Account Management (unsubscribe, get/change password, etc) Please go to: http://lists.gnac.net/mailman/listinfo/firewalls
