> -----Original Message-----
> From: Jason Pufahl [mailto:[EMAIL PROTECTED]]
> Sent: Monday, April 22, 2002 3:49 PM
> To: [EMAIL PROTECTED]
> Subject: Location of IDS in network
>
>
> I am looking for a bit of practical advice.
> [snip]

I choose to answer your question about IDS location by posting in full a message Ron DuFresne posted to this list in November 2001. I saved this message because it gives an easily understood explanation for placing the IDS inside or outside. Oh, and I find it rather humorous (I'm easily amused). Reading this should give you your answer (hint - the answer is "place it inside"):

--------
There are two methods common for IDS, one setup places the IDS in front of the firewall so folks can get those 3AM wakeup calls and notifications and thus not fall too deeply into REM sleep for long periods, call this method the self-deprivation method if you will. That IDS system will be sucking up packets and seeing all sorts of nasty bits hitting the external interface and clanging out warnings upon warnings on end, most of the information passing this IDS setup will be of dubious use, though some will argue that such an IDS placement is good for telling them what kind of nasty traffic is out there and banging at their doorstep, yet, the good firewall/security admin already has a good clue in this area and knows better.

The second admin knows that what has passed the firewall checks and balances is of more import and use in determining if the firewall setup is sufficient for the job it was designed to do, and they will be clued into the fact that at least 70% of the nasty traffic they are dealing with originates internally. These folks place the IDS system behind the firewall, so it tries to catch what might well pass that system and attempt to cause havoc internally, at the same time, this IDS system can see what the userbase behind the firewall might be trying to pass outside to raise hell on the internet public at large. These are admins more keen on getting some of that REM sleep, and not into false positives interrupting their days as well as nights and weekends.

The companies they work for have an internal response team that is adept at dealing with the internal noise that such an IDS system will be alerting to, and have a good policy established to define the firewall rules in place and will seldom hear a peep, if at all, from the IDS about something nasty passing from the external past the firewall to the soft chewy center of their networks. If REM sleep is not important to you, then by all means use the first scenario.

Thanks,

Ron DuFresne
--------

Randy Graham
--
The Internet? Bah! Is that thing still around? -- Homer Simpson
http://www.securitynewbie.com/ - for people like me

> My school is implementing an IDS system and has purchased software, but can
> only deploy it on the inside or outside of our firewall due to licensing
> restrictions. I am trying to make a determination as to what side would be
> more helpful for me.
>
> I was initially thinking I should place it on the outside so that I could
> watch for any potential attacks, however I am now thinking that it may be
> more useful inside, as I am primarily concerned with what actually gets in.
> Placing it inside should also (hopefully) give me less to wade through since
> the firewall should stop the majority of intrusion attempts.
>
> I would find any suggestions helpful.
>
> Thanks,
> Jason
>
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> For Account Management (unsubscribe, get/change password, etc) Please go to:
> http://lists.gnac.net/mailman/listinfo/firewalls
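The trade-off Ron describes, as an added illustration that is not part of the original thread: a small model of which flows each sensor placement can observe, given a constructed firewall policy and constructed sample traffic (the address ranges, ports and rules are all assumptions made for the example).

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed addressing and policy (not from the thread): 10.0.0.0/8 is inside, the
# firewall admits inbound only to the web server and lets workstations out on a few ports.
INTERNAL = ip_network("10.0.0.0/8")
ALLOWED_INBOUND = {("10.0.0.80", 80), ("10.0.0.80", 443)}
ALLOWED_EGRESS_PORTS = {53, 80, 443}
Flow = namedtuple("Flow", "src dst dport note")  # one connection attempt

def is_internal(addr):
    return ip_address(addr) in INTERNAL

def firewall_permits(f):
    if is_internal(f.src) and not is_internal(f.dst):
        return f.dport in ALLOWED_EGRESS_PORTS
    if not is_internal(f.src) and is_internal(f.dst):
        return (f.dst, f.dport) in ALLOWED_INBOUND
    return False  # never crosses the firewall, so neither sensor sees it

def sensor_view(flows, inside):
    """A sensor sees everything arriving from its own side of the firewall
    (unfiltered) plus whatever the firewall passes through from the far side."""
    seen = []
    for f in flows:
        inbound = not is_internal(f.src) and is_internal(f.dst)
        outbound = is_internal(f.src) and not is_internal(f.dst)
        own_side = outbound if inside else inbound
        if own_side or firewall_permits(f):
            seen.append(f)
    return seen

def exclusive_to(flows, inside):
    """Notes of the flows only this placement would ever alert on."""
    other = set(sensor_view(flows, not inside))
    return sorted(f.note for f in sensor_view(flows, inside) if f not in other)

SAMPLE_FLOWS = [  # constructed sample traffic; outside hosts use documentation ranges
    Flow("203.0.113.5", "10.0.0.80", 80, "web request"),
    Flow("198.51.100.7", "10.0.0.12", 445, "smb probe"),
    Flow("198.51.100.7", "10.0.0.12", 23, "telnet probe"),
    Flow("198.51.100.8", "10.0.0.80", 22, "ssh probe"),
    Flow("10.0.0.33", "192.0.2.44", 443, "outbound https"),
    Flow("10.0.0.33", "192.0.2.44", 6667, "outbound irc from workstation"),
    Flow("10.0.0.51", "192.0.2.45", 25, "direct smtp from workstation"),
    Flow("10.0.0.51", "10.0.0.12", 445, "internal to internal"),
]
```

On this sample the outside sensor is the only one that sees the probes the firewall drops anyway, while the inside sensor is the only one that sees workstations attempting connections the egress policy blocks, which is the traffic Ron's second admin cares about.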
