At 17:16 -0700 24/4/02, Chris Kirschke wrote:
>I'll agree with most of the veterans here who like their sleep:-) 
>Place it inside...

I particularly like how information security architecture is being 
determined by the personal needs of the staff... *dozes off* ;)

Seriously, at the risk of being little more than a "me too" posting, 
the internal network is the *only* logical location for a single IDS 
sensor -- by definition.

Wherever you put an IDS sensor, it'll report on whatever traffic it's 
seeing. But the aim of the intrusion detection system is to detect 
intruders. By definition, intruders are inside your network, and 
that's where you need to be looking. If they're not inside, they're 
not intruders!

Conversely, if you put the IDS sensor outside on the public network, 
well, it'll certainly pick up "nasty traffic" and issue alerts. But 
what do those alerts mean in terms of your actual mission: protecting 
your internal network? Nothing. At least not by themselves. It only 
tells you what's going on outside, and by definition that's not your 
responsibility -- unless of course you've decided to take on the role 
of policing the entire Internet!

Now you may have other reasons for deploying an IDS sensor other than 
verifying that your internal network is intruder-free. Perhaps you 
want to educate yourself about the kinds of traffic on the Internet. 
Perhaps you want to predict the onset of an attack by reading the 
subtle signs -- and there's been some interesting work in that field.

     http://www.incidents.org/isw/iswp.php

Or perhaps you're participating in one of the "distributed intrusion 
detection systems". If multiple locations on the internet are picking 
up suspicious traffic from a particular machine, then something's 
afoot!

     http://www.dshield.org/
     http://aris.securityfocus.com/

And of course if you have more than one sensor, there are options 
like comparing the traffic inside and outside your firewall and 
actually auditing what the firewall is doing.

But... If you have just one sensor, if your aim is to detect 
intruders, then that single sensor must be inside your network.

Stil


-- 
: Stilgherrian, Director of Operations, prussia.net
: Internet infrastructure services focussing on the essentials
: http://www.prussia.net/
: ARBN BN97858688, ABN 15 148 757 893
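The two-sensor firewall audit mentioned in the post (comparing what is seen outside and inside the firewall) can be made concrete. The following is an added example, not code from the original message or from prussia.net: it diffs the flow records of a sensor on the public side against a sensor on the internal side and checks the flows that crossed against the intended rule set. The log format, the addresses, the ports and the policy table are all constructed for the illustration.

```python
"""Audit a firewall by diffing the flows two IDS sensors saw.

Sensor A sits on the public side of the firewall, sensor B on the
internal side.  A flow present in both logs crossed the firewall;
comparing that set against the intended rule set shows what the
firewall is really doing.  Assumes no NAT between the two sensors,
otherwise the tuples must be matched on their translated fields.
All addresses, ports, log lines and the policy below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sensor output: "proto src:sport > dst:dport", one flow per line.
OUTSIDE_LOG = """\
tcp 198.51.100.7:51234 > 192.0.2.10:80
tcp 198.51.100.7:51235 > 192.0.2.10:443
tcp 198.51.100.8:51236 > 192.0.2.10:80
tcp 203.0.113.9:40000 > 192.0.2.10:22
tcp 203.0.113.9:40001 > 192.0.2.20:3389
udp 203.0.113.9:40002 > 192.0.2.10:53
"""

INSIDE_LOG = """\
tcp 198.51.100.7:51234 > 192.0.2.10:80
tcp 198.51.100.7:51235 > 192.0.2.10:443
tcp 203.0.113.9:40001 > 192.0.2.20:3389
tcp 192.0.2.33:55000 > 192.0.2.10:22
"""

# Constructed policy: (proto, dst, dport) triples the firewall should admit
# from the public side; everything else inbound is meant to be dropped.
ALLOWED = {("tcp", "192.0.2.10", 80), ("tcp", "192.0.2.10", 443)}


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_flows(text: str) -> set[Flow]:
    """Parse the constructed one-flow-per-line sensor format into a set."""
    flows: set[Flow] = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        proto, src, _, dst = line.split()
        s_ip, s_port = src.rsplit(":", 1)
        d_ip, d_port = dst.rsplit(":", 1)
        flows.add(Flow(proto, s_ip, int(s_port), d_ip, int(d_port)))
    return flows


def permitted(flow: Flow) -> bool:
    """True if the rule set says this inbound flow should pass."""
    return (flow.proto, flow.dst, flow.dport) in ALLOWED


def audit(outside: set[Flow], inside: set[Flow]) -> dict[str, set[Flow]]:
    """Classify flows by comparing the two sensors' views."""
    crossed = outside & inside
    return {
        # Crossed the firewall although policy says it should have been dropped.
        "leaked": {f for f in crossed if not permitted(f)},
        # Policy allows it, but it never appeared inside: blocked or lost.
        "unexpectedly_blocked": {f for f in outside - inside if permitted(f)},
        # Seen inside only: internal origin, or a path that bypasses the firewall.
        "inside_only": inside - outside,
    }


def run_audit() -> dict[str, set[Flow]]:
    return audit(parse_flows(OUTSIDE_LOG), parse_flows(INSIDE_LOG))


if __name__ == "__main__":
    for category, flows in run_audit().items():
        print(f"{category}:")
        for f in sorted(flows, key=lambda x: (x.src, x.sport)):
            print(f"  {f.proto} {f.src}:{f.sport} > {f.dst}:{f.dport}")
```

The "leaked" bucket is the firewall audit proper; the "inside_only" bucket is the case the post is really about, traffic that exists on the internal network without ever having been seen at the perimeter, which a single outside sensor could never report.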
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
For Account Management (unsubscribe, get/change password, etc) Please go to:
http://lists.gnac.net/mailman/listinfo/firewalls