An IDS monitors the subnet (network) for any attacks on any machine seating on the same subnet - the word "closer" is misleading...someone might think of a physical "closeness" ... A good IDS should be configured to listen in promiscuous mode (loop back IP address: 127.0.0.1) - any additional protocol should be either removed or disable.
Hope it helps! Mil - << When your dreams turn to dust, vacuum >> -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of William Stackpole Sent: Tuesday, April 23, 2002 8:31 PM To: Jason Pufahl; [EMAIL PROTECTED] Subject: Re: Location of IDS in network Jason, The general run of thumb with IDS is the closer it is to the system you want to protect the more effective it is. If you deploy outside the firewall you will be learning about attacks being launched against your site. If you deploy inside you'll be learning about the attacks that have been successful at reaching the machine you're trying to protect. -- Bill Stackpole, CISSP ----- Original Message ----- From: "Jason Pufahl" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Monday, April 22, 2002 12:48 PM Subject: Location of IDS in network > I am looking for a bit of practical advice. > > My school is implementing an IDS system and has purchased software, but can > only deploy it on the inside or outside of our firewall due to licensing > restrictions. I am trying to make a determination as to what side would be > more helpful for me. > > I was initially thinking I should place it on the outside so that I could > watch for any potential attacks, however I am now thinking that it may be > more useful inside, as I am primarily concerned with what actually gets in. > Placing it inside should also (hopefully) give me less to wade through since > the firewall should stop the majority of intrusion attempts. > > I would find any suggestions helpful. > > Thanks, > Jason > > _______________________________________________ > Firewalls mailing list > [EMAIL PROTECTED] > For Account Management (unsubscribe, get/change password, etc) Please go to: > http://lists.gnac.net/mailman/listinfo/firewalls _______________________________________________ Firewalls mailing list [EMAIL PROTECTED] For Account Management (unsubscribe, get/change password, etc) Please go to: http://lists.gnac.net/mailman/listinfo/firewalls _______________________________________________ Firewalls mailing list [EMAIL PROTECTED] For Account Management (unsubscribe, get/change password, etc) Please go to: http://lists.gnac.net/mailman/listinfo/firewalls
