RE: Placement of IDS [7:48420]

2002-07-11 Thread Ken Diliberto

Having run an IDS on the outside of our firewall with a busy network,
I'm confident in saying you don't want it out there.  Let the firewall
block the simple attacks and have the IDS tell you about those that
aren't so simple.  Firewall logs will give you a good idea of what's
being blocked.  You don't need this information a second time.  I
understand there are things the IDS would give a different perspective
on, but unless you have a person dedicated to the administration and
monitoring of the IDS, all the alerts would become useless as the system
would be ignored.

>>> "Tim O'Brien"  07/11/02 09:22AM >>>
If you are going to look at it that way you should run host based IDS on the
servers you are protecting from your inside clients and run your IDS sensor
between your edge router and firewall to see what is happening outside.

Tim
CCIE 9015

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of sam sneed
Sent: Thursday, July 11, 2002 11:41 AM
To: [EMAIL PROTECTED] 
Subject: Re: Placement of IDS [7:48420]


I wouldn't want to put it in both places. If I did I'd have to deal with
false positives twice. With all the other responsibilities I have it would
take up too much of my time. I do trust my firewall so I think I'll keep it
inside.


""Brad Nixon""  wrote in message
news:[EMAIL PROTECTED]...
> The easy answer to your question is "It depends". Do you trust your
> firewall? Do you trust your internal users? The best solution would be to
> have an IDS on each side of your firewall. That way you could detect both
> external and internal threats.
>
> --
> Brad A. Nixon
> CCNP, CCDA, MCP, CCSA
> "Nothing is fool proof to a sufficiently talented fool."




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=48622&t=48420
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: Placement of IDS [7:48420]

2002-07-11 Thread Tim O'Brien

If you are going to look at it that way you should run host based IDS on the
servers you are protecting from your inside clients and run your IDS sensor
between your edge router and firewall to see what is happening outside.

Tim
CCIE 9015

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of sam sneed
Sent: Thursday, July 11, 2002 11:41 AM
To: [EMAIL PROTECTED]
Subject: Re: Placement of IDS [7:48420]


I wouldn't want to put it in both places. If I did I'd have to deal with
false positives twice. With all the other responsibilities I have it would
take up too much of my time. I do trust my firewall so I think I'll keep it
inside.


""Brad Nixon""  wrote in message
news:[EMAIL PROTECTED]...
> The easy answer to your question is "It depends". Do you trust your
> firewall? Do you trust your internal users? The best solution would be to
> have an IDS on each side of your firewall. That way you could detect both
> external and internal threats.
>
> --
> Brad A. Nixon
> CCNP, CCDA, MCP, CCSA
> "Nothing is fool proof to a sufficiently talented fool."




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=48601&t=48420



Re: Placement of IDS [7:48420]

2002-07-11 Thread sam sneed

I wouldn't want to put it in both places. If I did I'd have to deal with
false positives twice. With all the other responsibilities I have it would
take up too much of my time. I do trust my firewall so I think I'll keep it
inside.


""Brad Nixon""  wrote in message
news:[EMAIL PROTECTED]...
> The easy answer to your question is "It depends". Do you trust your
> firewall? Do you trust your internal users? The best solution would be to
> have an IDS on each side of your firewall. That way you could detect both
> external and internal threats.
>
> --
> Brad A. Nixon
> CCNP, CCDA, MCP, CCSA
> "Nothing is fool proof to a sufficiently talented fool."




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=48596&t=48420



Re: Placement of IDS [7:48420]

2002-07-11 Thread Brad Nixon

The easy answer to your question is "It depends". Do you trust your
firewall? Do you trust your internal users? The best solution would be to
have an IDS on each side of your firewall. That way you could detect both
external and internal threats.

--
Brad A. Nixon
CCNP, CCDA, MCP, CCSA
"Nothing is fool proof to a sufficiently talented fool."




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=48581&t=48420



RE: Placement of IDS [7:48420]

2002-07-09 Thread Jim Brown

Most security breaches are by employees.

With that out of the way, I would place the IDS engine in front of the
firewall to catch attacks against devices in the DMZ. In a small trusting
environment, your employees are probably not your biggest threat.


-Original Message-
From: sam sneed [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, July 09, 2002 12:20 PM
To: [EMAIL PROTECTED]
Subject: Placement of IDS [7:48420]


I was contemplating on where I should put my IDS. I have a simple network
with only one Internet connection to my ISP. It is firewalled with an
internal network that does not allow any incoming connections via firewall
and a DMZ which has web, DNS, and email server. My question is should I put
the IDS behind or in front of my firewall? What are most of you doing?
I realize if it is behind the FW I will not be able to detect a lot of
possible security breaches, such as users trying to rsh or telnet into my
servers since this is blocked by FW. Should I care that people are trying to
get in or attack if the firewall is already blocking it?
The IDS could easily handle the traffic since it's only at the 1MB-2MB range.

sam sneed




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=48432&t=48420



Re: Placement of IDS [7:48420]

2002-07-09 Thread Ken Diliberto

My preference is to keep IDS on the inside of the firewall.  The stuff
blocked by the firewall will be in the firewall logs (well, maybe).  IDS
can be very annoying, so much that you ignore it.

I'd say that's my $0.02, but after taxes, it's not even worth that. :-)

>>> "sam sneed"  07/09/02 11:20AM >>>
I was contemplating on where I should put my IDS. I have a simple network
with only one Internet connection to my ISP. It is firewalled with an
internal network that does not allow any incoming connections via firewall
and a DMZ which has web, DNS, and email server. My question is should I put
the IDS behind or in front of my firewall? What are most of you doing?
I realize if it is behind the FW I will not be able to detect a lot of
possible security breaches, such as users trying to rsh or telnet into my
servers since this is blocked by FW. Should I care that people are trying to
get in or attack if the firewall is already blocking it?
The IDS could easily handle the traffic since it's only at the 1MB-2MB range.

sam sneed




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=48442&t=48420