On Mon, Oct 29, 2001 at 10:01:14AM +0100, [EMAIL PROTECTED] wrote:
> Hi all,
>
> Any help with the following greatly appreciated!
>
> Can anyone point me in the right direction for good white papers/documents on
> deciding where to locate an IDS on a network?
>
> The background to this is that I want to implement an IDS on a network which has an
> incoming/outgoing Internet connection for all users. There is currently a firewall
> protecting this connection, but I want to know whether I should locate the IDS in
> front of or behind the firewall? Should the IDS be placed in a DMZ or not?

IDS placement depends on what you are trying to watch. We have one both inside and outside our firewall, and 'floating' IDS probes to watch specific switched subnets. One advantage of having a probe both inside and outside the firewall is that you can see all the crap that is being thrown at you, and the inside one can show you what is getting through, along with what is (surprisingly at times) leaving your network.

Tim

--
Tim Sailer (at home)              Coastal Internet, Inc.
Network and Systems Operations    PO Box 671
http://www.buoy.com               Ridge, NY 11961
[EMAIL PROTECTED][EMAIL PROTECTED]  (631) 924-3728
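
Added example, not part of the original message: a sketch of how alerts from a probe outside the firewall and a probe inside it can be compared to separate what was stopped, what got through, and what is leaving the network. The alert tuple layout, the internal address range, the 5-second matching window and the absence of NAT between the two probes are all assumptions, and the sample alerts are constructed.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("192.0.2.0/24")  # assumed internal range (constructed)
WINDOW = timedelta(seconds=5)          # assumed clock skew between the probes

# Constructed sample alerts: (time, probe, src, dst, dst_port, signature)
ALERTS = [
    ("2001-10-29 10:00:01", "outside", "198.51.100.7", "192.0.2.10", 80, "web attack"),
    ("2001-10-29 10:00:02", "inside", "198.51.100.7", "192.0.2.10", 80, "web attack"),
    ("2001-10-29 10:00:05", "outside", "198.51.100.9", "192.0.2.20", 111, "portmap probe"),
    ("2001-10-29 10:03:00", "inside", "192.0.2.33", "203.0.113.5", 6667, "IRC session"),
    ("2001-10-29 10:03:01", "outside", "192.0.2.33", "203.0.113.5", 6667, "IRC session"),
]


def parse(rows):
    """Turn the timestamp string of each alert into a datetime."""
    return [(datetime.strptime(r[0], "%Y-%m-%d %H:%M:%S"),) + tuple(r[1:]) for r in rows]


def classify(rows):
    """Return [(flow, verdict)] by comparing what each probe saw."""
    alerts = parse(rows)

    def seen(probe, flow, when):
        # True if the named probe raised the same alert within WINDOW.
        return any(a[1] == probe and a[2:] == flow and abs(a[0] - when) <= WINDOW
                   for a in alerts)

    verdicts = []
    for when, probe, src, dst, port, sig in alerts:
        flow = (src, dst, port, sig)
        if ip_address(src) in INTERNAL:
            # Internal source: report once, from the inside probe.
            if probe == "inside":
                verdicts.append((flow, "leaving network"))
        elif probe == "outside":
            passed = seen("inside", flow, when)
            verdicts.append((flow, "getting through" if passed else "stopped at firewall"))
        elif not seen("outside", flow, when):
            # Inbound alert the outside probe missed; it still got through.
            verdicts.append((flow, "getting through"))
    return verdicts


if __name__ == "__main__":
    for flow, verdict in classify(ALERTS):
        print(verdict, flow)
```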