On the mark. But I would like to add that not trusting users connected to the internal network is a good thing.
A sensor in the server farm IP segment is not a bad idea; it will tell you which user tries to find out about possible open ports, TCP-fingerprints you for information, etc. Yes, it depends, and in my org. it would be 3 sensors (before the FW, after the FW and in the server IP range). And I haven't covered user-to-user hacking and recon activity in this setup... how paranoid can you get.

Bye
Dirk Cornelis, Security Officer
General Services & Investments
Information Systems
Berkenlaan 7
B-1831 Diegem - Belgium
E-Mail: [EMAIL PROTECTED]
Tel: +32 (02) 600 64 00
Fax: +32 (02) 600 64 01
Web: http://www.deloitte.be

-----Original Message-----
From: Golden_Eternity [mailto:[EMAIL PROTECTED]]
Sent: Tuesday 30 October 2001 1:45
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: IDS White Papers/Documents

> The background to this is that I want to implement an IDS on a
> network which has an incoming/outgoing Internet connection for
> all users. There is currently a firewall protecting this
> connection, but I want to know whether I should locate the IDS in
> front of or behind the firewall? Should the IDS be placed in a DMZ or not?

I'm not a white paper, but the authoritative answer to your question is: it depends. There are reasons to put your IDS in any or all of these locations. If you want to see all the attacks coming at your network, then put it in front of the firewall. If you want to know what's getting through (good to know) and if there's any nasty business going on across your LAN, then put it behind the firewall. So you need to decide what it is you're watching for; that'll tell you where to put it.
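Worked example of the three-sensor layout discussed in the thread above (a sensor in front of the firewall, one behind it, one on the server segment). This is added illustration, not code from either poster: it correlates alerts from the three sensors to answer the two questions raised, what got through the firewall and which internal host is doing recon against the servers. The sensor names, the alert format, the address ranges and the alert lines are all constructed for the example; a real deployment would feed it the alert log of whatever IDS is in use, and the example assumes no NAT between sensors so the same source/destination pair is visible at every sensor.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample alerts from three hypothetical sensors:
#   "outside"    - in front of the firewall (sees every attack aimed at the network)
#   "inside"     - behind the firewall (sees only what the firewall let through)
#   "serverfarm" - on the server IP segment (sees traffic reaching the servers,
#                  including recon from internal users)
# Field order: sensor, timestamp, source IP, destination IP, signature name.
SAMPLE_ALERTS = """\
outside,2001-10-30T01:40:01,203.0.113.7,192.0.2.10,SCAN nmap TCP
inside,2001-10-30T01:40:02,203.0.113.7,192.0.2.10,SCAN nmap TCP
outside,2001-10-30T01:41:15,198.51.100.9,192.0.2.25,WEB-IIS cmd.exe access
outside,2001-10-30T01:42:30,198.51.100.9,192.0.2.25,WEB-IIS unicode directory traversal
inside,2001-10-30T01:42:31,198.51.100.9,192.0.2.25,WEB-IIS unicode directory traversal
serverfarm,2001-10-30T01:42:31,198.51.100.9,192.0.2.25,WEB-IIS unicode directory traversal
serverfarm,2001-10-30T02:05:44,10.1.20.55,192.0.2.25,SCAN nmap TCP
serverfarm,2001-10-30T02:05:50,10.1.20.55,192.0.2.26,SCAN nmap fingerprint attempt
"""

# Assumed address plan for the example: user LAN in 10.0.0.0/8, servers in 192.0.2.0/24.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
SERVER_NET = ipaddress.ip_network("192.0.2.0/24")


def parse_alerts(text):
    """Turn the CSV-style alert lines into a list of dicts; blank lines are skipped."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        sensor, ts, src, dst, sig = line.split(",", 4)
        alerts.append({"sensor": sensor, "ts": ts, "src": src, "dst": dst, "sig": sig})
    return alerts


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def correlate(alerts):
    """Group alerts by (src, dst, signature) and classify each event by which sensors saw it.

    blocked        - seen in front of the firewall only: the firewall stopped it
    passed         - seen in front of the firewall AND behind it or on the server segment
    internal_recon - never seen outside, source on the user LAN, destination a server:
                     an internal user probing the server farm
    """
    seen = defaultdict(set)
    for a in alerts:
        seen[(a["src"], a["dst"], a["sig"])].add(a["sensor"])

    result = {"blocked": set(), "passed": set(), "internal_recon": set()}
    for key, sensors in seen.items():
        src, dst, _ = key
        if "outside" in sensors:
            if sensors & {"inside", "serverfarm"}:
                result["passed"].add(key)
            else:
                result["blocked"].add(key)
        elif is_internal(src) and ipaddress.ip_address(dst) in SERVER_NET:
            result["internal_recon"].add(key)
    return result


def internal_sources(result):
    """Count recon events per internal source host: the 'which user' answer."""
    return dict(Counter(src for src, _, _ in result["internal_recon"]))


if __name__ == "__main__":
    r = correlate(parse_alerts(SAMPLE_ALERTS))
    for label in ("blocked", "passed", "internal_recon"):
        print(label)
        for src, dst, sig in sorted(r[label]):
            print(f"  {src} -> {dst}: {sig}")
    print("internal recon sources:", internal_sources(r))
```

Note the dependency on placement: without the "outside" sensor the blocked set is empty and you never learn what the firewall is absorbing; without the "serverfarm" sensor the two internal scans of 192.0.2.25 and .26 never appear at all, because they never cross the firewall. The correlation key is deliberately coarse (source, destination, signature) so that a small clock skew between sensors does not split one event into two.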
