No offence, but I disagree. IDS should go in between the external border router and the firewall. IDS is most useful when it detects pre-emptive attacks that might not otherwise be seen behind a firewall.

Example: just for argument's sake, let's say you have an NT IIS server that's vulnerable to rain forest puppy's RDS exploit (MS99-78). This web server is sitting in your DMZ behind a firewall. Of course you have port 80 open on the firewall, otherwise no-one would be able to connect to your web server. So we have Joe Badguy running a port scanner against your network, and as a good admin you have all the unnecessary ports blocked at the firewall. But web is of course a necessary port, and the port 80 pings get through. Is your IDS going to detect the ping packets to port 80? If it does, will you be able to discern that it's a scan without seeing the rest of the traffic, because it was blocked by the firewall? Will you know that someone successfully scanned you and now will be trying different exploits against your IIS server?

Now at this point I'm sure your IDS will pick up the malicious intent, but isn't it too late? RDS, UNICODE, ISAPI can all be executed in seconds. While you're looking at the IDS output they're playing open house with your web server. The introduction of NIMDA and CodeRed has changed the rules to the game a bit, but traditionally most attacks are pre-empted by a probe or information gathering scan. To detect this as early as possible and get notification to the user's source IP can go a long way towards preventing future attacks by that user.

Yes, there's a lot of variables involved and I could go on and on about all of them, but I'm just giving my two cents worth. As I saw someone mention, www.sans.org is a great source for security material. www.securityfocus.com isn't a bad place to look either... :)
Good Luck!

Michael John Gilles
Lead Security Engineer, MCSE
Ext. 204
616.901.9720 mobile
[EMAIL PROTECTED]
ITM Technology, LLC.
5940 Tahoe DR. S.E. Suite 110
Grand Rapids, MI 49546
616.464.1361 office
616.464.1362 fax

-----Original Message-----
From: yashpals [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 30, 2001 7:09 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: IDS White Papers/Documents

Hi Mark,

It is always good to put IDS behind the firewall. As the firewall blocks most of the unwanted traffic, if someone manages to bypass the firewall then he/she may be detected by IDS.

enjoy,
yash

[EMAIL PROTECTED] wrote:
> Hi all,
>
> Any help with the following greatly appreciated!
>
> Can anyone point me in the right direction for good white papers/documents on deciding where to locate an IDS on a network?
>
> The background to this is that I want to implement an IDS on a network which has an incoming/outgoing Internet connection for all users. There is currently a firewall protecting this connection, but I want to know whether I should locate the IDS in front of or behind the firewall? Should the IDS be placed in a DMZ or not?
>
> (As you can tell, I am new to all this!)
>
> Regards,
>
> Mark.
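The disagreement in the thread above (IDS outside versus behind the firewall) comes down to what each sensor position gets to see. The following added example, which is not part of the original mailing-list messages, simulates Michael's scenario: a constructed port scan against a DMZ web host mixed with ordinary web traffic, a firewall that only passes port 80, and a simple threshold-based port-scan detector run on the traffic before and after the firewall. The sensor outside the firewall sees the scanner touch many ports and raises an alert; the sensor inside sees only the single port-80 probe, which is indistinguishable from a normal visitor. All addresses, timestamps and the detector thresholds are constructed for the illustration.

```python
"""Added example (not from the original thread): compare what a port-scan
detector sees when placed outside versus behind the firewall."""
from collections import defaultdict

# Constructed traffic: (timestamp_seconds, src_ip, dst_ip, dst_port).
# A scanner walks ten ports on the DMZ web host, one port per second.
SCAN = [(t, "198.51.100.7", "192.0.2.10", port)
        for t, port in enumerate([21, 22, 23, 25, 53, 80, 110, 143, 443, 8080])]
# A legitimate visitor only ever talks to port 80.
NORMAL = [(t, "203.0.113.5", "192.0.2.10", 80) for t in range(0, 30, 3)]
TRAFFIC = sorted(SCAN + NORMAL)

# Constructed firewall policy: only the web port is open to the DMZ host.
ALLOWED_PORTS = {80}


def firewall(packets, allowed=ALLOWED_PORTS):
    """Return the packets the firewall lets through into the DMZ."""
    return [pkt for pkt in packets if pkt[3] in allowed]


def detect_port_scans(packets, threshold=5, window=10):
    """Flag a source that touches at least `threshold` distinct ports on one
    host within `window` seconds (a deliberately simple scan heuristic)."""
    history = defaultdict(list)   # (src, dst) -> list of (time, port)
    alerts = set()
    for t, src, dst, port in packets:
        seen = history[(src, dst)]
        seen.append((t, port))
        recent_ports = {p for ts, p in seen if t - ts <= window}
        if len(recent_ports) >= threshold:
            alerts.add(src)
    return alerts


def compare_placements(packets=TRAFFIC):
    """Run the same detector at both sensor positions."""
    return {
        "outside": detect_port_scans(packets),            # sees raw Internet traffic
        "inside": detect_port_scans(firewall(packets)),   # sees only what the firewall passed
    }


if __name__ == "__main__":
    result = compare_placements()
    print("IDS outside firewall alerts on:", result["outside"] or "nothing")
    print("IDS inside firewall alerts on:", result["inside"] or "nothing")
```

Run as-is, the outside sensor reports the scanner's address while the inside sensor reports nothing, which is exactly the "will you know that someone successfully scanned you" gap the message describes. The detector is a plain distinct-port count rather than the signature matching a real NIDS would perform, so the threshold and window values are tuning choices for this toy and not recommendations.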