Security Basics mailing list archives
RE: IDS question [was: Re: Firewall and DMZ topology]
From: John Brightwell <brightwell_151 () yahoo co uk>
Date: Mon, 16 Jun 2003 16:34:56 +0100 (BST)
I wasn't completely clear in my last e-mail. I was thinking more along the lines of having the IDS in the DMZ. Any attacks that get past the outside firewall to the DMZ hosts would be caught by the IDS in the DMZ. The attacks that don't make it past the external firewall into the DMZ would be much less of a concern. Kind of a "let them knock on the door, but only deal with the ones who try to forcefully enter" line of thinking. Configuring the external IDS to monitor outgoing traffic would let you monitor your own hosts for unusual behavior.
I agree that the most important place to locate an IDS is inside the firewall; however, there can be an advantage in letting an IDS see the traffic before filtering by the firewall - it can be easier for the IDS to recognise attack signatures and you get advance warning of a concerted attack. You have the information in your firewall logs I guess, but I prefer to let an IDS see the whole lot.

Previously I have installed an IDS (snort) outside the firewall which sat there analyzing the attack signatures and which I tried to look at as often as possible (it would send alerts, but I didn't have it set to paranoid mode) - but I had a different IDS (commercial) which monitored the filtered traffic and which was set to alert (send SMS and email with paranoid mode engaged) if it suspected an intrusion.

It's definitely worth monitoring the outbound traffic as that may indicate whether you have trojan software (or a worm) lurking.

Other implementations use a single IDS but with multiple interfaces including external and internal firewall interfaces (or multiple network taps feeding into a hub which is monitored by the IDS).
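The two-sensor layout discussed in this thread (one IDS outside the firewall for early warning, one inside/in the DMZ for what actually got through, plus a watch on outbound traffic) can be checked mechanically by correlating the two sensors' alert logs. The script below is an added illustration, not code from anyone in this thread: it parses Snort "fast" alert lines, reports which events the external firewall let through (seen by both sensors), which it stopped (seen only outside), and which DMZ hosts are initiating outbound connections that tripped a rule. The alert lines and the DMZ address range are constructed for the example; the address ranges are documentation ranges, not real hosts.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed DMZ address range for this example (constructed; substitute your own).
DMZ_NET = ip_network("192.0.2.0/24")

# Snort "fast" alert format:
#   MM/DD-HH:MM:SS.uuuuuu  [**] [gid:sid:rev] message [**] ... {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\]"
    r".*?\{(?P<proto>[A-Z]+)\} "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)


@dataclass(frozen=True)
class Alert:
    sid: int
    msg: str
    proto: str
    src: str
    dst: str

    def key(self):
        """Identity used to match the same event across two sensors."""
        return (self.sid, self.src, self.dst)


def parse_alerts(lines):
    """Parse fast-format alert lines; lines that do not match are skipped."""
    alerts = []
    for line in lines:
        m = ALERT_RE.search(line)
        if m:
            alerts.append(Alert(int(m["sid"]), m["msg"], m["proto"], m["src"], m["dst"]))
    return alerts


def passed_firewall(outside, inside):
    """Events seen by both sensors: the external firewall let these through."""
    inside_keys = {a.key() for a in inside}
    return sorted({a.key() for a in outside if a.key() in inside_keys})


def blocked_by_firewall(outside, inside):
    """Events only the external sensor saw: knocking on the door, but stopped."""
    inside_keys = {a.key() for a in inside}
    return sorted({a.key() for a in outside if a.key() not in inside_keys})


def outbound_from_dmz(inside):
    """DMZ-sensor alerts whose source is a DMZ host talking outward (trojan/worm sign)."""
    return [a for a in inside
            if ip_address(a.src) in DMZ_NET and ip_address(a.dst) not in DMZ_NET]


# Constructed sample alerts: one scan that gets through, two probes the firewall
# drops, and a DMZ host opening an outbound IRC connection.
OUTSIDE_SENSOR = """\
06/16-16:30:01.000001  [**] [1:1001:3] WEB scan probe [**] [Priority: 2] {TCP} 203.0.113.5:40001 -> 192.0.2.10:80
06/16-16:30:02.000002  [**] [1:1002:1] SMB probe [**] [Priority: 2] {TCP} 203.0.113.5:40002 -> 192.0.2.10:445
06/16-16:30:03.000003  [**] [1:1003:2] SSH brute force [**] [Priority: 2] {TCP} 198.51.100.7:40003 -> 192.0.2.20:22
""".splitlines()

DMZ_SENSOR = """\
06/16-16:30:01.000900  [**] [1:1001:3] WEB scan probe [**] [Priority: 2] {TCP} 203.0.113.5:40001 -> 192.0.2.10:80
06/16-16:31:10.000004  [**] [1:2001:1] Outbound IRC connection [**] [Priority: 1] {TCP} 192.0.2.10:51234 -> 198.51.100.99:6667
""".splitlines()


def report(outside_lines, inside_lines):
    """Correlate the two sensors and return the three findings as a dict."""
    outside = parse_alerts(outside_lines)
    inside = parse_alerts(inside_lines)
    return {
        "passed": passed_firewall(outside, inside),
        "blocked": blocked_by_firewall(outside, inside),
        "outbound": [(a.sid, a.src, a.dst, a.msg) for a in outbound_from_dmz(inside)],
    }


if __name__ == "__main__":
    for name, rows in report(OUTSIDE_SENSOR, DMZ_SENSOR).items():
        print(name)
        for row in rows:
            print("   ", row)
```

Matching on (sid, src, dst) is deliberately coarse: it tolerates the small timestamp skew between sensors but will merge repeated probes from one source into a single entry. Add the source port or a time window to the key if you need per-connection granularity.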
Current thread:
- RE: IDS question [was: Re: Firewall and DMZ topology] Mann, Bobby (Jun 12)
- RE: IDS question [was: Re: Firewall and DMZ topology] Steve Bremer (Jun 12)
- <Possible follow-ups>
- Re: IDS question [was: Re: Firewall and DMZ topology] Chris Berry (Jun 12)
- RE: IDS question [was: Re: Firewall and DMZ topology] John Brightwell (Jun 16)