Firewall Wizards mailing list archives

IDS outside of firewall?


From: Rik Farrow <rik () spirit com>
Date: Wed, 29 Jul 1998 16:33:13 -0700 (MST)

Hi:

I have a question about the use of various IDS systems, including
commercial products, as well as shadow from 
http://www.nswc.navy.mil/ISSEC/CID.

I find that many people put IDS systems outside of their firewalls.
In the case of some .mil and .edu nets, this may not be an option,
as firewalls are either non-existent or packet filters designed to
block packets based on source address.  But for a company to spend
money, time, and personnel on watching the outside of the firewall,
well, I am sure that there are lots of interesting things happening
out there.

As an analogy, I imagine that a network IDS system is like a water
quality analysis instrument, designed to detect any impurities
(well, non-permissible impurities) in tap water.  On the "clean"
side of a water filtration plant, this instrument makes lots of
sense.  But on the other side, say in the Passaic river, the tool
will have lots to report--but not much reason for doing so.  We know
the river is dirty.

If one has the time to watch the outside of the firewall looking for
new and exotic attacks or scans, I suppose having a listening post
on the Internet side of a firewall makes sense.  But for most 
organizations, this sounds like a waste of money.  The only thing
an IDS system will do there is appear very exciting, because it
will detect lots of probes every day.  

OTOH, an IDS inside the firewall, which can pick up unusual events,
for example, traffic that should not have passed through the firewall
or port scanning on the internal network, makes a lot of sense to me.
Please e-mail me the comments about putting IDS outside the firewall, 
and I will post a summary in about a week.

Regards,
Rik Farrow
rik () spirit com
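The post argues that a sensor on the inside of the firewall earns its keep by catching two things: traffic the firewall should have dropped, and port scanning on the internal network. The following is an added example, not code from the post, from Shadow, or from the Firewall Wizards archive. It assumes a constructed perimeter policy (a small allow-list of permitted inbound flows) and constructed flow records as an inside-the-firewall sensor might log them; every address, port and record is made up for the illustration.

```python
"""
Added example (not part of Rik Farrow's post or the Firewall Wizards archive):
a small 'inside the firewall' check of the kind the post describes. It takes
a constructed, hypothetical perimeter policy plus constructed flow records
seen on the internal segment and flags (a) inbound flows the firewall should
have blocked and (b) internal port scanning. All values are made up.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical perimeter policy: the only inbound flows the firewall is meant
# to pass. Any other Internet-to-inside flow seen on the internal segment means
# the firewall let through something it should have dropped.
INTERNAL_NET = ip_network("10.0.0.0/8")            # constructed
ALLOWED_INBOUND = {                                 # (dst host, dst port, proto)
    ("10.0.1.25", 25, "tcp"),                       # mail relay
    ("10.0.1.80", 80, "tcp"),                       # web server
}


@dataclass(frozen=True)
class Flow:
    ts: int          # seconds since some epoch
    src: str
    dst: str
    dport: int
    proto: str


def is_inbound(flow: Flow) -> bool:
    """External source talking to an internal destination."""
    return (ip_address(flow.src) not in INTERNAL_NET
            and ip_address(flow.dst) in INTERNAL_NET)


def firewall_leaks(flows):
    """Inbound flows observed inside that the policy does not permit."""
    return [f for f in flows
            if is_inbound(f) and (f.dst, f.dport, f.proto) not in ALLOWED_INBOUND]


def port_scanners(flows, threshold=10, window=60):
    """Sources touching >= threshold distinct (dst, dport) pairs within a
    sliding window of `window` seconds. Both numbers are arbitrary tuning
    values chosen for this example."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    hits = set()
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        start = 0
        seen = defaultdict(int)   # (dst, dport) -> occurrences inside the window
        for end, f in enumerate(fl):
            seen[(f.dst, f.dport)] += 1
            # Slide the window start forward past records that are too old.
            while fl[end].ts - fl[start].ts > window:
                key = (fl[start].dst, fl[start].dport)
                seen[key] -= 1
                if seen[key] == 0:
                    del seen[key]
                start += 1
            if len(seen) >= threshold:
                hits.add(src)
                break
    return sorted(hits)


# Constructed sample records, as an inside-the-firewall sensor might log them.
SAMPLE = [
    Flow(100, "192.0.2.10", "10.0.1.25", 25, "tcp"),    # permitted mail
    Flow(101, "192.0.2.10", "10.0.1.80", 80, "tcp"),    # permitted web
    Flow(102, "198.51.100.7", "10.0.1.80", 23, "tcp"),  # telnet: policy says no
    Flow(103, "198.51.100.7", "10.0.5.9", 139, "tcp"),  # netbios: policy says no
] + [Flow(200 + i, "10.0.3.44", "10.0.4.1", p, "tcp")   # internal host sweeping ports
     for i, p in enumerate(range(20, 32))]

if __name__ == "__main__":
    for f in firewall_leaks(SAMPLE):
        print("LEAK", f)
    for s in port_scanners(SAMPLE):
        print("SCAN", s)
```

Run against the constructed records, the leak check reports the two inbound flows (telnet and netbios) that the policy does not allow, and the scan check reports the single internal host that touched twelve ports in a few seconds. The same checks run on the outside of the firewall would fire constantly, which is the post's point: inside, each hit is worth a look.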


