Firewall Wizards mailing list archives

Re: IDS outside of firewall?


From: Jennifer Galvin <jgalvin () digex net>
Date: Mon, 3 Aug 1998 15:20:17 -0400 (EDT)


This is true, but then, regardless of what is on the outside, wouldn't you
still want something on the inside, as well?  Not to mention my analogy
earlier, of the machine that goes PING.... Identifying attacks is useful,
however, unless you have someone wading through the log files and making
calls to ISPs so that accounts can be shut down and such, what good is
just a record of someone trying to break into your firewall, from the
OUTSIDE, when it actually happens?  Sure, you have some good ideas, but
what traffic eventually got through the firewall, and how do you know what
data left?  If the outside IDS is still a good idea, wouldn't an internal
one, in addition, be a better one?


Are there advantages to putting an IDS on the outside of the firewall?

As you mentioned, so you can log stuff that the firewall doesn't
(perhaps bug...perhaps doesn't think it's suspicious...)

And also so you can identify particular attacks, rather than
connection attempts.  Since the firewall most likely won't (you hope)
allow the handshake to even complete, you'll see relatively few
"attacks"... they won't be able to handshake enough to get
an attack signature... but you might see a few.

Say... single packet stuff.. like malformed DNS queries or answers,
SNMP packets.... Stuff that an IDS will log as "attempted DNS
blow-your-stack attacks" whereas the firewall might say
"dropped UDP port 53."

                         Ryan
----------------------
Jennifer Galvin  
Digex Firewall Support Engineer
jgalvin () digex net
(301) 847-7179 
Digex is an Intermedia Communications Company
----------------------
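The distinction Ryan draws between "dropped UDP port 53" and "attempted DNS blow-your-stack attack" comes down to what each device can see: a packet filter logs headers, a sensor that parses the payload can say why a single datagram is wrong. The following is an added example, not code from the original post or from Digex; it constructs a few DNS datagrams (all addresses and packets are made up) and shows the two kinds of log line side by side. The header-sanity checks it applies (label length at most 63, a query carrying exactly one question, no answer records in a query) follow RFC 1035; everything else, including the function names, is an assumption for illustration.

```python
"""Added example, not from the original post: contrast a packet filter's
record of a dropped UDP/53 datagram with what a payload-inspecting sensor
can say about the same datagram. All addresses and packets are constructed."""
import struct

DNS_HEADER_LEN = 12  # id, flags, qdcount, ancount, nscount, arcount (six 16-bit fields)


def firewall_log(src: str, dst: str, dport: int, proto: str = "UDP") -> str:
    """A packet filter sees only headers: this is all it can log."""
    return f"dropped {proto} {src} -> {dst} port {dport}"


def _walk_name(payload: bytes, off: int) -> int:
    """Advance past one DNS name starting at off; raise on malformed labels."""
    while True:
        if off >= len(payload):
            raise ValueError("name runs past end of datagram")
        length = payload[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer: 2 bytes, ends the name
            return off + 2
        if length > 63:                    # RFC 1035: a label is at most 63 octets
            raise ValueError(f"label length {length} exceeds 63")
        off += 1 + length


def inspect_dns(payload: bytes) -> list:
    """Return anomaly descriptions for a single DNS datagram (empty list = sane)."""
    findings = []
    if len(payload) < DNS_HEADER_LEN:
        return ["truncated DNS header"]
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:DNS_HEADER_LEN])
    is_query = (flags >> 15) == 0
    opcode = (flags >> 11) & 0xF
    if opcode > 5:                          # opcodes 0..5 are assigned; the rest are reserved
        findings.append(f"reserved opcode {opcode}")
    if is_query and qd != 1:
        findings.append(f"query with qdcount={qd}")
    if is_query and (an or ns or ar):
        findings.append("query carrying answer/authority/additional records")
    off = DNS_HEADER_LEN
    try:
        for _ in range(qd):                 # stops at the first malformed question
            off = _walk_name(payload, off)
            if off + 4 > len(payload):
                raise ValueError("question section truncated after name")
            off += 4                        # qtype + qclass
    except ValueError as exc:
        findings.append(f"malformed question section: {exc}")
    return findings


def ids_log(src: str, dst: str, payload: bytes) -> str:
    """What a sensor that parses the payload can say about the same datagram."""
    findings = inspect_dns(payload)
    if not findings:
        return f"dns query {src} -> {dst}: no anomaly"
    return f"ALERT malformed DNS {src} -> {dst}: " + "; ".join(findings)


# Constructed sample datagrams (DNS payload only, i.e. what follows the UDP header)
NORMAL_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"   # header: RD set, 1 question
                b"\x07example\x03com\x00"                             # QNAME example.com
                b"\x00\x01\x00\x01")                                  # QTYPE A, QCLASS IN
TRUNCATED = b"\x12\x34\x01\x00"                                        # 4 bytes, not even a header
BAD_LABEL = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             b"\x7f" + b"A" * 20)                                      # label length 127 > 63

if __name__ == "__main__":
    src, dst = "203.0.113.5", "198.51.100.10"  # RFC 5737 documentation addresses, constructed
    for name, pkt in (("normal", NORMAL_QUERY), ("truncated", TRUNCATED), ("bad label", BAD_LABEL)):
        print(f"[{name}] firewall: {firewall_log(src, dst, 53)}")
        print(f"[{name}] ids:      {ids_log(src, dst, pkt)}")
```

Run as-is and the firewall line is identical for all three datagrams, which is Ryan's point: without payload inspection the filter cannot tell a sane query from a truncated or oversized-label one, so a sensor outside the firewall is the only place those single-packet anomalies get named. Whether anyone reads the alerts, as Jennifer asks, is a separate question the code cannot answer.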