Re: IDS outside of firewall?

[Jeff Maddox <jeff.maddox () ssds com>]

I see the problem with inside monitoring being resources. How do I convince
upper management (in particularly since I am a consultant and not part of
their power structure, [I know that sometimes that actually makes it easier
but not usually]) to spend the money for the manpower (as we all know
equipment is a hell of a lot cheaper that capable people) for outside
monitoring, much less inside monitoring. We have all been telling customers
for years that the greatest threat is from the inside and, yet, very few
companies have something near adequate internal security against cookbook
crackers much less talented ones.


At 10:26 PM 8/3/98 -0400, Marcus J. Ranum wrote:
> Ryan Russell wrote:
> > Marcus, you're in a good postion to comment...
> > If I only have budget for one, where's the best
> > place to put it?
>
> I'd stick it inside, mostly because if it were outside
> it'd likely generate too many uninteresting alerts (where
> I define "uninteresting alert" as one that notifies you
> of an attack launched against your firewall that you
> know your firewall can block). I might go further and
> configure it to have different alert levels for intrusion
> signatures directed against key internal systems (servers
> and whatnot) and outgoing through the firewall (naughty
> insiders running up the risk of big legal bills).
>
> mjr.
> --
> Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
> work - http://www.nfr.net
> home - http://www.clark.net/pub/mjr
Jeff Maddox
SSDS Inc.
jeff.maddox () ssds com