Firewall Wizards mailing list archives

Re: IDS outside of firewall?


From: Paul Howell <grue () engin umich edu>
Date: Tue, 04 Aug 1998 10:47:35 -0400


"Ryan Russell" writes:

> Sorry, didn't mean to imply that outside is the best
> or only place to put one...  You just asked if there
> was any use to it.
>
> If I only get one, I think I'd like it on the inside.
>
> Naturally, you want two.. inside and outside,
> that coordinate with each other in some way.
> (I'm sure the vendors would be heartbroken
> to have to sell twice as many.)

Using an NFR, you could have one NFR with 2 interfaces.  One
interface on the outside and one on the inside.   The outside
interface you'd want to make sure couldn't transmit packets or
else you'd have a router!

There are a couple of ways to do this.  The easiest is to not set any 
config info for the outside, but just 'ifconfig <nic> up'.   Another
way is to essentially clip the transmit wires on the cable.  Doing 
both would be the best.

Once you have this type of setup, you could run NFR in one of
several configurations.

First you could run one instance of NFR and let it see all traffic,
i.e., from both interfaces.  Any security policy validation n-code
or ids n-code would react to packets coming in from the inside and
outside.

Second, you could run two instances of NFR, one sniffing on the inside
and the second sniffing the outside traffic.  You could then run your
ids n-code, say, on the outside and your security policy validation n-code
on the inside.

I think that looking at traffic from both sides is useful.  Correlating
outside traffic with a firewall reboot could be very important.  Likewise,
seeing inbound java applets coming through the firewall when you thought 
you'd turned them off could be very important.  

< paul
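The two-tap idea in the post above, worked through as an added example (this is not code from the post, from NFR, or from the n-code language it mentions). It assumes a simplified packet record, constructed sample traffic on fictitious documentation addresses, and a firewall reboot timestamp that is likewise made up. Packets seen on the outside tap that reappear on the inside tap within a short window are taken to have passed the firewall; the rest were dropped. The policy check flags two things the post worries about: a port that should have been blocked, and an inbound Java applet (spotted by its MIME type or the `.class` file magic). The event correlation lists which outside sources were busiest just before the firewall rebooted.

```python
from collections import Counter, namedtuple

# One decoded packet as a sensor would record it. `tap` is "outside" or "inside".
# Simplification (assumption): a flow is identified by (src, dst, dport, proto) only.
Packet = namedtuple("Packet", "ts tap src dst dport proto payload")

JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # first four bytes of every Java .class file
APPLET_RESPONSE = (b"HTTP/1.0 200 OK\r\nContent-Type: application/x-java-applet\r\n\r\n"
                   + JAVA_CLASS_MAGIC + b"\x00\x03\x00\x2d")

# Constructed sample traffic (not a real capture). Timestamps are seconds.
# 192.0.2.10 / .20 are inside hosts; 203.0.113.5 and 198.51.100.9 are outside.
OUTSIDE_TAP = [
    Packet(100.0, "outside", "192.0.2.10", "203.0.113.5", 80, "tcp", b"GET /page.html HTTP/1.0\r\n"),
    Packet(100.3, "outside", "203.0.113.5", "192.0.2.10", 1025, "tcp", APPLET_RESPONSE),
    Packet(101.0, "outside", "198.51.100.9", "192.0.2.10", 23, "tcp", b""),
    Packet(101.5, "outside", "198.51.100.9", "192.0.2.20", 25, "tcp", b"HELO probe\r\n"),
    Packet(102.0, "outside", "198.51.100.9", "192.0.2.10", 139, "tcp", b""),
    Packet(105.0, "outside", "198.51.100.9", "192.0.2.10", 80, "tcp", b"GET / HTTP/1.0\r\n"),
]
INSIDE_TAP = [
    Packet(99.99, "inside", "192.0.2.10", "203.0.113.5", 80, "tcp", b"GET /page.html HTTP/1.0\r\n"),
    Packet(100.31, "inside", "203.0.113.5", "192.0.2.10", 1025, "tcp", APPLET_RESPONSE),
    Packet(101.51, "inside", "198.51.100.9", "192.0.2.20", 25, "tcp", b"HELO probe\r\n"),
]
FIREWALL_REBOOT_TS = 103.0  # constructed: time the firewall's own log says it restarted


def flow_key(p):
    return (p.src, p.dst, p.dport, p.proto)


def passed_firewall(outside, inside, window=1.0):
    """Outside packets whose flow also shows up on the inside tap within `window` s.

    abs() is used because outbound packets reach the inside tap first, inbound
    packets the outside tap first.
    """
    inside_ts = {}
    for p in inside:
        inside_ts.setdefault(flow_key(p), []).append(p.ts)
    return [p for p in outside
            if any(abs(t - p.ts) <= window for t in inside_ts.get(flow_key(p), []))]


def blocked_by_firewall(outside, inside, window=1.0):
    """Outside packets with no matching inside packet: the firewall dropped them."""
    passed = set(passed_firewall(outside, inside, window))
    return [p for p in outside if p not in passed]


def policy_violations(passed, blocked_ports=frozenset({23, 139})):
    """Security-policy validation over traffic that made it through the firewall."""
    findings = []
    for p in passed:
        if p.dport in blocked_ports:
            findings.append((p, "port %d should be blocked at the firewall" % p.dport))
        if b"application/x-java-applet" in p.payload.lower() or JAVA_CLASS_MAGIC in p.payload:
            findings.append((p, "java applet passed the firewall"))
    return findings


def traffic_before_event(outside, event_ts, window=3.0):
    """Outside sources active in the `window` seconds before a firewall event,
    most active first; useful for asking what the box saw just before it rebooted."""
    counts = Counter(p.src for p in outside if event_ts - window <= p.ts < event_ts)
    return counts.most_common()


if __name__ == "__main__":
    through = passed_firewall(OUTSIDE_TAP, INSIDE_TAP)
    print("passed firewall:", [flow_key(p) for p in through])
    print("dropped by firewall:", [flow_key(p) for p in blocked_by_firewall(OUTSIDE_TAP, INSIDE_TAP)])
    for p, why in policy_violations(through):
        print("POLICY: %s -> %s:%d  %s" % (p.src, p.dst, p.dport, why))
    print("busiest sources before reboot:", traffic_before_event(OUTSIDE_TAP, FIREWALL_REBOOT_TS))
```

In a real deployment the two lists would be fed by the sensor on each interface rather than embedded, and the flow key would carry the source port and direction as well; the matching window must also be widened if the firewall does NAT, since the addresses then differ between the two taps.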


