Firewall Wizards mailing list archives
Re: IDS outside of firewall?
From: Paul Howell <grue () engin umich edu>
Date: Tue, 04 Aug 1998 10:47:35 -0400
"Ryan Russell" writes:
> Sorry, didn't mean to imply that outside is the best or only place to put one... You just asked if there was any use to it. If I only get one, I think I'd like it on the inside. Naturally, you want two... inside and outside, that coordinate with each other in some way. (I'm sure the vendors would be heartbroken to have to sell twice as many.)
Using an NFR, you could have one NFR with 2 interfaces. One interface on the outside and one on the inside. The outside interface you'd want to make sure couldn't transmit packets or else you'd have a router! There are a couple of ways to do this. The easiest is to not set any config info for the outside, but just 'ifconfig <nic> up'. Another way is to essentially clip the transmit wires on the cable. Doing both would be the best.

Once you have this type of set up, you could run NFR in one of several configurations. First, you could run one instance of NFR and let it see all traffic, i.e., from both interfaces. Any security policy validation n-code or ids n-code would react to packets coming in from the inside and outside. Second, you could run two instances of NFR, one sniffing on the inside and the second sniffing the outside traffic. You could then run your ids n-code, say, on the outside and your security policy validation n-code on the inside.

I think that looking at traffic from both sides is useful. Correlating outside traffic with a firewall reboot could be very important. Likewise, seeing inbound java applets coming through the firewall when you thought you'd turned them off could be very important.

< paul
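The receive-only outside interface Paul describes above, worked through as an added example that is not part of the original post or of NFR. On a current Linux host, bringing the NIC up with no address ('ifconfig <nic> up') is no longer enough to keep the kernel quiet: it will still issue ARP requests and IPv6 Router/Neighbor Solicitations, so the script below also turns those off with iproute2 and sysctl, and then gives you a way to confirm the interface has stayed silent by watching its TX packet counter. The interface name eth1 and the sample 'ip -s link show' output are assumptions for offline use. None of this replaces the hardware approach the post mentions (a cable with the transmit pairs cut, or a passive tap); software settings only make the host less likely to talk, while a one-way cable makes it impossible.

```shell
#!/bin/sh
# Added example: configure a Linux NIC as a receive-only sniffing interface
# with iproute2 (the modern equivalent of "ifconfig <nic> up" with no address)
# and verify afterwards that it has not transmitted anything.
# The interface name (eth1) and the sample counter output are assumptions.

# Print the commands that make $1 a silent listener:
#  - no IPv4 address, so the stack has nothing to answer from
#  - IPv6 disabled on the device, so no Router/Neighbor Solicitations go out
#  - ARP off, so it never issues or answers ARP; multicast off for IGMP/MLD
#  - promiscuous on, so every frame on the wire reaches the sniffer
passive_iface_commands() {
    dev="$1"
    printf '%s\n' \
        "ip addr flush dev $dev" \
        "sysctl -w net.ipv6.conf.$dev.disable_ipv6=1" \
        "ip link set dev $dev arp off multicast off promisc on" \
        "ip link set dev $dev up"
}

# Apply the commands above (requires root and a real interface).
make_passive() {
    passive_iface_commands "$1" | sh -e
}

# Extract the TX packet counter from "ip -s link show dev X" output.
# The line after the "TX:" header carries "bytes packets errors ...",
# so the packet count is the second field of that line.
tx_packets_from_stats() {
    printf '%s\n' "$1" | awk '/^ *TX:/ { getline; print $2; exit }'
}

# Sample the TX counter twice, $2 seconds apart (default 10), and report
# "silent" if nothing left the interface in between, else "TRANSMITTING".
check_silent() {
    dev="$1"; secs="${2:-10}"
    before=$(tx_packets_from_stats "$(ip -s link show dev "$dev")")
    sleep "$secs"
    after=$(tx_packets_from_stats "$(ip -s link show dev "$dev")")
    if [ "$after" = "$before" ]; then
        echo silent
    else
        echo TRANSMITTING
    fi
}

# Constructed sample of "ip -s link show dev eth1" output for a correctly
# configured passive interface: plenty received, nothing sent.
SAMPLE_STATS='3: eth1: <BROADCAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
    RX:  bytes packets errors dropped  missed   mcast
    918273645 1223344      0       0       0    5120
    TX:  bytes packets errors dropped carrier collsns
            0       0      0       0       0       0'

# Usage on a real host (as root):
#   make_passive eth1 && check_silent eth1 30
```

Run check_silent for a few minutes after the interface first comes up, and again after any reboot or network-stack change: a non-zero delta in the TX counter means some daemon or kernel feature found a way to talk through the tap port, and the cable is the only thing standing between you and the router the post warns about.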