Firewall Wizards mailing list archives
RE: DMZ best practices
From: Dominique Brezinski <dom_brezinski () securecomputing com>
Date: Fri, 22 Jan 1999 01:05:22 -0800
At 09:11 AM 1/22/99 +0100, Security wrote:
> Of course, an ID sensor outside the firewall is potentially vulnerable. When the ID sensor has a second NIC you can monitor a network segment with no protocol stack involved (on the first NIC) while also using an out-of-band channel (on the second NIC) for communication with the ID sensor. When there is a firewall between the second NIC and the internal network, you have a well-protected ID configuration. I have seen several discussions about cutting the transmit wires of the cable between the ID sensor and the monitored network. In this case, the ID sensor is physically secured.
All true, except that many (most?) NICs have issues with the transmit pair cut, or so I hear. There was a discussion about this some time ago on this list, I think. There are, however, big vulnerabilities that exist in the functional relationships between IDS and firewalls they can actively/reactively configure. It would be inappropriate to discuss those at the current time.
> You can monitor the DMZ with a sensor inside the DMZ. This is a proper solution, but in my opinion, a well-protected sensor outside the firewall does the same.
My question is not whether it can be done, but rather is it actually useful or sane. I think my opinion is clear enough from my other posts on the subject. We are all entitled to our own. It is a very rare customer that I would design a security perimeter for that included an ID sensor outside the first perimeter defense. It would just waste my customer's time to try and analyze and chase down all that they would see, when a vast majority of it is being repelled by their first perimeter defense. I might get a thrill watching it on my own network, but I am a techy individual (clearly insane ;) - not a company or organization. This is just my opinion.
Dominique Brezinski CISSP (206) 898-8254
Secure Computing http://www.securecomputing.com