Firewall Wizards mailing list archives

Re: Intrusion Prevention Firewall


From: Vern Paxson <vern () icir org>
Date: Sat, 06 Apr 2002 01:06:27 -0800

> Is this IDS operating inside the security boundary or outside?

We have a dozen Bro's running both inside and outside.

That said, in any case they're not in the forwarding path.  They react by
either terminating TCP connections (forging RST packets to the inside host,
which is more trustworthy about honoring them), or, in particular, connecting
to our routers to install ACL entries.

> The internal IDS also has responsibility for incidents which originate
> inside the network - (60%).

I really have to question that 60% figure.  I know it's the one often
cited, and used to justify certain styles of monitoring.  But it clearly
has to depend a great deal on your environment.  For LBL - where we monitor
internally as well as externally - upwards of 99% of the detected attacks
come from outside.

                Vern
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards

