IDS mailing list archives
Re: IDS deployment outside FW?
From: Frank Knobbe <frank () knobbe us>
Date: Wed, 11 Aug 2004 11:38:21 -0500
On Tue, 2004-08-10 at 09:22, Mike Poor wrote:
> There is another side to this. Your external IDS, imho, should be focused on what is getting "OUT" your firewall. This can tell you a number of things. First, it can illustrate the deficiencies in your outbound firewall policies. It can also tell you that you have internal hosts that are infected and/or exfiltrating data. So, I would focus your internal IDS on inbound traffic, and your external IDS on outbound traffic.
I wouldn't generalize like that. If your firewall is configured tightly, you may not see those abnormal outbound connection attempts of infected internal machines on your outside IDS. For example, if the firewall does not allow port 1034 from the inside through, then your external IDS won't be able to tell if/when you have a MyDoom outbreak. The IDS on the internal leg of the firewall will provide you with more information about unexpected outbound traffic than the outside IDS does.

But I agree, the outside IDS will provide important information about the strength of the outbound firewall rule set, mainly how leaky your firewall is.

So I dare to say that the best setup consists of one IDS on the internal side of the firewall and one IDS on the external side, and *both* should be configured/tuned to monitor and alert on inbound as well as outbound traffic. It's important to look both ways before crossing the 'Net. :)

Cheers,
Frank
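The two-sensor argument in the message above can be checked mechanically. The script below is an added example and is not code from the thread or from any of its participants: it correlates connection records from an IDS on the internal leg of the firewall with records from an IDS on the external leg. Outbound attempts seen only inside were stopped by the firewall (and, clustered by source host, point at an infected machine); outbound attempts seen on both legs that violate the egress policy show the rule set is leaky; inbound attempts seen only outside were blocked on the way in. The log format (one "src dst dport proto" record per line), the 10.0.0.0/8 internal range, the egress policy, the sample records and the assumption that the firewall does not rewrite addresses between the two sensors are all constructed for illustration.

```python
"""
Correlate inside- and outside-firewall IDS connection records.
Added example for the IDS-placement discussion; log format, addresses,
policy and sample data are assumptions, not from the original thread.
"""
import ipaddress
from collections import Counter, namedtuple

Flow = namedtuple("Flow", "src dst dport proto")

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range
ALLOWED_OUTBOUND_PORTS = {25, 80, 443}              # assumed egress policy

# Constructed sample sensor output: "src dst dport proto", one flow per line.
# Assumes the firewall does not NAT, so the same tuple is visible on both legs.
INSIDE_LOG = """\
10.0.0.12 203.0.113.7 1034 tcp
10.0.0.12 203.0.113.9 1034 tcp
10.0.0.31 198.51.100.5 25 tcp
10.0.0.44 198.51.100.80 443 tcp
10.0.0.12 203.0.113.7 6667 tcp
"""

OUTSIDE_LOG = """\
10.0.0.31 198.51.100.5 25 tcp
10.0.0.44 198.51.100.80 443 tcp
10.0.0.12 203.0.113.7 6667 tcp
192.0.2.66 10.0.0.44 22 tcp
"""


def parse_log(text):
    """Parse whitespace-separated flow records into a set of Flow tuples."""
    flows = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, proto = line.split()
        flows.add(Flow(src, dst, int(dport), proto))
    return flows


def is_outbound(flow):
    return ipaddress.ip_address(flow.src) in INTERNAL_NET


def is_inbound(flow):
    return (ipaddress.ip_address(flow.dst) in INTERNAL_NET
            and not is_outbound(flow))


def correlate(inside, outside):
    """Split flows by which sensor(s) saw them and by policy."""
    in_out = {f for f in inside if is_outbound(f)}
    ext_out = {f for f in outside if is_outbound(f)}
    in_in = {f for f in inside if is_inbound(f)}
    ext_in = {f for f in outside if is_inbound(f)}
    both_out = in_out & ext_out
    return {
        # seen inside, never made it out: firewall did its job, but why did
        # an internal host try? (the MyDoom-style case from the thread)
        "blocked_outbound": in_out - ext_out,
        # seen on both legs but not permitted by policy: the firewall is leaky
        "leaked_outbound": {f for f in both_out
                            if f.dport not in ALLOWED_OUTBOUND_PORTS},
        "permitted_outbound": {f for f in both_out
                               if f.dport in ALLOWED_OUTBOUND_PORTS},
        # seen outside only: inbound attempt the firewall dropped
        "blocked_inbound": ext_in - in_in,
        "passed_inbound": ext_in & in_in,
    }


def suspect_hosts(blocked_outbound, min_attempts=2):
    """Internal hosts with repeated blocked egress attempts (likely infected)."""
    counts = Counter(f.src for f in blocked_outbound)
    return {src: n for src, n in counts.items() if n >= min_attempts}


if __name__ == "__main__":
    result = correlate(parse_log(INSIDE_LOG), parse_log(OUTSIDE_LOG))
    for label, flows in result.items():
        print(f"{label}:")
        for f in sorted(flows):
            print(f"  {f.src} -> {f.dst}:{f.dport}/{f.proto}")
    print("suspect hosts:", suspect_hosts(result["blocked_outbound"]))
```

On the sample data the outside sensor alone would report the IRC-port flow that leaked through, but only the inside sensor reveals 10.0.0.12 repeatedly trying port 1034, which is the point Frank makes: the inside leg shows the infection, the outside leg shows the rule set's gaps, and the inbound SSH attempt shows up only outside. Real deployments with NAT need the firewall's translation log to join the two views.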
Current thread:
- IDS deployment outside FW? Chris Conacher (Aug 09)
- Re: IDS deployment outside FW? Dr Bit Bucket (Aug 10)
- <Possible follow-ups>
- Re: IDS deployment outside FW? templeofprs (Aug 10)
- Re: IDS deployment outside FW? Mike Poor (Aug 11)
- Re: IDS deployment outside FW? Frank Knobbe (Aug 11)
- Re: IDS deployment outside FW? Mike Poor (Aug 11)