Snort mailing list archives

Re: IDS Placement ideas for inside and outside a firewall.


From: "David Glosser" <david_glosser () yahoo com>
Date: Thu, 3 Apr 2003 23:46:49 -0500

I agree that an external sensor would be a Good Thing, just that it would be the last thing I would do. You 
first need to plug any holes that may exist with packets allowed through your firewall, and be perfectly comfortable with 
snort, have it tuned nicely, etc., before placing a sensor outside your firewall. That guy will be receiving alerts of 
a totally different order of magnitude. I'm guessing 100 or 1000 times as many alerts as the internal sensors. 
(Does anyone have any hard data on this?)

Now, if I had geographically dispersed sites, I may want sensors outside both firewalls, to determine if any kind of 
coordinated attack is happening.... 


----- Original Message ----- 
  From: Brei, Matt 
  To: brian.laing () blade-software com ; David Glosser ; FWAdmin ; snort-users () lists sourceforge net 
  Sent: Thursday, April 03, 2003 5:18 PM
  Subject: RE: [Snort-users] IDS Placement ideas for inside and outside a firewall.


  That’s exactly why I would want one outside of the firewall.  If I were to find a successful break in, I could then 
review logs from the external IDS and find that the same IP had done several scans or whatever that were eventually 
blocked by the firewall and not picked up by the internal IDS.  I would think that this would help build a better case 
if any type of legal action were to be taken. 



  Matt



  -----Original Message-----
  From: Brian Laing [mailto:Brian.Laing () Blade-Software com] 
  Sent: Thursday, April 03, 2003 11:28 AM
  To: 'David Glosser'; Brei, Matt; 'FWAdmin'; snort-users () lists sourceforge net
  Subject: RE: [Snort-users] IDS Placement ideas for inside and outside a firewall.



  I would agree with this sort of implementation. In many of the installs I have done I will set up the external sensors 
to do nothing but logging and ignore the data until I see something worth looking at on one of the internal servers. I 
use this data to see what else that IP has been doing or what other things have been attempted against a specific host.



  -------------------------------------------------------------------
  Brian Laing
  CTO
  Blade Software
  Cellphone: +1 650.280.2389
  Telephone: +1 650 367.9376
  eFax: +1 208.575.1374
  Blade Software - Because Real Attacks Hurt
  http://www.Blade-Software.com
  -------------------------------------------------------------------

  -----Original Message-----
  From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of 
David Glosser
  Sent: Wednesday, April 02, 2003 11:10 PM
  To: Brei, Matt; FWAdmin; snort-users () lists sourceforge net
  Subject: Re: [Snort-users] IDS Placement ideas for inside and outside a firewall.



  If you've never set up any IDS before, I'm not sure you would want to place it outside your firewall immediately. 
You'll get overwhelmed with probes, scans, script kiddies, etc. 

  First place the box (with the "snorting" NIC unnumbered) on the port monitoring the *internal* interface of your 
firewall. Let it work on all of the stuff your firewall lets through. Once you have that under control, then place 
another box (or another NIC on the same box) to monitor your internal servers (since break-ins can come from internal 
users). 

  Once you have these two under control, then you can worry about monitoring stuff outside the firewall, which I believe is 
called *attack detection*. But do you care that much about the stuff your firewall is successfully blocking?



  --snip-

     I am trying to convince my company to implement IDS on our network but I have a few questions. I know I would want 
one on both sides of the firewall, 

