Security Basics mailing list archives

RE: IDS question [was: Re: Firewall and DMZ topology]


From: "Mann, Bobby" <bmann () forzani com>
Date: Thu, 12 Jun 2003 12:03:34 -0600

 
External IDS can be inline or passive sitting on a span port.  For any ISP
or hosting facility bandwidth, routers and servers are a big issue.

IDS is very important if you have a 99.999% SLA with your clients; you don't
want to take any chances with any sort of downtime.

So in my opinion I think it's important to monitor critical segments in any
network, especially external (who's knocking on your door) methodology.
But that depends on your needs and requirements.  For a small business IDS
may be too much (cost vs. benefit), plus PIX and Cisco routers have built-in
IDS (IP audit rules) to watch 50 critical signatures.  But a company with no
SLA and uptime requirements of 99.9% or more may not need IDS.  Can the
company be down for a few hours out of the year in case of an attack?
Another thing: if you get bandwidth from a major ISP you can ask them to
rate limit (CAR) ICMP and UDP traffic and have them black hole other traffic
when necessary.

Medium size businesses should think about it and conduct an impact analysis.


Enterprise companies should have IDS outside/inside.  Too much liability to
the shareholders if something goes south.  Need to be proactive no matter
what company you work at.  However, in an enterprise company it's important
to show anything you can on paper to the shareholders and the executive
team.

Plus, with inline IDS you can program your own signatures and block them
from coming in.  Remember Code-Red and others?  Well, it can be blocked at
the gateway using NBAR or inline IDS.  Big performance impact, but you're still
within the SLA.  Since the virus changes faces, you must be able to pick it
up.

At the end of the day I am right down the center with IDS.  But IDS is no
good to admins that don't have policies, procedures and the ability to react,
or just don't give a damn.  Companies need to have the ability to react within
5 minutes to an attack.

The IDS needs to be on every critical network segment at the least.

Anyways, that's just my opinion, and I have done a lot of security work and
high availability designs.

-----Original Message-----
From: Steve Bremer
To: security-basics () securityfocus com
Sent: 6/12/03 5:56 AM
Subject: IDS question [was: Re: Firewall and DMZ topology]

tri-homed firewall, more so if you have IDS sensors at exterior, dmz,
and interior, and the time to monitor them.

Changing subjects a little bit here.  I agree with your IDS comment,
but I'm curious about how your external IDS is used.

I've run into differing opinions on this (as I do with most things
security related ;-), but I don't think that I would want the external
IDS monitoring incoming traffic.  Why?  Because it would be going
off all the time.  As many times as we're probed during the day, the
IDS sensor would be in a constant state of sending alerts.  Yes, you
could adjust the rules to reduce this, but then what is the point of
having the IDS sensor there?  However, I believe the external IDS
sensor should be there to monitor traffic leaving your external
firewall so you can see if one of your internal or DMZ hosts has
been compromised.

What do you think?

Steve Bremer
NEBCO, Inc.
System & Security Administrator
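Steve's point, that an external sensor earns its keep on traffic leaving the firewall rather than on the inbound probe noise, comes down to triaging alerts by flow direction. The following is an added example and is not code from either message or from any IDS product: it takes a handful of constructed alert records (time, source IP, destination IP, signature name), decides whether each flow is inbound or outbound relative to assumed internal and DMZ netblocks, lists outbound alerts individually (one of our own hosts is sourcing attack traffic, so it is a probable compromise) and collapses inbound alerts into a per-signature count. The netblocks and signature names are assumptions chosen for the example, not values from the thread.

```python
import ipaddress
from collections import Counter

# Assumed address plan for the example (hypothetical, not from the thread).
# 10.0.0.0/8 is treated as the internal network, 192.0.2.0/24 as the DMZ
# (an RFC 5737 documentation range, used here purely as a placeholder).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
DMZ_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample alerts, as a passive sensor outside the firewall might
# emit them: (time, source IP, destination IP, signature name).  The
# signature names are illustrative labels, not rules from a real ruleset.
SAMPLE_ALERTS = [
    ("12:00:01", "203.0.113.5", "192.0.2.10", "SCAN TCP portsweep"),
    ("12:00:02", "203.0.113.5", "192.0.2.11", "SCAN TCP portsweep"),
    ("12:00:03", "198.51.100.7", "192.0.2.10", "WEB-IIS cmd.exe access"),
    ("12:00:09", "192.0.2.10", "198.51.100.200", "WEB-IIS cmd.exe access"),
    ("12:00:15", "10.1.4.22", "203.0.113.99", "IRC outbound connection"),
    ("12:00:20", "203.0.113.8", "192.0.2.12", "SCAN TCP portsweep"),
]


def is_ours(ip_text):
    """True if the address falls inside one of our internal or DMZ netblocks."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS + DMZ_NETS)


def classify_direction(src, dst):
    """Classify a flow as seen from outside the firewall.

    'outbound': one of our hosts is the source and an outside host the target
    'inbound' : an outside host is talking to one of our hosts
    'internal': both ends are ours (should not normally be seen externally)
    'transit' : neither end is ours (misconfigured span or spoofed traffic)
    """
    src_ours, dst_ours = is_ours(src), is_ours(dst)
    if src_ours and not dst_ours:
        return "outbound"
    if dst_ours and not src_ours:
        return "inbound"
    if src_ours and dst_ours:
        return "internal"
    return "transit"


def triage(alerts):
    """Split alerts into (outbound_list, inbound_counter, other_counter).

    Outbound alerts are kept one per record because each one names a host
    of ours that needs a look.  Inbound alerts are reduced to a count per
    signature so the day's scanning shows up as a number, not a page of
    individual alerts.  Anything else is counted separately so a sensor
    that is seeing traffic it should not is noticed too.
    """
    outbound = []
    inbound = Counter()
    other = Counter()
    for ts, src, dst, sig in alerts:
        direction = classify_direction(src, dst)
        if direction == "outbound":
            outbound.append({"time": ts, "host": src, "target": dst, "signature": sig})
        elif direction == "inbound":
            inbound[sig] += 1
        else:
            other[direction] += 1
    return outbound, inbound, other


def compromised_hosts(alerts):
    """Sorted list of our hosts that appear as the *source* of an alert."""
    outbound, _, _ = triage(alerts)
    return sorted({rec["host"] for rec in outbound})


if __name__ == "__main__":
    out, inb, oth = triage(SAMPLE_ALERTS)
    print("Hosts of ours sourcing alerts (investigate first):")
    for rec in out:
        print(f"  {rec['time']} {rec['host']} -> {rec['target']}  {rec['signature']}")
    print("Inbound alerts, summarized per signature:")
    for sig, n in inb.most_common():
        print(f"  {n:4d}  {sig}")
    if oth:
        print("Unexpected flows:", dict(oth))
```

Run on the constructed sample, the two outbound records (the DMZ web host answering a probe with the same attack signature it just received, and an internal host opening an IRC session outward) are printed individually, while the three inbound portsweeps collapse to a single count. The sensor position does not change; only the direction filter decides what gets a human's attention.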

---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.

Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.

Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------
