Security Basics mailing list archives

RE: IDS question [was: Re: Firewall and DMZ topology]


From: "Steve Bremer" <steveb () nebcoinc com>
Date: Thu, 12 Jun 2003 13:51:15 -0500

Hi,

> External IDS can be inline or passive sitting on a span port.  For any

Good point.  I was thinking of just a monitoring sensor, but an in-line 
sensor that can be configured to block active attacks would be nice.  
Has anyone tried Hogwash?

> So in my opinion I think it's important to monitor critical segments
> in any network.  Especially, external (who's knocking on your door)

I wasn't completely clear in my last e-mail.  I was thinking more 
along the lines of having the IDS in the DMZ.  Any attacks that get 
past the outside firewall to the DMZ hosts would be caught by the 
IDS in the DMZ.  The attacks that don't make it past the external 
firewall into the DMZ would be much less of a concern.  Kind of a 
"let them knock on the door, but only deal with the ones who try to 
forcefully enter" line of thinking.  Configuring the external IDS to 
monitor outgoing traffic would let you monitor your own hosts for 
unusual behavior.



> The IDS needs to be on every critical network segment at the least.

Agreed. 

> Anyways that's just my opinion and I have done a lot of security work
> and high availability designs.

Thanks for your input, I appreciate it.

Steve Bremer
NEBCO, Inc.
System & Security Administrator
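The two ideas in the reply above, "only deal with the ones who try to forcefully enter" and "monitor outgoing traffic [to] monitor your own hosts for unusual behavior", are simple to express as detection logic over flow records from a DMZ sensor. The following is an added example, not code from the original thread or from any IDS product: it parses a handful of constructed NetFlow-style lines, counts inbound connection attempts from the outside (the "knocking"), and alerts on DMZ hosts that initiate outbound connections to destinations or ports not on an expected-egress list. The DMZ subnet, the expected-egress table and the sample flows are all assumptions made up for the example.

```python
import ipaddress
from collections import Counter
from typing import NamedTuple

# Assumed for the example: the DMZ subnet, and the only outbound destinations
# DMZ servers are expected to reach on their own (a DNS forwarder and a
# package mirror). Anything else initiated from inside the DMZ is suspicious.
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")
EXPECTED_EGRESS = {
    ipaddress.ip_address("198.51.100.53"): {53},        # DNS forwarder
    ipaddress.ip_address("198.51.100.80"): {80, 443},   # package mirror
}

# Constructed flow records (not real traffic), one per line:
# ts src_ip src_port dst_ip dst_port proto tcp_flags
SAMPLE_FLOWS = """\
1055443100 203.0.113.7 41234 192.0.2.10 80 tcp S
1055443101 203.0.113.7 41235 192.0.2.10 22 tcp S
1055443102 192.0.2.10 80 203.0.113.7 41234 tcp SA
1055443110 192.0.2.10 53412 198.51.100.53 53 udp -
1055443120 192.0.2.11 40001 203.0.113.200 6667 tcp S
1055443121 192.0.2.11 40002 203.0.113.200 6667 tcp S
1055443130 192.0.2.10 40003 198.51.100.80 443 tcp S
"""


class Flow(NamedTuple):
    ts: int
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    proto: str
    flags: str


def parse_flows(text):
    """Parse whitespace-separated flow lines; blank lines and # comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto, flags = line.split()
        flows.append(Flow(int(ts), ipaddress.ip_address(src), int(sport),
                          ipaddress.ip_address(dst), int(dport), proto, flags))
    return flows


def is_new_connection(f):
    # A TCP flow is a connection attempt only when it carries a bare SYN;
    # a SYN/ACK or later segment is the other side answering someone else's
    # attempt. UDP has no handshake, so each datagram counts as sender-initiated.
    return f.proto == "udp" or (f.proto == "tcp" and f.flags == "S")


def inbound_knocks(flows):
    """Count connection attempts from outside the DMZ into DMZ hosts, per source.

    This is the 'knocking on the door' traffic: worth a tally, not an alarm."""
    counts = Counter()
    for f in flows:
        if is_new_connection(f) and f.src not in DMZ_NET and f.dst in DMZ_NET:
            counts[str(f.src)] += 1
    return dict(counts)


def egress_alerts(flows):
    """DMZ hosts initiating connections outward to a destination/port not on the
    expected-egress list. A server that suddenly calls out on its own is the
    'unusual behavior' an IDS watching outbound traffic exists to catch.
    Returns a sorted list of (src, dst, dport, count)."""
    counts = Counter()
    for f in flows:
        if not is_new_connection(f):
            continue
        if f.src in DMZ_NET and f.dst not in DMZ_NET:
            if f.dport not in EXPECTED_EGRESS.get(f.dst, set()):
                counts[(str(f.src), str(f.dst), f.dport)] += 1
    return sorted((s, d, p, n) for (s, d, p), n in counts.items())


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("inbound attempts:", inbound_knocks(flows))
    for src, dst, port, n in egress_alerts(flows):
        print(f"ALERT unexpected egress {src} -> {dst}:{port} ({n} attempts)")
```

On the sample data the two SYNs from 203.0.113.7 are counted but not alerted on, the web server's SYN/ACK reply is ignored because it is not a new connection, its DNS and mirror traffic is on the expected list, and the only alert is 192.0.2.11 reaching out to port 6667 on an outside host. A real deployment would feed this from the span-port sensor's flow export and make the expected-egress table per host rather than global, but the direction test and the "bare SYN means initiated" rule are the parts that matter.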
