Firewall Wizards mailing list archives
IDS outside of firewall?
From: Rik Farrow <rik () spirit com>
Date: Wed, 29 Jul 1998 16:33:13 -0700 (MST)
Hi:

I have a question about the use of various IDS systems, including commercial products, as well as shadow from http://www.nswc.navy.mil/ISSEC/CID.

I find that many people put IDS systems outside of their firewalls. In the case of some .mil and .edu nets, this may not be an option, as firewalls are either non-existent or packet filters designed to block packets based on source address. But for a company to spend money, time, and personnel on watching the outside of the firewall, well, I am sure that there are lots of interesting things happening out there.

As an analogy, I imagine that a network IDS system is like a water quality analysis instrument, designed to detect any impurities (well, non-permissible impurities) in tap water. On the "clean" side of a water filtration plant, this instrument makes lots of sense. But on the other side, say in the Passaic river, the tool will have lots to report--but not much reason for doing so. We know the river is dirty.

If one has the time to watch the outside of the firewall looking for new and exotic attacks or scans, I suppose having a listening post on the Internet side of a firewall makes sense. But for most organizations, this sounds like a waste of money. The only thing an IDS system will do there is appear very exciting, because it will detect lots of probes every day.

OTOH, an IDS inside the firewall, which can pick up unusual events, for example, traffic that should not have passed through the firewall or port scanning on the internal network, makes a lot of sense to me.

Please e-mail me the comments about putting IDS outside the firewall, and I will post a summary in about a week.

Regards,

Rik Farrow
rik () spirit com
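The two "unusual events" the post names for an inside-the-firewall sensor (traffic that the firewall policy should have blocked, and port scanning between internal hosts) can be checked with a few lines over flow records. The following is an added example, not code from the post or from any IDS product it mentions; the allowed-inbound policy, the internal address range and the flow log lines are all constructed for illustration.

```python
"""Two checks an IDS placed inside the firewall can run on flow records:
  1. inbound flows that reached the inside but match no firewall allow rule
     (evidence the firewall did not enforce its own policy), and
  2. one internal host touching many distinct ports on another internal host
     (a simple internal port-scan heuristic).
All policy values and log lines below are constructed for this example."""
from collections import defaultdict
import ipaddress

# Constructed policy (assumed): only these (dst_port, proto) pairs may enter
# from the Internet. In practice this is derived from the real firewall rules.
ALLOWED_INBOUND = {(25, "tcp"), (80, "tcp"), (53, "udp")}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range

# Constructed flow records, one per line: src_ip src_port dst_ip dst_port proto
SAMPLE_FLOWS = """\
198.51.100.7 40001 10.1.2.3 80 tcp
198.51.100.7 40002 10.1.2.3 25 tcp
203.0.113.9 51000 10.1.2.5 139 tcp
203.0.113.9 51001 10.1.2.5 53 udp
10.1.9.9 33000 10.1.2.3 21 tcp
10.1.9.9 33001 10.1.2.3 22 tcp
10.1.9.9 33002 10.1.2.3 23 tcp
10.1.9.9 33003 10.1.2.3 25 tcp
10.1.9.9 33004 10.1.2.3 80 tcp
10.1.9.9 33005 10.1.2.3 110 tcp
10.1.9.9 33006 10.1.2.3 143 tcp
10.1.9.9 33007 10.1.2.3 443 tcp
10.1.9.9 33008 10.1.2.3 445 tcp
10.1.9.9 33009 10.1.2.3 3306 tcp
10.1.9.9 33010 10.1.2.3 8080 tcp
"""


def parse_flows(text):
    """Turn the whitespace-separated records into dicts with parsed addresses."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, sport, dst, dport, proto = line.split()
        flows.append({"src": ipaddress.ip_address(src), "sport": int(sport),
                      "dst": ipaddress.ip_address(dst), "dport": int(dport),
                      "proto": proto.lower()})
    return flows


def policy_violations(flows):
    """Flows from outside to inside whose (port, proto) is not in the allow set.
    Any hit means traffic passed the firewall that the policy says it should not."""
    hits = []
    for f in flows:
        if f["src"] not in INTERNAL_NET and f["dst"] in INTERNAL_NET:
            if (f["dport"], f["proto"]) not in ALLOWED_INBOUND:
                hits.append((str(f["src"]), str(f["dst"]), f["dport"], f["proto"]))
    return hits


def internal_port_scans(flows, threshold=10):
    """Internal (src, dst) pairs where src touched >= threshold distinct dst ports."""
    ports = defaultdict(set)
    for f in flows:
        if f["src"] in INTERNAL_NET and f["dst"] in INTERNAL_NET:
            ports[(str(f["src"]), str(f["dst"]))].add(f["dport"])
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= threshold}


def analyze(text=SAMPLE_FLOWS):
    """Run both checks over a flow log and return the findings."""
    flows = parse_flows(text)
    return {"violations": policy_violations(flows),
            "scans": internal_port_scans(flows)}


if __name__ == "__main__":
    for kind, findings in analyze().items():
        print(kind, findings)
```

The policy check is what makes the inside placement informative: the same 139/tcp probe seen outside the firewall is just another drop of river water, but seen inside it is a firewall that did not do its job. The scan threshold is deliberately crude; a real sensor would also window by time and weigh failed connections more than completed ones.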
Current thread:
- IDS outside of firewall? Rik Farrow (Aug 02)
- Re: IDS outside of firewall? Jennifer Galvin (Aug 03)
- Re: IDS outside of firewall? Craig H. Rowland (Aug 03)
- Re: IDS outside of firewall? Joseph S. D. Yao (Aug 03)
- Re: IDS outside of firewall? Jeff Sedayao (Aug 05)
- Re: IDS outside of firewall? Marcus J. Ranum (Aug 03)
- Re: IDS outside of firewall? Jennifer Galvin (Aug 03)
- Re: IDS outside of firewall? Woody Weaver (Aug 03)
- Re: IDS outside of firewall? Henry Hertz Hobbit (Aug 04)
- Re: IDS outside of firewall? Woody Weaver (Aug 05)
- Re: IDS outside of firewall? Henry Hertz Hobbit (Aug 04)
- Re: IDS outside of firewall? Stephen P. Berry (Aug 03)
- Re: IDS outside of firewall? Ryan Russell (Aug 03)