Firewall Wizards mailing list archives
Re: IDS outside of firewall?
From: Woody Weaver <woody () wiltelnsi com>
Date: Mon, 03 Aug 1998 10:43:51 -0400
At 04:33 PM 7/29/98 -0700, Rik Farrow wrote:
Hi: I have a question about the use of various IDS systems, including commercial products, as well as shadow from http://www.nswc.navy.mil/ISSEC/CID.
...
If one has the time to watch the outside of the firewall looking for new and exotic attacks or scans, I suppose having a listening post on the Internet side of a firewall makes sense. But for most organizations, this sounds like a waste of money. The only thing an IDS system will do there is appear very exciting, because it will detect lots of probes every day.
I disagree with your assumptions. I do not believe that for "most organizations" an IDS would detect lots of probes every day. In any event, it can provide an estimate of the threat level of the organization. If I put a passive IDS outside wiltelnsi.com (my return address) I would expect to see almost no probes -- the company is boring, nothing valuable to steal -- and security is designed with that threat level in mind. If I put a passive IDS outside sony.com, where I would expect to see lots of script kiddies with probes, the IDS can justify spending resources to be more careful about security.
OTOH, an IDS inside the firewall, which can pick up unusual events, for example, traffic that should not have passed through the firewall or port scanning on the internal network, makes a lot of sense to me.
Certainly, one should take the data from *detected intrusions* with a great deal of alarm. It seems to me that your argument boils down to an issue of filtering, and that you have assigned a zero value to data from outside, and a large positive value to data from the inside. I think you are being too unsubtle. All data is valuable, if you have time and resources to evaluate it. On the other hand, even data of traffic that should not have passed through the firewall could be a false positive. One has to be aware of what the data really means, and evaluate it in context.

--woody

--
Robert Wooddell Weaver            email: woody.weaver () wiltelnsi com
Network Engineer                  voice: 510.358.3972
Williams Communication Solutions  pager: 510.702.4334
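An added illustration of the two sensor uses argued over in this exchange, not code from either poster: the outside sensor only gauges threat level by counting distinct probing sources per day, while the inside sensor checks observed flows against the firewall's inbound policy and flags what should have been dropped. The policy, the record format and the "new inbound attempt versus return traffic" heuristic are all assumptions constructed for the example; the DNS-reply record shows the context-dependent false positive Woody warns about.

```python
from collections import defaultdict

# Constructed inbound policy: (dst_port, proto) the firewall is supposed to permit from outside.
ALLOWED_INBOUND = {(25, "tcp"), (80, "tcp"), (53, "udp")}
INTERNAL_NET = "10.0.0."   # constructed internal prefix

# Constructed sensor records: "timestamp src sport dst dport proto flags" ("-" = no TCP flags).
OUTSIDE_LOG = [
    "1998-08-03T01:12 192.0.2.10 40000 203.0.113.5 23 tcp S",
    "1998-08-03T02:40 192.0.2.10 40001 203.0.113.5 110 tcp S",
    "1998-08-03T03:15 198.51.100.7 3310 203.0.113.5 23 tcp S",
    "1998-08-04T09:00 192.0.2.44 5555 203.0.113.5 80 tcp S",
]
INSIDE_LOG = [
    "1998-08-03T01:13 192.0.2.10 40000 10.0.0.5 25 tcp S",     # permitted SMTP
    "1998-08-03T01:14 192.0.2.10 40002 10.0.0.5 23 tcp S",     # telnet: should have been blocked
    "1998-08-03T01:20 10.0.0.9 33000 192.0.2.80 80 tcp S",     # outbound from inside
    "1998-08-03T01:20 192.0.2.80 80 10.0.0.9 33000 tcp SA",    # reply to that outbound: not a hit
    "1998-08-03T01:21 192.0.2.53 53 10.0.0.9 34000 udp -",     # DNS reply: looks illegal, is context
    "1998-08-03T01:30 198.51.100.7 3310 10.0.0.5 161 udp -",   # SNMP from outside: should not be here
]

def parse_flow(line):
    ts, src, sport, dst, dport, proto, flags = line.split()
    return {"ts": ts, "src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "proto": proto, "flags": flags}

def is_new_inbound(f):
    """Heuristic (assumption): only a fresh connection attempt from outside is policy-relevant.
    TCP: a bare SYN. UDP has no flags, so service port -> ephemeral port is treated as a reply."""
    if f["src"].startswith(INTERNAL_NET):
        return False
    if f["proto"] == "tcp":
        return f["flags"] == "S"
    return not (f["sport"] < 1024 and f["dport"] >= 1024)

def inside_violations(lines):
    """Inbound attempts seen past the firewall that its policy should have dropped."""
    return [(f["src"], f["dst"], f["proto"], f["dport"])
            for f in map(parse_flow, lines)
            if is_new_inbound(f) and (f["dport"], f["proto"]) not in ALLOWED_INBOUND]

def outside_probe_sources(lines):
    """Distinct external sources per day on the outside sensor: a rough threat-level gauge."""
    per_day = defaultdict(set)
    for f in map(parse_flow, lines):
        if not f["src"].startswith(INTERNAL_NET):
            per_day[f["ts"][:10]].add(f["src"])
    return {day: len(srcs) for day, srcs in sorted(per_day.items())}

if __name__ == "__main__":
    print(outside_probe_sources(OUTSIDE_LOG))   # {'1998-08-03': 2, '1998-08-04': 1}
    print(inside_violations(INSIDE_LOG))         # telnet and SNMP attempts only
```

Without the reply heuristic the DNS record would be reported as a policy breach, which is exactly the kind of inside-sensor false positive that has to be read in context.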