Firewall Wizards mailing list archives

Re: IDS outside of firewall?


From: Woody Weaver <woody () wiltelnsi com>
Date: Mon, 03 Aug 1998 10:43:51 -0400

At 04:33 PM 7/29/98 -0700, Rik Farrow wrote:
Hi:

I have a question about the use of various IDS systems, including
commercial products, as well as shadow from 
http://www.nswc.navy.mil/ISSEC/CID.
...
If one has the time to watch the outside of the firewall looking for
new and exotic attacks or scans, I suppose having a listening post
on the Internet side of a firewall makes sense.  But for most 
organizations, this sounds like a waste of money.  The only thing
an IDS system will do there is appear very exciting, because it
will detect lots of probes every day.  

I disagree with your assumptions.  I do not believe that for "most
organizations" an IDS would detect lots of probes every day.  In any event,
it can provide an estimate of the threat level of the organization.  If I
put a passive IDS outside wiltelnsi.com (my return address) I would expect
to see almost no probes -- the company is boring, nothing valuable to steal
-- and security is designed with that threat level in mind.  If I put a
passive IDS outside sony.com, where I would expect to see lots of script
kiddies with probes, the IDS can justify spending resources to be more
careful about security.

OTOH, an IDS inside the firewall, which can pick up unusual events,
for example, traffic that should not have passed through the firewall
or port scanning on the internal network, makes a lot of sense to me.

Certainly, one should take the data from *detected intrusions* with a great
deal of alarm.  It seems to me that your argument boils down to an issue of
filtering, and that you have assigned a zero value to data from outside,
and a large positive value to data from the inside.  I think you are being
too unsubtle.  All data is valuable, if you have time and resources to
evaluate it.  On the other hand, even data of traffic that should not have
passed through the firewall could be a false positive.  One has to be aware
of what the data really means, and evaluate it in context.

--woody
--
Robert Wooddell Weaver           email:  woody.weaver () wiltelnsi com
Network Engineer                 voice:  510.358.3972
Williams Communication Solutions pager:  510.702.4334
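The two sensor placements argued over above, as an added example that is not part of the original post: constructed flow records from a sensor outside the firewall are compared against the firewall's intended policy to estimate probe volume, and records from an inside sensor are checked for inbound traffic the policy should have blocked, with the return traffic of inside-initiated sessions (the false positive Woody alludes to) separated from real failures. The policy, addresses, ports and flows are all constructed and hypothetical.

```python
"""Score IDS flow records from both sides of a firewall against the
firewall's own policy.  Constructed example; nothing here is data from
the original post."""
from collections import namedtuple

Flow = namedtuple("Flow", "src sport dst dport")

# Constructed policy: the only services meant to be reachable inbound.
INBOUND_ALLOWED = {("10.0.0.5", 25), ("10.0.0.6", 80)}
INTERNAL_NET = "10.0.0."


def is_internal(ip):
    return ip.startswith(INTERNAL_NET)


def inbound_permitted(flow):
    """True if the policy intends this inbound flow to reach the inside."""
    return (flow.dst, flow.dport) in INBOUND_ALLOWED


def threat_estimate(outside_flows):
    """Outside sensor: distinct external sources whose inbound traffic the
    policy denies.  A coarse measure of how much probing the site draws,
    not evidence of intrusion."""
    return len({f.src for f in outside_flows
                if not is_internal(f.src) and not inbound_permitted(f)})


def inside_anomalies(inside_flows, outbound_flows):
    """Inside sensor: inbound flows the policy should have blocked.  Reply
    packets of an inside-initiated session look exactly like this per
    packet, so they are reported separately as likely false positives."""
    established = {(f.dst, f.dport, f.src, f.sport) for f in outbound_flows}
    violations, explained = [], []
    for f in inside_flows:
        if is_internal(f.src) or inbound_permitted(f):
            continue
        if (f.src, f.sport, f.dst, f.dport) in established:
            explained.append(f)   # return traffic of an outbound session
        else:
            violations.append(f)  # genuinely should not have got through
    return violations, explained


# Constructed sensor records (documentation-range addresses).
OUTSIDE = [Flow("198.51.100.7", 40000, "10.0.0.5", 23),   # telnet probe
           Flow("198.51.100.7", 40001, "10.0.0.6", 111),  # portmapper probe
           Flow("203.0.113.9", 51000, "10.0.0.6", 80),    # permitted web hit
           Flow("192.0.2.44", 33333, "10.0.0.9", 139)]    # netbios probe
OUTBOUND = [Flow("10.0.0.20", 4444, "203.0.113.50", 443)]  # inside-initiated
INSIDE = [Flow("203.0.113.50", 443, "10.0.0.20", 4444),   # its reply: benign
          Flow("192.0.2.44", 33333, "10.0.0.9", 139),     # probe got through
          Flow("203.0.113.9", 51000, "10.0.0.6", 80)]     # permitted web hit
```

With these records `threat_estimate(OUTSIDE)` reports two probing sources, and `inside_anomalies(INSIDE, OUTBOUND)` reports the netbios probe as a real violation while setting the HTTPS reply aside as explained.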
