Firewall Wizards mailing list archives

Re: IDS outside of firewall?


From: "Craig H. Rowland" <crowland () psionic com>
Date: Mon, 3 Aug 1998 12:43:06 -0400 (EDT)



On Sun, 2 Aug 1998, Jennifer Galvin wrote:

> OTOH, an IDS inside the firewall, which can pick up unusual events,
> for example, traffic that should not have passed through the firewall
> or port scanning on the internal network, makes a lot of sense to me.
> Please e-mail me the comments about putting IDS outside the firewall,
> and I will post a summary in about a week.


      Your analogy and thinking seem correct.  I believe 80 percent of
all attacks come from inside networks, and if there is anything suspicious
going on on the outside, a properly configured firewall should log all of
that traffic.  Providing an IDS on the inside would, in theory, also help
track down what data was possibly destroyed, and how the attacker actually
penetrated the network.  

Having an IDS set up inside the firewall also helps detect intruders that
slipped in across a firewall VPN you set up to a "trusted" remote site.
This is something that I think is frequently overlooked by admins
who sometimes think that having encrypted tunnels somehow equals good
security.

-- Craig
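Two of the "unusual events" named in the thread, traffic on the inside that the firewall policy should never have let through and a port scan running between internal hosts, can be spotted from flow records alone. The following detector is an added example written for this archive page; it is not code from the mailing list or from either poster. The network layout, the firewall policy (`ALLOWED_INBOUND`), the thresholds and the flow log lines are all constructed for the illustration.

```python
"""Two internal-IDS heuristics run over constructed flow records."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed assumptions about the site: one internal range, and a firewall
# policy that only permits outside hosts to reach the web server on 80/443.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ALLOWED_INBOUND = {("10.0.1.10", 80), ("10.0.1.10", 443)}

# Constructed flow log: "<timestamp> <src> <dst> <dst_port>", one flow per line.
SAMPLE_FLOWS = """\
1998-08-03T12:40:01 203.0.113.5 10.0.1.10 443
1998-08-03T12:40:02 203.0.113.5 10.0.2.25 23
1998-08-03T12:40:03 10.0.5.7 10.0.2.25 21
1998-08-03T12:40:04 10.0.5.7 10.0.2.25 22
1998-08-03T12:40:04 10.0.5.7 10.0.2.25 23
1998-08-03T12:40:05 10.0.5.7 10.0.2.25 25
1998-08-03T12:40:05 10.0.5.7 10.0.2.25 80
1998-08-03T12:40:06 10.0.5.7 10.0.2.25 110
1998-08-03T12:50:00 10.0.5.7 10.0.2.25 443
1998-08-03T12:41:00 10.0.9.9 10.0.1.10 80
"""


def parse_flows(text):
    """Turn the whitespace-separated log lines into dicts with a real timestamp."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src,
                      "dst": dst, "dport": int(dport)})
    return flows


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def policy_violations(flows):
    """Outside -> inside flows seen on the internal side that the firewall policy forbids.

    Anything here either bypassed the firewall or reflects a rule misconfiguration,
    which is exactly the class of event an inside sensor is placed to catch.
    """
    return [f for f in flows
            if not is_internal(f["src"]) and is_internal(f["dst"])
            and (f["dst"], f["dport"]) not in ALLOWED_INBOUND]


def port_scans(flows, threshold=5, window=timedelta(seconds=60)):
    """Flag a source touching >= threshold distinct ports on one host within `window`."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["src"], f["dst"])].append(f)
    alerts = []
    for (src, dst), events in by_pair.items():
        events.sort(key=lambda f: f["ts"])
        for i, first in enumerate(events):
            # Distinct ports seen in the window that opens at this event.
            ports = {f["dport"] for f in events[i:] if f["ts"] - first["ts"] <= window}
            if len(ports) >= threshold:
                alerts.append({"src": src, "dst": dst, "ports": sorted(ports)})
                break  # one alert per (src, dst) pair is enough for triage
    return alerts


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for v in policy_violations(flows):
        print("POLICY VIOLATION:", v["src"], "->", v["dst"], "port", v["dport"])
    for a in port_scans(flows):
        print("PORT SCAN:", a["src"], "->", a["dst"], "ports", a["ports"])
```

On the sample data the first heuristic flags the outside host reaching an internal machine on telnet, which the constructed policy never allowed, while the external connection to the web server on 443 passes. The second flags the internal host that probes six ports on a neighbour within a few seconds; the same host's later single connection, ten minutes on, falls outside the window and does not add to the count. Both checks rely only on records collected inside the perimeter, which is the point of the post: the firewall's own logs cannot show either event.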
