Re: IDS outside of firewall?

["Ryan Russell" <ryanr () sybase com>]

Sorry, didn't mean to imply that outside is the best
or only place to put one...  You just asked if there
was any use to it.

If I only get one, I think I'd like it on the inside.

Naturally, you want two.. inside and outside,
that coordinate with each other in some way.
(I'm sure the vendors would be heartbroken
to have to sell twice as many.)

Marcus, you're in a good postion to comment...
If I only have budget for one, where's the best
place to put it?

               Ryan






Jennifer Galvin <jgalvin () digex net> on 08/03/98 12:20:17 PM

To:   Ryan Russell/SYBASE
cc:   firewall-wizards () nfr net
Subject:  Re: IDS outside of firewall?





This is true, but then, regardless of what is on the outside, wouldn't you
still want something on the inside, as well?  Not to mention my analogy
earlier, of the machine that goes PING.... Identifying attacks is useful,
however, unless you have someone wading through the log files and making
calls to ISPs so that accounts can be shut down and such, what good is
just a record of someone trying to break into your firewall, from the
OUTSIDE, when it actually happens?  Sure, you have some good ideas, but
what traffic eventually got through the firewall, and how do you know what
data left?  If the outside IDS is still a good idea, wouldn't an internal
one, in addition, be a better one?