Firewall Wizards mailing list archives
Re: IDS outside of firewall?
From: Jennifer Galvin <jgalvin () digex net>
Date: Sun, 2 Aug 1998 19:25:14 -0400 (EDT)
> OTOH, an IDS inside the firewall, which can pick up unusual events, for example, traffic that should not have passed through the firewall or port scanning on the internal network, makes a lot of sense to me. Please e-mail me the comments about putting IDS outside the firewall, and I will post a summary in about a week.
Your analogy and thinking seem correct. I believe 80 percent of all attacks come from inside networks, and if there is anything suspicious going on on the outside, a properly configured firewall should log all of that traffic. Providing an IDS on the inside would, in theory, also help track down what data was possibly destroyed, and how the attacker actually penetrated the network.

I personally agree with this logic, and the only reason I can think of to place an IDS on the outside of a firewall is to "seem" like it's picking up a lot of nasty traffic, when in fact it would all be logged and stopped by the firewall. This is kind of akin to the "machine that goes ... ping!" in The Meaning of Life. If you think about it, the IDS on the inside will in all likelihood be completely silent, until there is an intrusion. And we ALL like to see some sort of work or progress now and then....

Are there advantages to putting an IDS on the outside of the firewall? Maybe, if it can report and log anything the firewall can't. But isn't that just a sign that the firewall is not configured properly? And if firewalls drop all suspicious traffic anyway, would this just serve as a report-generator? I'm curious, though, what these are, if anyone has any ideas.....
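A worked example of the inside-sensor idea discussed in this thread, added here and not part of any poster's message: an internal sensor cross-checks the flows it sees against the firewall's intended inbound allow-list (flagging traffic that "should not have passed through the firewall") and applies a simple distinct-port heuristic for port scanning on the internal network. The addresses, the policy and the flow records are all constructed sample data.

```python
"""Added example (not from the original thread): an inside sensor that
cross-checks observed flows against the firewall's intended policy and
flags simple port scans originating on the internal network."""
from collections import defaultdict

# Constructed firewall policy: (destination host, port) pairs the perimeter
# firewall is SUPPOSED to let in from outside. Any other external-source
# flow seen inside "should not have passed through the firewall".
ALLOWED_INBOUND = {("10.0.0.5", 25), ("10.0.0.8", 80)}
INTERNAL_NET = "10.0.0."  # constructed internal prefix

# Constructed flow records as an inside sensor might see them:
# (source IP, destination IP, destination port)
FLOWS = [
    ("203.0.113.7", "10.0.0.8", 80),   # permitted by policy
    ("203.0.113.7", "10.0.0.5", 25),   # permitted by policy
    ("203.0.113.9", "10.0.0.8", 23),   # not in policy: firewall let it through
    ("10.0.0.42", "10.0.0.8", 21),     # internal host walking ports on one target
    ("10.0.0.42", "10.0.0.8", 22),
    ("10.0.0.42", "10.0.0.8", 23),
    ("10.0.0.42", "10.0.0.8", 25),
    ("10.0.0.42", "10.0.0.8", 80),
    ("10.0.0.42", "10.0.0.8", 443),
]

def is_internal(ip):
    return ip.startswith(INTERNAL_NET)

def policy_violations(flows, allowed=ALLOWED_INBOUND):
    """External-source flows seen inside that the firewall policy does not permit."""
    return [f for f in flows
            if not is_internal(f[0]) and (f[1], f[2]) not in allowed]

def internal_port_scans(flows, threshold=5):
    """Internal sources touching at least `threshold` distinct ports on one host."""
    ports = defaultdict(set)
    for src, dst, dport in flows:
        if is_internal(src):
            ports[(src, dst)].add(dport)
    return sorted((src, dst, len(p)) for (src, dst), p in ports.items()
                  if len(p) >= threshold)

if __name__ == "__main__":
    for f in policy_violations(FLOWS):
        print("policy violation (firewall misconfigured?):", f)
    for src, dst, n in internal_port_scans(FLOWS):
        print(f"internal port scan: {src} -> {dst}, {n} distinct ports")
```

A hit from `policy_violations` is exactly the "sign that the firewall is not configured properly" the post asks about, which is why the inside sensor is useful even when it is silent most of the time.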