Firewall Wizards mailing list archives

Re: IDS outside of firewall?


From: Jennifer Galvin <jgalvin () digex net>
Date: Sun, 2 Aug 1998 19:25:14 -0400 (EDT)



OTOH, an IDS inside the firewall, which can pick up unusual events,
for example, traffic that should not have passed through the firewall
or port scanning on the internal network, makes a lot of sense to me.
Please e-mail me the comments about putting IDS outside the firewall, 
and I will post a summary in about a week.


        Your analogy and thinking seem correct.  I believe 80 percent of
all attacks come from inside networks, and if there is anything suspicious
going on on the outside, a properly configured firewall should log all of
that traffic.  Providing an IDS on the inside would, in theory, also help
track down what data was possibly destroyed, and how the attacker actually
penetrated the network.  

        I personally agree with this logic, and the only reason I can
think of to place an IDS on the outside of a firewall is to "seem" like
it's picking up a lot of nasty traffic, when in fact it would all be
logged and stopped by the firewall.  This is kind of akin to the "machine
that goes ... ping!" in The Meaning of Life.  If you think about it, the
IDS on the inside will in all likelihood be completely silent, until there
is an intrusion. And we ALL like to see some sort of work or progress now
and then....

Are there advantages to putting an IDS on the outside of the firewall?
Maybe, if it can report and log anything the firewall can't.  But isn't
that just a sign that the firewall is not configured properly?  And if
firewalls drop all suspicious traffic anyway, would this just serve as a
report-generator?  I'm curious, though, what these are, if anyone has any
ideas.....
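The two inside-the-firewall detections the thread describes (traffic on the internal segment that the firewall policy should never have admitted, and port scanning on the internal network), written out as an added example in Python. This is not part of the original post or of any product named in the thread; the firewall policy, the addresses and the flow records are constructed for illustration, and the flow tuple layout is an assumption.

```python
"""Added example: two checks an IDS sensor placed inside the firewall can run.

  1. find_leaks: flows from outside that reached the inside although the
     (hypothetical) firewall policy says they should have been denied. A hit
     here is the "traffic that should not have passed through the firewall"
     case from the thread, i.e. a misconfigured or bypassed firewall.
  2. find_port_scans: one source touching many distinct ports on one host,
     the internal port-scan case.

Policy, networks and flow records are all constructed for this example.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical firewall policy: the only (destination network, destination
# port) pairs the firewall is supposed to admit from the Internet.
ALLOWED_INBOUND = [
    (ip_network("10.0.5.0/24"), 25),   # mail relay
    (ip_network("10.0.5.0/24"), 80),   # web front end
]
INTERNAL = ip_network("10.0.0.0/8")    # constructed internal address space

# Constructed flow records as the inside sensor would see them:
# (src_ip, dst_ip, dst_port, protocol)
FLOWS = [
    ("203.0.113.7", "10.0.5.10", 80, "tcp"),    # permitted by policy
    ("203.0.113.7", "10.0.5.10", 25, "tcp"),    # permitted by policy
    ("198.51.100.9", "10.0.9.4", 139, "tcp"),   # outside -> inside, not allowed
    ("10.0.3.3", "10.0.9.4", 21, "tcp"),        # internal host probing 10.0.9.4
    ("10.0.3.3", "10.0.9.4", 22, "tcp"),
    ("10.0.3.3", "10.0.9.4", 23, "tcp"),
    ("10.0.3.3", "10.0.9.4", 25, "tcp"),
    ("10.0.3.3", "10.0.9.4", 80, "tcp"),
    ("10.0.4.4", "10.0.5.10", 80, "tcp"),       # ordinary internal web access
]


def violates_policy(flow):
    """True if an external source reached a destination/port the policy denies."""
    src, dst, port, _proto = flow
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    if src_ip in INTERNAL:
        # Internal-to-internal traffic never crossed the firewall, so the
        # inbound policy does not apply to it (the scan check covers it).
        return False
    return not any(dst_ip in net and port == p for net, p in ALLOWED_INBOUND)


def find_leaks(flows):
    """Flows that passed the firewall although the policy says they should not."""
    return [f for f in flows if violates_policy(f)]


def find_port_scans(flows, threshold=5):
    """Map (src, dst) -> sorted distinct ports for pairs at or above threshold."""
    ports = defaultdict(set)
    for src, dst, port, _proto in flows:
        ports[(src, dst)].add(port)
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= threshold}


if __name__ == "__main__":
    for flow in find_leaks(FLOWS):
        print("firewall leak:", flow)
    for (src, dst), hit_ports in find_port_scans(FLOWS).items():
        print(f"port scan: {src} -> {dst} ports {hit_ports}")
```

On the constructed records the leak check reports only the external host reaching 10.0.9.4:139, and the scan check reports 10.0.3.3 probing five ports on 10.0.9.4; the two permitted inbound flows and the ordinary internal web access stay silent, which is the "silent until there is an intrusion" behaviour the reply describes.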