Firewall Wizards mailing list archives
Re: IDS collection in the DMZ, or in the dirty segment?
From: "Drexx D. Laggui" <drexx () pacific net sg>
Date: Thu, 28 Jan 1999 11:31:44 +0800
Jan. 28, 1999

Hello world,

You can install IDSes in any part of the network, if you can afford to buy/build so many systems. If you can afford the resources to properly monitor and analyze traffic data, & store the logs away for safekeeping (Important: make sure you can later prove in court that it has not been tampered with. Remember the O.J. Simpson case with his DNA as evidence?) And if you can afford (i.e. time/equipment/manpower) to respond to incidents properly.

That said, I think it is best in most commercial cases, to just put the IDS collection engine in the public DMZnet (commonly seen here in Asia-Pacific as a network with public-exposed servers connected via the 3rd NIC of a firewall, as popularly illustrated in FireWall-1 setups). Why?

1] The Internet/extranet exposed servers are why most companies have firewalls in the first place, 'coz they recognize that it is the most vulnerable part of the network. When they want an IDS, this is where expensive (wrt build/buy and maintain) IDSes will be first installed.

2] The second priority will be on internal networks. It's because many admins do not fully trust their internal users, especially on large and remote networks. Many "surveys" and "studies" apparently support this paranoia (good for your health if taken in moderation :-) . But... why not put the first IDS here?

2.1] If the internal user is knowledgeable (or cluelessly careless) enough, he can spoof attacks to a well-defended target and have somebody else blamed for it. The spoofed victim will be reprimanded and/or be denied network service to/from an application server. Remember that there are firewalls that can be integrated with IDSes. An example of which is RealSecure v2.5 and FireWall-1 v4, which can actively respond to suspicious traffic by RealSecure sending a RST packet and FireWall-1 reconfiguring its Security Policy.

2.2] Most IDSes in my opinion are not fast enough to handle the high speeds of internal networks. Especially if the IDS is monitoring the backplane of a switch. They will see some packets all right, but not everything. Their main bottleneck is the CPU power of the IDS engine.

3] Placing the IDS in front of the firewall (meaning the segment where the router to the ISP or WAN is at) would be more of a luxury for most small-to-medium businesses.

3.1] They cannot almost always afford to react to the slightest hint of a probe, whether it be from a script kid or from some higher form of life.

3.2] With regards to more clever external attackers, see problem no. 2.1 above about IP spoofing and DoS attacks. This scenario can be offset somewhat if you encrypt and tunnel all your traffic between your extranet and remote/mobile users.

Drexx D. Laggui

P.S. (in Filipino, also stands for Pa-Singit) Due to the high political correctness that is demanded of this mailing-list, I must say that the mention of FireWall-1 and RealSecure was not intended to be an advertisement, but merely cited as my example.

At 10:17 AM 1/27/99 -0700, Matt McClung, CCSA/CCSE wrote:
> I have yet to read someone post the idea that you CAN install more than one IDS in your network. I have yet to see any hard case for not putting an IDS in the DMZ, Service Network, Extranet or Internal network. The biggest drawback to this is capital. You can centrally manage and monitor all IDS boxes, which relieves the management headache, and you are able to cover all areas which really should be covered (those I mentioned).
>
> Matt McClung
> Net.Works Security Engineer
> mmcclung () ndwcorp com
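Drexx's aside about later having to prove in court that stored IDS logs were not tampered with, illustrated as an added example that is not part of this thread or of any product mentioned in it: a hash-chained alert store where each record commits to the digest of the record before it, so an edit, deletion or reordering after the fact fails verification. The sample alerts are constructed, and the HMAC key in `seal_chain_head` is assumed to be held off the sensor (a hypothetical arrangement, not anything the thread describes).

```python
import hashlib
import hmac
import json

# Constructed sample IDS alerts, in arrival order (not taken from the thread).
SAMPLE_ALERTS = [
    {"ts": "1999-01-28T03:12:04Z", "sensor": "dmz-ids", "sig": "portscan", "src": "192.0.2.10"},
    {"ts": "1999-01-28T03:12:09Z", "sensor": "dmz-ids", "sig": "http-probe", "src": "192.0.2.10"},
    {"ts": "1999-01-28T03:15:41Z", "sensor": "dmz-ids", "sig": "smtp-vrfy", "src": "198.51.100.7"},
]

GENESIS = "0" * 64  # fixed "previous hash" for the first record in a chain

def _digest(prev_hash, alert):
    # Canonical JSON so the same alert always produces the same digest.
    body = json.dumps(alert, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def append_alert(chain, alert):
    """Append one alert; the record stores the hash of everything before it."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    record = {"alert": dict(alert), "prev": prev_hash}
    record["hash"] = _digest(prev_hash, record["alert"])
    chain.append(record)
    return record

def build_chain(alerts):
    chain = []
    for alert in alerts:
        append_alert(chain, alert)
    return chain

def verify_chain(chain):
    """Return (ok, index of first bad record); the index is -1 when intact."""
    prev_hash = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev_hash or rec["hash"] != _digest(prev_hash, rec["alert"]):
            return False, i
        prev_hash = rec["hash"]
    return True, -1

def seal_chain_head(chain, key):
    """HMAC over the last hash. Assumption: the key lives off the sensor, so
    someone who can rewrite the whole file still cannot forge a matching seal."""
    head = chain[-1]["hash"] if chain else GENESIS
    return hmac.new(key, head.encode(), hashlib.sha256).hexdigest()

def seal_matches(chain, key, seal):
    return hmac.compare_digest(seal_chain_head(chain, key), seal)
```

Hash chaining alone only detects tampering by someone who cannot regenerate the whole chain; the off-sensor seal is what lets you show the chain is the one that existed when it was sealed.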