Firewall Wizards mailing list archives

Re: IDS collection in the DMZ, or in the dirty segment?


From: "Drexx D. Laggui" <drexx () pacific net sg>
Date: Thu, 28 Jan 1999 11:31:44 +0800

Jan. 28, 1999

Hello world,

You can install IDSes in any part of the network, if you can afford to
buy/build so many systems; if you can afford the resources to properly
monitor and analyze traffic data, & store the logs away for safekeeping
(Important: make sure you can later prove in court that it has not been
tampered with. Remember the O.J. Simpson case with his DNA as evidence?);
and if you can afford (i.e. time/equipment/manpower) to respond to
incidents properly.

That said, I think it is best in most commercial cases, to just put the
IDS collection engine in the public DMZnet (commonly seen here in Asia-
Pacific as a network with public-exposed servers connected via the 3rd
NIC of a firewall, as popularly illustrated in FireWall-1 setups).

Why?

1] The Internet/extranet exposed servers are why most companies have
   firewalls in the first place, 'coz they recognize that it is the most
   vulnerable part of the network. When they want an IDS, this is where
   expensive (wrt build/buy and maintain) IDSes will be first installed.

2] The second priority will be on internal networks. It's because many
   admins do not fully trust their internal users, especially on large
   and remote networks. Many "surveys" and "studies" apparently support
   this paranoia (good for your health if taken in moderation :-) . 
   But... why not put the first IDS here?
2.1] If the internal user is knowledgeable (or cluelessly careless)
     enough, he can spoof attacks to a well-defended target and have
     somebody else blamed for it. The spoofed victim will be reprimanded
     and/or be denied network service to/from an application server.
     Remember that there are firewalls that can be integrated with IDSes.
     An example is RealSecure v2.5 with FireWall-1 v4, which can
     actively respond to suspicious traffic by RealSecure sending a RST
     packet and FireWall-1 reconfiguring its Security Policy.
2.2] Most IDSes in my opinion are not fast enough to handle the high
     speeds of internal networks. Especially if the IDS is monitoring the
     backplane of a switch. They will see some packets all right, but not
     everything. Their main bottleneck is the CPU power of the IDS engine.

3] Placing the IDS in front of the firewall (meaning the segment where the
   router to the ISP or WAN is at) would be more of a luxury for most
   small-to-medium businesses.
3.1] They almost always cannot afford to react to the slightest hint of a
     probe, whether it be from a script kid or from some higher form of
     life.
3.2] With regards to more clever external attackers, see problem no. 2.1
     above about IP spoofing and DoS attacks. This scenario can be offset
     somewhat if you encrypt and tunnel all your traffic between your
     extranet and remote/mobile users.


Drexx D. Laggui

P.S. (in Filipino, also stands for Pa-Singit)
Due to the high political correctness that is demanded of this mailing
list, I must say that the mention of FireWall-1 and RealSecure was not
intended to be an advertisement, but merely cited as my example.


At 10:17 AM 1/27/99 -0700, Matt McClung, CCSA/CCSE wrote:
I have yet to read someone post the idea that you CAN install more than one
IDS in your network.
I have yet to see any hard case for not putting an IDS in the DMZ, Service
Network, Extranet or Internal network.  The biggest drawback to this is
capital.  You can centrally manage and monitor all IDS boxes, which relieves
the management headache, and you are able to cover all areas which really
should be covered (those I mentioned).

Matt McClung
Net.Works Security Engineer
mmcclung () ndwcorp com
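The risk in point 2.1 of the message above (an IDS that tells the firewall to block the source of every alert can be turned against a legitimate host by forging that host's address) is illustrated below with a small added example. This is not code from the poster, from RealSecure or from FireWall-1; the responder classes, the alert fields and the addresses (RFC 5737 documentation ranges) are constructed for illustration, and the example assumes the sensor can tell whether it saw a completed TCP three-way handshake for the flow that raised the alert.

```python
"""Spoof-aware IDS active response (added illustration, hypothetical code).

A naive responder blocks the source address of any alert, forever. Since a
source address is trivially forged for single-packet traffic (a bare SYN,
UDP, ICMP), that policy lets anyone deny service to a host of their choice.
The hardened responder only auto-blocks when the evidence shows the source
really completed a TCP handshake, never blocks addresses on a protected
list, and expires blocks so a mistake is not permanent.
"""
from dataclasses import dataclass, field


@dataclass
class Alert:
    src_ip: str
    dst_ip: str
    proto: str            # "tcp", "udp" or "icmp"
    signature: str
    handshake_done: bool  # True only if the sensor saw the full 3-way handshake
    ts: float             # alert time in seconds


@dataclass
class NaiveResponder:
    """Blocks the source of every alert with no expiry (the risky policy)."""
    blocked: set = field(default_factory=set)

    def handle(self, a: Alert) -> bool:
        self.blocked.add(a.src_ip)
        return True


@dataclass
class HardenedResponder:
    """Blocks only spoof-resistant sources, never protected ones, with a TTL."""
    protected: frozenset
    block_ttl: float = 600.0
    blocked: dict = field(default_factory=dict)  # ip -> expiry timestamp

    def _expire(self, now: float) -> None:
        for ip in [ip for ip, exp in self.blocked.items() if exp <= now]:
            del self.blocked[ip]

    def handle(self, a: Alert) -> bool:
        self._expire(a.ts)
        if a.src_ip in self.protected:
            return False          # never let an alert cut off a critical peer
        if not (a.proto == "tcp" and a.handshake_done):
            return False          # source address unverified: log, don't block
        self.blocked[a.src_ip] = a.ts + self.block_ttl
        return True

    def is_blocked(self, ip: str, now: float) -> bool:
        self._expire(now)
        return ip in self.blocked


# Constructed alert stream: two forged-looking single-packet events claiming
# protected/internal sources, then one genuine exploit attempt over an
# established TCP connection.
SAMPLE_ALERTS = [
    Alert("203.0.113.10", "192.0.2.80", "tcp", "SYN port scan", False, 10.0),
    Alert("192.0.2.53", "192.0.2.80", "udp", "DNS amplification probe", False, 11.0),
    Alert("198.51.100.77", "192.0.2.80", "tcp", "HTTP CGI exploit attempt", True, 12.0),
]
PROTECTED = frozenset({"203.0.113.10"})  # e.g. the partner's extranet gateway


def run_scenario(alerts=SAMPLE_ALERTS, later: float = 1000.0):
    """Feed the alerts to both responders and report what each ends up blocking."""
    naive = NaiveResponder()
    hardened = HardenedResponder(protected=PROTECTED)
    for a in alerts:
        naive.handle(a)
        hardened.handle(a)
    now = alerts[-1].ts
    return {
        "naive": set(naive.blocked),
        "hardened_now": {ip for ip in hardened.blocked if hardened.is_blocked(ip, now)},
        "hardened_later": {ip for ip in list(hardened.blocked) if hardened.is_blocked(ip, later)},
    }


if __name__ == "__main__":
    for name, ips in run_scenario().items():
        print(f"{name:15s} blocked: {sorted(ips)}")
```

The naive policy ends up blocking the partner gateway and the DNS server on the strength of packets whose source address nobody verified; the hardened policy blocks only the host that demonstrably completed a connection, and even that block lapses after its TTL, so the right place for the other two events is the log and an analyst's queue, not the firewall rule base.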
