Firewall Wizards mailing list archives

IDS data collection _outside_ of a firewall


From: "John Kozubik" <john_kozubik_dc () hotmail com>
Date: Tue, 19 Jan 1999 22:33:38 PST

Also, the comment on having ID sensors outside the firewall is also 
equally flawed.  

I must respectfully disagree.

Please refer to:

http://www.nswc.navy.mil/ISSEC/CID/

for a detailed explanation on two tried and true methods of IDS - 
Network Flight Recorder, and the STEP system.  Both methods call for the 
data collection portion of the IDS to sit outside of the firewall, in 
the DMZ.  

It should be quite clear to anyone familiar with the subject of IDS that 
the collection station is _necessarily_ outside of the firewall. 

For instance, it would be somewhat difficult to detect NetBIOS scans if 
you are watching with a machine that is inside a firewall that is 
blocking 135, 137, etc. (you are blocking those, aren't you? :)

The above web page is a great start for anyone who can invest about 1-2 
hours reading on the subject of IDS - it is well worth it for the 
beginner in the subject, and would provide a good foundation for further 
study.

kozubik - John Kozubik - john_kozubik () hotmail com
PGP DSS: 0EB8 4D07 D4D5 0C28 63FE  AD87 520F 57BE 850B E4C4
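
The visibility argument in the message above, as an added example that is not part of the original post: the same scan detector is run over the traffic a sensor outside the firewall would see and over what is left after the firewall drops the blocked ports. The traffic, addresses, threshold and function names are constructed for illustration, and ports 138 and 139 are an assumption standing in for the post's "etc.".

```python
from collections import defaultdict

# Ports the firewall drops inbound. 135 and 137 are named in the post;
# 138 and 139 are an assumption standing in for its "etc.".
BLOCKED_PORTS = {135, 137, 138, 139}
NETBIOS_PORTS = BLOCKED_PORTS
SCAN_THRESHOLD = 5  # distinct hosts probed by one source (assumed value)


def sample_traffic():
    """Constructed packets arriving at the external interface, as
    (source IP, destination IP, destination port) tuples."""
    pkts = [("203.0.113.7", f"192.0.2.{h}", 137) for h in range(10, 30)]  # sweep
    pkts += [("203.0.113.7", f"192.0.2.{h}", 139) for h in range(10, 14)]
    pkts += [("198.51.100.4", "192.0.2.80", 80) for _ in range(6)]  # web traffic
    pkts += [("198.51.100.9", "192.0.2.10", 137)]  # single stray probe
    return pkts


def firewall(packets, blocked=BLOCKED_PORTS):
    """Packets that survive the firewall and reach a sensor placed inside it."""
    return [p for p in packets if p[2] not in blocked]


def detect_netbios_scans(packets, threshold=SCAN_THRESHOLD):
    """Return {source: distinct hosts probed on NetBIOS ports} for every
    source that reaches the threshold."""
    targets = defaultdict(set)
    for src, dst, dport in packets:
        if dport in NETBIOS_PORTS:
            targets[src].add(dst)
    return {s: len(d) for s, d in targets.items() if len(d) >= threshold}


def compare_placements(packets):
    """Run the same detector at both sensor positions."""
    outside = detect_netbios_scans(packets)
    inside = detect_netbios_scans(firewall(packets))
    return outside, inside


if __name__ == "__main__":
    outside, inside = compare_placements(sample_traffic())
    print("sensor outside firewall:", outside)
    print("sensor inside firewall: ", inside)
```

The inside sensor reports nothing because the firewall has already discarded every packet the detector keys on; only the web traffic reaches it.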

