Firewall Wizards mailing list archives

IDS data collection, and firewall(s) (was RE: DMZ best practices, blah, blah)


From: "John Kozubik" <john_kozubik_dc () hotmail com>
Date: Tue, 19 Jan 1999 22:27:54 PST

dom_brezinski,

Please accept my apologies for not elaborating further in a previous 
post - you are correct in noting that placing all machines behind one 
firewall constitutes a security hole in itself, and certainly does go 
against much of the literature which explains that attacked hosts should 
not serve as jumping off points for attacks on deeper machines.
Rather than pigeonhole the observer in a 'one network, one firewall' 
world, I was trying to generalize a bit more.  I use multiple levels of 
firewalls, as do many of the users on this list, I am sure.

As far as IDS data collection machines go, I will not voice my own 
opinion, but rather refer you to the CIDER documents at:

http://www.nswc.navy.mil/ISSEC/CID/

This will explain two _very_ popular methods of IDS - Network Flight 
Recorder, and the STEP system.  Suffice to say that in NFR, the data 
collection machine and the analysis machine are all rolled into one, and 
it sits in the DMZ, whereas in STEP, they are separate machines - the 
collection unit sits in the DMZ, whereas the analysis machine is behind 
a firewall.  YMMV, of course, but generally, the data collection 
portion of these IDS' sits in the DMZ, and if you only have one 
firewall, yes, that means it is un-firewalled.

As far as using 'elaborate' IDS mechanisms like this with success, I 
would invite anyone on this list to email me at:

john_kozubik () hotmail com (_not_ the address this comes from...)

to discuss the implementation and maintenance of such systems, as they 
are part of my network topology, and I am having success with them.

Again, sorry for the mix-up, etc. - I would be the first to emphasize 
all of the points you made when speaking in relation to a one-firewall 
network.  I missed the point when my rant about DMZ nomenclature turned 
into a serious discussion, and am now paying the price for my flippancy 
:)



kozubik - John Kozubik - john_kozubik () hotmail com
PGP DSS: 0EB8 4D07 D4D5 0C28 63FE  AD87 520F 57BE 850B E4C4


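The topology John contrasts above (STEP-style: collector exposed in the DMZ, analyzer behind a firewall) comes down to one firewall policy question: what can the DMZ sensor reach on the inside if it is compromised? The following is an added illustration, not code from the original post, from NFR, or from the CIDER documents. It models a first-match, default-deny policy in which the only DMZ-to-internal flow is the sensor's event feed, and then computes the "blast radius" of each DMZ host. All addresses, hostnames and the event-feed port are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None means any destination port
    action: str           # "allow" or "deny"


# Constructed address plan (TEST-NET-1 and RFC 1918 space, not real hosts).
DMZ = ip_network("192.0.2.0/24")
INTERNAL = ip_network("10.0.0.0/8")
ANY = ip_network("0.0.0.0/0")

SENSOR = ip_address("192.0.2.10")    # IDS collection unit, sits in the DMZ
WEB = ip_address("192.0.2.20")       # an ordinary DMZ server next to it
ANALYZER = ip_address("10.0.1.5")    # IDS analysis host, behind the firewall
ADMIN = ip_address("10.0.1.50")      # internal management workstation


def host(addr: IPv4Address) -> IPv4Network:
    """Single-host network for use as a rule endpoint."""
    return ip_network(f"{addr}/32")


# First-match policy, default deny.  The only connection the DMZ may open
# toward the inside is the sensor's event feed to the analyzer (port 514 is
# a constructed choice).  Management of DMZ hosts is initiated from inside.
POLICY = [
    Rule(host(SENSOR), host(ANALYZER), "tcp", 514, "allow"),
    Rule(DMZ, INTERNAL, "any", None, "deny"),
    Rule(host(ADMIN), DMZ, "tcp", 22, "allow"),
    Rule(ANY, INTERNAL, "any", None, "deny"),
]


def evaluate(src, dst, proto, dport, policy=POLICY) -> str:
    """Return the action for a new connection; unmatched traffic is denied."""
    s, d = ip_address(src), ip_address(dst)
    for r in policy:
        if (s in r.src and d in r.dst
                and r.proto in ("any", proto)
                and r.dport in (None, dport)):
            return r.action
    return "deny"


def reachable_from(src, targets, ports, policy=POLICY):
    """Blast radius: the (target, port) pairs a host at `src` could open
    if it were fully compromised.  For the STEP-style split this should be
    exactly the sensor's feed to the analyzer and nothing more."""
    return {(str(t), p) for t in targets for p in ports
            if evaluate(src, t, "tcp", p, policy) == "allow"}


if __name__ == "__main__":
    inside = [str(ANALYZER), str(ADMIN)]
    for dmz_host in (SENSOR, WEB):
        print(dmz_host, "->", reachable_from(str(dmz_host), inside, [22, 514]))
```

The single-box NFR layout John describes has no equivalent rule to write: the analysis data already lives on the DMZ host, so a compromise of the collector exposes it directly. The split design reduces that exposure to the one inbound feed, and the `reachable_from` check is the kind of thing worth re-running whenever the policy changes.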


