Firewall Wizards mailing list archives

IDS collection in the DMZ, or in the dirty segment?


From: "John Kozubik" <john_kozubik_dc () hotmail com>
Date: Thu, 21 Jan 1999 22:48:27 PST

I must disagree with dominique who suggested that the IDS data 
collection unit be placed in the dirty segment (the public servers 
behind the third nic in the firewall) as opposed to placing it in the 
DMZ (between the firewall and the outside world).

The reason is that although you have the dirty segment off of a third 
nic, and with a less stringent security policy than the machines off of 
the second nic, it doesn't mean you have no security policy at all - 
most likely (hopefully) you are still doing some basic filtering to the 
machines in the dirty segment.

Therefore, the IDS collection unit will not see the packets that you are 
filtering that won't make it into the dirty segment.

Please refer to my other post on the benefits of detecting packets and 
requests that you are already firewalling against for information on why 
this is important.

It is my opinion that the only place for the IDS data collection machine 
is in the DMZ.  That said, although I have never seen it in action, in 
the same way that you can utilize multiple firewalls, you can also 
utilize multiple IDS in one network, and I can imagine one or two 
bizarre scenarios where it might help to have another collection box in 
the dirty segment as well as in the DMZ.

I have gotten a lot of flak here for talking about bizarre cases 
though, so I won't go into it :)

kozubik - John Kozubik - john_kozubik () hotmail com
PGP DSS: 0EB8 4D07 D4D5 0C28 63FE  AD87 520F 57BE 850B E4C4
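The visibility argument in the post above, worked through as an added example (this is illustrative code written for this archive page, not something the poster or the list provided). It assumes a hypothetical firewall allow-list on the third NIC, a constructed set of inbound packets using documentation address ranges, and a deliberately simple detection rule (a source touching many distinct destination ports) to show what a sensor in the dirty segment never gets to see.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


# Hypothetical filtering policy on the firewall's third NIC (the "dirty
# segment"): only these services reach the public servers, the rest is dropped.
DIRTY_SEGMENT_ALLOW: Set[Tuple[str, int]] = {("tcp", 25), ("tcp", 80), ("tcp", 443)}


def firewall_admits(pkt: Packet) -> bool:
    """Stateless allow-list check standing in for the firewall's filter rules."""
    return (pkt.proto, pkt.dport) in DIRTY_SEGMENT_ALLOW


def sensor_view(packets: Iterable[Packet], placement: str) -> List[Packet]:
    """Packets a collection unit observes at a given placement.

    'dmz'   -> between the firewall and the outside world: every inbound packet.
    'dirty' -> behind the third NIC: only what the firewall admitted.
    """
    pkts = list(packets)
    if placement == "dmz":
        return pkts
    if placement == "dirty":
        return [p for p in pkts if firewall_admits(p)]
    raise ValueError(f"unknown placement: {placement}")


def probed_ports_per_source(packets: Iterable[Packet]) -> Dict[str, Set[int]]:
    """Distinct destination ports each source address has touched."""
    seen: Dict[str, Set[int]] = defaultdict(set)
    for p in packets:
        seen[p.src].add(p.dport)
    return dict(seen)


def flag_port_sweeps(packets: Iterable[Packet], threshold: int = 5) -> List[str]:
    """Toy detection rule: a source touching >= threshold distinct ports is flagged."""
    per_src = probed_ports_per_source(packets)
    return sorted(src for src, ports in per_src.items() if len(ports) >= threshold)


# Constructed sample traffic (documentation address ranges, not real hosts).
PUBLIC_WEB = "192.0.2.10"
SAMPLE_TRAFFIC: List[Packet] = [
    # ordinary visitors using admitted services
    Packet("198.51.100.7", PUBLIC_WEB, "tcp", 80),
    Packet("198.51.100.7", PUBLIC_WEB, "tcp", 443),
    Packet("198.51.100.9", PUBLIC_WEB, "tcp", 25),
    # one source walking a list of ports; the firewall drops most of these
    *[Packet("203.0.113.50", PUBLIC_WEB, "tcp", port) for port in (21, 22, 23, 80, 443, 3389)],
]


def compare_placements(packets: Iterable[Packet], threshold: int = 5) -> Dict[str, Dict[str, object]]:
    """What each sensor placement sees, and which sources the toy rule would flag."""
    pkts = list(packets)
    report: Dict[str, Dict[str, object]] = {}
    for placement in ("dmz", "dirty"):
        view = sensor_view(pkts, placement)
        report[placement] = {
            "packets_seen": len(view),
            "blocked_seen": sum(1 for p in view if not firewall_admits(p)),
            "flagged_sources": flag_port_sweeps(view, threshold),
        }
    return report


if __name__ == "__main__":
    for placement, stats in compare_placements(SAMPLE_TRAFFIC).items():
        print(placement, stats)
```

With the constructed traffic, the DMZ sensor sees all nine packets, including the four the firewall drops, and the sweep rule fires on the probing source; the dirty-segment sensor sees only the five admitted packets, counts zero blocked attempts, and the same rule stays silent. The detection signal lives in exactly the traffic the filter removes, which is the point the post is making.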


