Firewall Wizards mailing list archives

Re: How should an Internet connection/firewall be designed?


From: Carson Gaspar <carson () taltos org>
Date: Sat, 20 Jan 2007 11:10:33 -0800

Dave Piscitello wrote:
> Kaas, David D wrote:
>
>> How many companies have an IPS/deep-packet-inspection device between the
>> firewall and the border router?
>
> I honestly don't see a lot of this and unless there's a specific DOS
> prevention issue, I don't see a lot of point in policing traffic that I
> expect my firewall to block.

Back when I still did security for a living, I was a supporter of having 
an IDS device between your border router and your external firewall. 
However it was not for the reasons most folks might think. I wanted the 
external IDS in logging-only (no alarms) mode, purely for forensic and 
legal purposes. When we saw something funky on our internal/DMZ nets, we 
could look at the external logs to see if it was part of an attack pattern.

Of course there is a cost/benefit analysis that has to be done to 
determine if the data mining is worth the cost of the device.

I agree that anyone who has alarms enabled from an outside-the-firewall 
IDS probably ought to go see a professional about their paranoia issues...

-- 
Carson
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards