IDS mailing list archives

Re: IDS deployment outside FW?


From: Frank Knobbe <frank () knobbe us>
Date: Wed, 11 Aug 2004 11:38:21 -0500

On Tue, 2004-08-10 at 09:22, Mike Poor wrote:
> There is another side to this.  Your external IDS, imho,  should be
> focused on what is getting "OUT" your firewall.  This can tell you a
> number of things.  First, it can illustrate the deficiencies in your
> outbound firewall policies.  It can also tell you that you have
> internal hosts that are infected, and/or extracting data.
>
> So, I would focus your internal IDS on inbound traffic, and your
> external IDS on outbound traffic.

I wouldn't generalize like that. If your firewall is configured tightly,
you may not see those abnormal outbound connection attempts of infected
internal machines on your outside IDS. For example, if the firewall does
not allow port 1034 from the inside through, then your external IDS
won't be able to tell if/when you have a MyDoom outbreak.

The IDS on the internal leg of the firewall will provide you with more
information about unexpected outbound traffic than the outside IDS does.

But I agree, the outside IDS will provide important information about
the strength of the outbound firewall rule set, mainly how leaky your
firewall is.

So I dare to say that the best setup consists of one IDS on the internal
side of the firewall and one IDS on the external side, and *both* should
be configured/tuned to monitor and alert on inbound as well as outbound
traffic.

It's important to look both ways before crossing the 'Net.  :)

Cheers,
Frank
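The correlation Frank is describing, as an added example that is not part of the original thread and not code from either poster: two sensors, one on the internal leg and one on the external leg, both logging outbound flows. Flows that the inside sensor sees but the outside sensor does not are attempts the firewall dropped (only the inside IDS can tell you about that host); non-policy flows the outside sensor sees are firewall leaks. The flow format, the outbound policy, the sensor records and the port 1034 traffic (mirroring the MyDoom example in the mail) are all constructed for illustration, and the script assumes there is no NAT between the two sensors (or that the outside sensor logs the pre-NAT source address).

```python
"""Correlate outbound flows seen by an IDS inside the firewall with those
seen by an IDS outside it.

Added example; the log format, policy and every record below are constructed
and the script assumes no NAT between the two sensors.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "src sport dst dport proto")

# Constructed outbound policy: destination ports internal hosts may reach.
# Anything else is expected to be dropped by the firewall.
ALLOWED_OUTBOUND_PORTS = {53, 80, 443}

# Constructed sensor records, "src:sport -> dst:dport proto", one per line.
# 10.0.0.9 is a host trying port 1034 (the MyDoom example from the mail);
# 10.0.0.12 is a host reaching an IRC port the policy should have blocked.
INSIDE_FLOWS = """\
10.0.0.5:51000 -> 203.0.113.10:443 tcp
10.0.0.7:51001 -> 198.51.100.4:80 tcp
10.0.0.9:51002 -> 203.0.113.22:1034 tcp
10.0.0.9:51003 -> 203.0.113.23:1034 tcp
10.0.0.12:51004 -> 198.51.100.9:6667 tcp
"""

OUTSIDE_FLOWS = """\
10.0.0.5:51000 -> 203.0.113.10:443 tcp
10.0.0.7:51001 -> 198.51.100.4:80 tcp
10.0.0.12:51004 -> 198.51.100.9:6667 tcp
"""


def parse_flows(text):
    """Parse the constructed 'src:sport -> dst:dport proto' lines."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        left, right = line.split("->")
        src, sport = left.strip().rsplit(":", 1)
        dst_port, proto = right.split()
        dst, dport = dst_port.rsplit(":", 1)
        flows.append(Flow(src, int(sport), dst, int(dport), proto))
    return flows


def unexpected_outbound(flows, allowed_ports):
    """Flows whose destination port is not permitted by the outbound policy."""
    return [f for f in flows if f.dport not in allowed_ports]


def correlate(inside_flows, outside_flows, allowed_ports):
    """Split policy violations into 'dropped by the firewall' (inside-only)
    and 'leaked through the firewall' (seen outside)."""
    inside_bad = unexpected_outbound(inside_flows, allowed_ports)
    outside_bad = unexpected_outbound(outside_flows, allowed_ports)
    # Match on the 4-tuple the sensors share; sport can vary per attempt.
    outside_keys = {(f.src, f.dst, f.dport, f.proto) for f in outside_flows}
    blocked = [f for f in inside_bad
               if (f.src, f.dst, f.dport, f.proto) not in outside_keys]
    return {
        # Hosts worth a look regardless of what the firewall did with them.
        "suspect_hosts": sorted({f.src for f in inside_bad}),
        # Attempts the firewall stopped: only the inside IDS ever saw these.
        "blocked_by_firewall": blocked,
        # Attempts the firewall let out: how leaky the rule set is.
        "firewall_leaks": outside_bad,
        # Hosts that would be completely invisible to an outside-only IDS.
        "invisible_outside": sorted({f.src for f in blocked}
                                    - {f.src for f in outside_bad}),
    }


if __name__ == "__main__":
    report = correlate(parse_flows(INSIDE_FLOWS), parse_flows(OUTSIDE_FLOWS),
                       ALLOWED_OUTBOUND_PORTS)
    for key, value in report.items():
        print(key)
        for item in (value if isinstance(value, list) else [value]):
            print("   ", item)
```

With the constructed records, the inside sensor alone is what flags 10.0.0.9: its port 1034 attempts never appear on the outside sensor because the firewall dropped them. The outside sensor alone is what proves the 6667 rule is missing, since that flow made it through. Neither sensor is sufficient by itself, which is the point of putting one on each leg and watching both directions on both.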
