Snort mailing list archives
RE: IDS Placement ideas for inside and outside a firewall.
From: "Brian Laing" <Brian.Laing () Blade-Software com>
Date: Thu, 3 Apr 2003 14:57:50 -0800
It can help, but I would not rely on it for prosecution; the fact is the data is too easy to spoof and is not collected in a forensically sound manner, either at the sensor or the management console. By forensically sound I mean certified to be free from tampering. Not that this data won't help your case, but it's better to rely on it to see where and into what else the attacker may have gotten into.

-------------------------------------------------------------------
Brian Laing
CTO
Blade Software
Cellphone: +1 650.280.2389
Telephone: +1 650 367.9376
eFax: +1 208.575.1374
Blade Software - Because Real Attacks Hurt
http://www.Blade-Software.com
-------------------------------------------------------------------

-----Original Message-----
From: Brei, Matt [mailto:mbrei () medclaiminc com]
Sent: Thursday, April 03, 2003 2:18 PM
To: brian.laing () blade-software com; David Glosser; FWAdmin; snort-users () lists sourceforge net
Subject: RE: [Snort-users] IDS Placement ideas for inside and outside a firewall.

That's exactly why I would want one outside of the firewall. If I were to find a successful break-in, I could then review logs from the external IDS and find that the same IP had done several scans or whatever that were eventually blocked by the firewall and not picked up by the internal IDS. I would think that this would help build a better case if any type of legal action were to be taken.

Matt

-----Original Message-----
From: Brian Laing [mailto:Brian.Laing () Blade-Software com]
Sent: Thursday, April 03, 2003 11:28 AM
To: 'David Glosser'; Brei, Matt; 'FWAdmin'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] IDS Placement ideas for inside and outside a firewall.

I would agree with this sort of implementation; in many of the installs I have done I will set up the external sensors to do nothing but logging and ignore the data till I see something worth looking at on one of the internal servers.

I use this data to see what else that IP has been doing or what other things have been attempted against a specific host.

-------------------------------------------------------------------
Brian Laing
CTO
Blade Software
Cellphone: +1 650.280.2389
Telephone: +1 650 367.9376
eFax: +1 208.575.1374
Blade Software - Because Real Attacks Hurt
http://www.Blade-Software.com
-------------------------------------------------------------------

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of David Glosser
Sent: Wednesday, April 02, 2003 11:10 PM
To: Brei, Matt; FWAdmin; snort-users () lists sourceforge net
Subject: Re: [Snort-users] IDS Placement ideas for inside and outside a firewall.

If you've never set up any IDS before, I'm not sure you would want to place it outside your firewall immediately. You'll get overwhelmed with probes, scans, script kiddies, etc.

First place the box (with the "snorting" NIC unnumbered) on the port monitoring the *internal* interface of your firewall. Let it work on all of the stuff your firewall lets through.

Once you have that under control, then place another box (or another NIC on the same box) to monitor your internal servers (since break-ins can come from internal users).

Once you have these two under control, then you can worry about monitoring stuff outside the firewall, which I believe is called *attack detection*. But do you care that much about the stuff your firewall is successfully blocking?

--snip-

I am trying to convince my company to implement IDS on our network but I have a few questions. I know I would want one on both sides of the firewall,