Snort mailing list archives

Re: IDS Placement ideas for inside and outside a firewall.


From: "David Glosser" <david_glosser () yahoo com>
Date: Thu, 3 Apr 2003 23:38:18 -0500

What if a host was compromised and your snort didn't pick it up (say b/c snort was down, a RAS server was used, 
or a malicious end-user). Then that server probes and compromises other servers...  The sensor would never pick it up, 
since it is only monitoring the firewall....

----- Original Message ----- 
  From: Ponte, Paul F 
  To: 'snort-users () lists sourceforge net' 
  Sent: Thursday, April 03, 2003 10:03 PM
  Subject: RE: [Snort-users] IDS Placement ideas for inside and outside a firewall.


  Hi all -
    I'd like to ask your opinions on one part of this question.  When we talk about a sensor on the inside of the 
firewall, I assume that means it can see all traffic on the internal subnet.  But what do you give up if you monitor 
just traffic passing on a VLAN between the firewall and the router sitting between it and the rest of the network?  Is 
this a valid installation?  What's the danger in not monitoring all of the normal host to host traffic on your network 
which doesn't need to cross the firewall?  I'm considering this kind of deployment, so thanks for your opinions on this.

  Paul
    -----Original Message-----
    From: Brian Laing [mailto:Brian.Laing () Blade-Software com] 
    Sent: Thursday, April 03, 2003 5:58 PM
    To: 'Brei, Matt'; 'David Glosser'; 'FWAdmin'; snort-users () lists sourceforge net
    Subject: RE: [Snort-users] IDS Placement ideas for inside and outside a firewall.


    It can help, but I would not rely on it for prosecution; the fact is the data is too easy to spoof and is not 
collected in a forensically sound manner either at the sensor or the management console.  By forensically sound I mean 
certified to be free from tampering.  Not that this data won't help your case, but it's better to rely on it to see where 
and into what else the attacker may have gotten.

     

    -------------------------------------------------------------------
    Brian Laing
    CTO
    Blade Software
    Cellphone: +1 650.280.2389
    Telephone: +1 650 367.9376
    eFax: +1 208.575.1374
    Blade Software - Because Real Attacks Hurt
    http://www.Blade-Software.com
    -------------------------------------------------------------------

    -----Original Message-----
    From: Brei, Matt [mailto:mbrei () medclaiminc com] 
    Sent: Thursday, April 03, 2003 2:18 PM
    To: brian.laing () blade-software com; David Glosser; FWAdmin; snort-users () lists sourceforge net
    Subject: RE: [Snort-users] IDS Placement ideas for inside and outside a firewall.

     

    That's exactly why I would want one outside of the firewall.  If I were to find a successful break in, I could then 
review logs from the external IDS and find that the same IP had done several scans or whatever that were eventually 
blocked by the firewall and not picked up by the internal IDS.  I would think that this would help build a better case 
if any type of legal action were to be taken. 

     

    Matt

     

    -----Original Message-----
    From: Brian Laing [mailto:Brian.Laing () Blade-Software com] 
    Sent: Thursday, April 03, 2003 11:28 AM
    To: 'David Glosser'; Brei, Matt; 'FWAdmin'; snort-users () lists sourceforge net
    Subject: RE: [Snort-users] IDS Placement ideas for inside and outside a firewall.

     

    I would agree with this sort of implementation.  In many of the installs I have done I will set up the external 
sensors to do nothing but logging and ignore the data till I see something worth looking at on one of the internal 
servers.  I use this data to see what else that IP has been doing or what other things have been attempted against a 
specific host.

     

    -------------------------------------------------------------------
    Brian Laing
    CTO
    Blade Software
    Cellphone: +1 650.280.2389
    Telephone: +1 650 367.9376
    eFax: +1 208.575.1374
    Blade Software - Because Real Attacks Hurt
    http://www.Blade-Software.com
    -------------------------------------------------------------------

    -----Original Message-----
    From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of 
David Glosser
    Sent: Wednesday, April 02, 2003 11:10 PM
    To: Brei, Matt; FWAdmin; snort-users () lists sourceforge net
    Subject: Re: [Snort-users] IDS Placement ideas for inside and outside a firewall.

     

    If you've never set up any IDS before, I'm not sure you would want to place it outside your firewall immediately. 
You'll get overwhelmed with probes, scans, script kiddies etc. 

    First place the box (with the "snorting" NIC unnumbered) on the port monitoring the *internal* interface of your 
firewall. Let it work on all of the stuff your firewall lets through. Once you have that under control, then place 
another box (or another NIC on the same box) to monitor your internal servers (since break-ins can come from internal 
users). 

    Once you have these two under control, then you can worry about monitoring stuff outside the firewall, which I believe 
is called *attack detection*. But do you care that much about the stuff your firewall is successfully blocking?

     

    --snip-

       I am trying to convince my company to implement IDS on our network but I have a few questions. I know I would 
want one on both sides of the firewall, 




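The workflow Brian and Matt describe above (keep the external sensor logging quietly, then pivot on a source IP once an internal sensor fires) as a small correlation script. This is an added example, not code from the thread or from Snort; the alert lines are constructed samples in Snort's alert_fast layout, and the IPs and signature IDs are illustrative only.

```python
import re
from collections import defaultdict

# Constructed alert_fast-style lines standing in for two sensors' logs.
# Dates are MM/DD with no year, as in alert_fast, so plain string order works
# only within a single year (assumed here).
EXTERNAL_ALERTS = """\
04/02-22:41:07.118245  [**] [1:1000001:1] CONSTRUCTED portscan [**] [Priority: 3] {TCP} 203.0.113.7:40112 -> 198.51.100.10:22
04/02-22:41:09.003110  [**] [1:1000001:1] CONSTRUCTED portscan [**] [Priority: 3] {TCP} 203.0.113.7:40113 -> 198.51.100.10:445
04/02-23:05:44.771903  [**] [1:1000002:1] CONSTRUCTED web probe [**] [Priority: 2] {TCP} 203.0.113.7:40990 -> 198.51.100.11:80
04/03-01:12:30.551000  [**] [1:1000003:1] CONSTRUCTED ssh brute [**] [Priority: 2] {TCP} 192.0.2.44:51234 -> 198.51.100.10:22
"""
INTERNAL_ALERTS = """\
04/03-09:17:02.220431  [**] [1:1000004:1] CONSTRUCTED shell session [**] [Priority: 1] {TCP} 203.0.113.7:41001 -> 198.51.100.11:80
"""

# Timestamp, [gid:sid:rev], message, protocol, src:sport -> dst:dport.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<sid>[^\]]+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_alerts(text):
    """Parse alert_fast lines into dicts; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            out.append(m.groupdict())
    return out

def pivot_on_internal_alerts(internal_text, external_text):
    """For every source IP that raised an internal alert, return the earlier
    external-sensor alerts from that same IP: the probing the firewall blocked
    and the internal sensor therefore never saw."""
    external_by_src = defaultdict(list)
    for a in parse_alerts(external_text):
        external_by_src[a["src"]].append(a)
    report = {}
    for a in parse_alerts(internal_text):
        prior = [e for e in external_by_src.get(a["src"], []) if e["ts"] < a["ts"]]
        report[a["src"]] = sorted(prior, key=lambda e: e["ts"])
    return report

if __name__ == "__main__":
    for src, history in pivot_on_internal_alerts(INTERNAL_ALERTS, EXTERNAL_ALERTS).items():
        print(src)
        for e in history:
            print("  %s %s -> %s:%s" % (e["ts"], e["msg"], e["dst"], e["dport"]))
```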


