Security Basics mailing list archives
RE: IDS question [was: Re: Firewall and DMZ topology]
From: "Mann, Bobby" <bmann () forzani com>
Date: Thu, 12 Jun 2003 12:03:34 -0600
External IDS can be inline or passive, sitting on a SPAN port. For any ISP or hosting facility, bandwidth, routers and servers are a big issue. IDS is very important if you have a 99.999% SLA with your clients; you don't want to take any chances with any sort of downtime. So in my opinion I think it's important to monitor critical segments in any network, especially external (who's knocking on your door) methodology. But that depends on your needs and requirements.

For small businesses IDS may be too much (cost vs. benefit); plus PIX and Cisco routers have built-in IDS (IP audit rules) to watch 50 critical signatures. But a company with no SLA and uptime requirements of 99.9% or more may not need IDS. Can the company be down for a few hours out of the year in case of an attack? Another thing: if you get bandwidth from a major ISP you can ask them to rate limit (CAR) ICMP and UDP traffic and have them black hole other traffic when necessary.

Medium size businesses should think about it and conduct an impact analysis. Enterprise companies should have IDS outside/inside. Too much liability to the shareholders if something goes south. Need to be proactive no matter what company you work at. However, in an enterprise company it's important to show anything you can on paper to the shareholders and the executive team.

Plus, with inline IDS you can program your own signatures and block them from coming in. Remember Code-Red and others? Well, it can be blocked at the gateway using NBAR or inline IDS. Big performance impact, but you're still within the SLA. Since the virus changes faces you must be able to pick it up.

At the end of the day I am right down the center with IDS. But IDS is no good to admins that don't have policies, procedures and the ability to react, or just don't give a damn. Companies need to have the ability to react within 5 minutes to an attack. The IDS needs to be on every critical network segment at the least.
Anyways, that's just my opinion, and I have done a lot of security work and high availability designs.

-----Original Message-----
From: Steve Bremer
To: security-basics () securityfocus com
Sent: 6/12/03 5:56 AM
Subject: IDS question [was: Re: Firewall and DMZ topology]
tri-homed firewall, more so if you have IDS sensors at exterior, dmz, and interior, and the time to monitor them.
Changing subjects a little bit here. I agree with your IDS comment, but I'm curious about how your external IDS is used. I've run into differing opinions on this (as I do with most things security related ;-), but I don't think that I would want the external IDS monitoring incoming traffic. Why? Because it would be going off all the time. As many times as we're probed during the day, the IDS sensor would be in a constant state of sending alerts. Yes, you could adjust the rules to reduce this, but then what is the point of having the IDS sensor there?

However, I believe the external IDS sensor should be there to monitor traffic leaving your external firewall so you can see if one of your internal or DMZ hosts has been compromised. What do you think?

Steve Bremer
NEBCO, Inc.
System & Security Administrator
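As an added example (not part of the thread), here are the two gateway controls Bobby Mann mentions above, CAR rate limiting of ICMP/UDP and NBAR classification of Code Red style HTTP requests, written as a Cisco IOS border-router configuration; the interface names, the rate values and the URL patterns are assumptions, so size them to your own circuit and server farm.

```cisco
! Added example, not from the thread. Interface names, rate values and the
! URL patterns are assumed; adjust them for your own link and hosts.
ip cef
!
! 1. CAR: cap inbound ICMP and UDP so a flood cannot saturate the upstream
!    link. Rates (bps, normal burst, extended burst) are constructed values.
access-list 102 permit icmp any any
access-list 103 permit udp any any
!
interface Serial0/0
 description Upstream link to ISP (assumed)
 rate-limit input access-group 102 256000 8000 8000 conform-action transmit exceed-action drop
 rate-limit input access-group 103 1000000 64000 64000 conform-action transmit exceed-action drop
 ! NBAR classification is applied on the Internet-facing side (step 2)
 service-policy input mark-http-worm-probes
!
! 2. NBAR: classify HTTP requests whose URL matches the Code Red / Nimda
!    probe patterns, mark them with DSCP 1, then drop the marked packets
!    with an ACL on the interface toward the web servers.
class-map match-any http-worm-probes
 match protocol http url "*default.ida*"
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"
!
policy-map mark-http-worm-probes
 class http-worm-probes
  set ip dscp 1
!
access-list 105 deny   ip any any dscp 1
access-list 105 permit ip any any
!
interface FastEthernet0/1
 description Toward DMZ web servers (assumed)
 ip access-group 105 out
!
! Verification (CLI show commands):
!   show interfaces Serial0/0 rate-limit   -> conformed/exceeded packet counts per CAR rule
!   show policy-map interface Serial0/0    -> match counters for the http-worm-probes class
!   show access-lists 105                  -> hit count on the dscp 1 deny line
! Caveat, as Bobby notes: NBAR inspects payload in the forwarding path,
! so watch router CPU after enabling it on a busy link.
```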