Security Basics mailing list archives

RE: IDS question [was: Re: Firewall and DMZ topology]


From: John Brightwell <brightwell_151 () yahoo co uk>
Date: Mon, 16 Jun 2003 16:34:56 +0100 (BST)

I wasn't completely clear in my last e-mail.  I was thinking more along the lines of having the IDS in the DMZ.  Any attacks that get past the outside firewall to the DMZ hosts would be caught by the IDS in the DMZ.  The attacks that don't make it past the external firewall into the DMZ would be much less of a concern.  Kind of a "let them knock on the door, but only deal with the ones who try to forcefully enter" line of thinking.  Configuring the external IDS to monitor outgoing traffic would let you monitor your own hosts for unusual behavior.

I agree that the most important place to locate an IDS
is inside the firewall; however, there can be an
advantage in letting an IDS see the traffic before
filtering by the firewall - it can be easier for the
IDS to recognise attack signatures, and you get advance
warning of a concerted attack.
You have the information in your firewall logs, I
guess, but I prefer to let an IDS see the whole lot.

Previously I have installed an IDS (snort) outside the
firewall which sat there analyzing the attack
signatures and which I tried to look at as often as
possible (it would send alerts, but I didn't have it
set to paranoid mode) - but I had a different IDS
(commercial) which monitored the filtered traffic and
which was set to alert (send SMS and email with
paranoid mode engaged) if it suspected an intrusion.

It's definitely worth monitoring the outbound traffic
as that may indicate whether you have trojan software
(or a worm) lurking.

Other implementations use a single IDS but with
multiple interfaces, including the external and internal
firewall interfaces (or multiple network taps feeding
into a hub which is monitored by the IDS).


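The two-sensor layout John describes (a Snort box outside the firewall that only logs, a second sensor on the filtered side that pages, plus a watch on outbound traffic from the DMZ hosts) can be modelled in a few dozen lines. The following is an added example written for this archive page, not code from the original post or from Snort: it runs a set of constructed flow records through a stateless model of the external firewall, lets an "external" sensor see everything and a "dmz" sensor see only what the firewall permits, and assigns priorities the way the thread suggests. The subnets (192.0.2.0/24 as the DMZ), the firewall rule base, the expected-outbound-port list, the signature names and the sample flows are all assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Assumed topology for this example: the DMZ is 192.0.2.0/24 (TEST-NET-1).
DMZ = ip_network("192.0.2.0/24")

# Assumed external-firewall policy for traffic entering the DMZ.
INBOUND_ALLOWED = {
    ("192.0.2.10", 80),   # public web server
    ("192.0.2.10", 443),
    ("192.0.2.25", 25),   # mail relay
}
# The firewall is assumed to let DMZ hosts initiate any outbound connection;
# these are the only outbound ports their roles actually require.
OUTBOUND_EXPECTED_PORTS = {25, 53}


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    signature: Optional[str] = None   # attack signature matched on payload, if any


@dataclass(frozen=True)
class Alert:
    priority: str   # "HIGH" pages someone ("paranoid mode"); "LOW" waits in the log
    sensor: str     # which sensor raised it
    reason: str
    flow: Flow


def in_dmz(addr: str) -> bool:
    return ip_address(addr) in DMZ


def firewall_permits(f: Flow) -> bool:
    """Stateless model of the external firewall's rule base."""
    inbound = in_dmz(f.dst) and not in_dmz(f.src)
    outbound = in_dmz(f.src) and not in_dmz(f.dst)
    if inbound:
        return (f.dst, f.dport) in INBOUND_ALLOWED
    return outbound   # outbound from the DMZ is allowed unconditionally (assumption)


def external_sensor(flows: List[Flow]) -> List[Alert]:
    """Sensor outside the firewall: sees every packet, filtered or not.

    It only reports hits the firewall dropped; hits that get through are the
    inside sensor's job, so nothing is alerted twice."""
    return [Alert("LOW", "external", f"blocked at firewall: {f.signature}", f)
            for f in flows if f.signature and not firewall_permits(f)]


def dmz_sensor(flows: List[Flow]) -> List[Alert]:
    """Sensor on the DMZ segment: sees only what the firewall let through."""
    alerts = []
    for f in flows:
        if not firewall_permits(f):
            continue   # never reaches this segment
        if f.signature:
            alerts.append(Alert("HIGH", "dmz", f"attack reached DMZ host: {f.signature}", f))
        elif in_dmz(f.src) and not in_dmz(f.dst) and f.dport not in OUTBOUND_EXPECTED_PORTS:
            # A DMZ host reaching out on a port its role never needs is the
            # "trojan or worm lurking" case the thread mentions.
            alerts.append(Alert("HIGH", "dmz", f"unexpected outbound connection to port {f.dport}", f))
    return alerts


def triage(flows: List[Flow]) -> List[Alert]:
    return external_sensor(flows) + dmz_sensor(flows)


def concerted_sources(alerts: List[Alert], threshold: int = 3) -> Dict[str, int]:
    """Sources whose blocked probes pile up on the outside sensor: the
    'advance warning of a concerted attack' the firewall logs alone hide."""
    counts = Counter(a.flow.src for a in alerts if a.sensor == "external")
    return {src: n for src, n in counts.items() if n >= threshold}


# Constructed sample traffic (not captured data).
SAMPLE_FLOWS = [
    Flow("203.0.113.5", 40000, "192.0.2.10", 80),                          # ordinary web hit
    Flow("203.0.113.5", 40001, "192.0.2.10", 80, "cmd.exe in HTTP URI"),   # gets through -> HIGH
    Flow("198.51.100.7", 50000, "192.0.2.10", 139, "SMB probe"),           # dropped -> LOW
    Flow("198.51.100.7", 50001, "192.0.2.10", 445, "SMB probe"),           # dropped -> LOW
    Flow("198.51.100.7", 50002, "192.0.2.25", 1434, "SQL worm payload"),   # dropped -> LOW
    Flow("192.0.2.10", 33000, "203.0.113.9", 6667),                        # web server -> IRC: HIGH
    Flow("192.0.2.25", 33001, "203.0.113.53", 25),                         # relay sending mail: fine
]

if __name__ == "__main__":
    alerts = triage(SAMPLE_FLOWS)
    for a in alerts:
        print(f"[{a.priority}] {a.sensor:8} {a.flow.src} -> {a.flow.dst}:{a.flow.dport}  {a.reason}")
    print("concerted sources:", concerted_sources(alerts))
```

Running it gives three LOW alerts from the external sensor (all from 198.51.100.7, which the threshold then reports as a concerted source) and two HIGH alerts from the DMZ sensor: the signature that the firewall legitimately passed to the web server, and the web server's own outbound IRC connection, which no inbound-only rule base would ever have seen.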
