Firewall Wizards mailing list archives
Re: IDS outside of firewall?
From: "Stephen P. Berry" <spb () meshuga incyte com>
Date: Mon, 03 Aug 1998 18:29:06 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Rik Farrow <rik () spirit com> wrote:
If one has the time to watch the outside of the firewall looking for new and exotic attacks or scans, I suppose having a listening post on the Internet side of a firewall makes sense. But for most organizations, this sounds like a waste of money. The only thing an IDS system will do there is appear very exciting, because it will detect lots of probes every day.
I occasionally find it soothing to scan through logs full of script kiddies thwapping their cookbooks against a firewall. It's a bit like listening to a thunderstorm while in bed at night. But that's just me. More pragmatically:

- You can reimplement any inbound traffic filters you have on your firewall such that any traffic which causes an alert on the firewall should also cause an alert on the sensor. If you get one or the other but not both, something's amiss---sort of the complement to the canonical internal IDS burglar alarm.

- If you have anything out in your DMZ which isn't behind a firewall, an external IDS sensor can be a(nother) good way to keep tabs on who's talking to it.

- Schlep the data into a database for trend analysis. Commit statistics.

- Hold onto the data for [malleable time period]. If you discover via some non-buzzword-compliant means that a machine was compromised, a record of the traffic between the compromised box and the Outside World---including anything before or after the compromise which was blocked at the firewall---might prove useful.

- Bigger nets catch more butterflies. If you keep a list of addresses which have caused you headaches (or which have made a concerted effort to cause you headaches), external IDS sensors are a good way to keep your list populated.

Also, I generally find that the resources that need to be devoted to an external IDS sensor are, mod logistical difficulties, considerably smaller than those associated with internal IDS sensors. The most obvious reason for this is bandwidth---most internal sensors I use simply see a hell of a lot more packets than sensors I have sitting out in the DMZ or beyond. And, depending on what the segmentation of your internal network looks like and whether or not you're worried about internal traffic, evaluating what is and is not worth further investigation can be much more difficult when looking at internal traffic than it is with external traffic.

Stephen P. Berry

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNcZjxCrw2ePTkM9BAQEhdwQA0eokG8Z7wcEhiwGeSRY8ssGoV6n/IFKf
78MzrmKyPXisHnz8FigNu/9MxBlEkWM9ONK11k2slEn8vo8FEUL4iODJbD96czBh
nQTYrUIobgHsJAxZuuOWrGeRItCl2XvlQBv6BE9aFwzLqlq5WljbFXJNdQxeW859
Pd/EpzhN9wk=
=TiQ0
-----END PGP SIGNATURE-----
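The cross-check Berry describes (firewall deny and external sensor alert should fire together, and a one-sided hit means something is amiss) and the "headache list" of persistent probers can both be demonstrated with a small log-correlation script. This is an added example, not code from the post or from any firewall or IDS product; the two log formats, the 5-second match window, the probe threshold and the addresses (RFC 5737 documentation ranges) are all constructed assumptions for illustration.

```python
"""Correlate firewall deny records with an external IDS sensor's alerts.

A firewall deny with no matching sensor alert suggests a sensor gap (down,
overloaded, or missing a rule); a sensor alert with no matching deny suggests
the firewall let it through or did not log it.  Both are worth a look.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (assumed syslog-like formats, not a real product's).
FIREWALL_LOG = """\
1998-08-03T18:01:05 fw deny tcp 203.0.113.7:40123 -> 192.0.2.10:23
1998-08-03T18:01:06 fw deny tcp 203.0.113.7:40124 -> 192.0.2.10:21
1998-08-03T18:02:40 fw deny tcp 198.51.100.9:5555 -> 192.0.2.11:111
1998-08-03T18:05:12 fw deny udp 203.0.113.7:1029 -> 192.0.2.10:161
"""

SENSOR_LOG = """\
1998-08-03T18:01:05 ids alert telnet-probe 203.0.113.7 -> 192.0.2.10:23
1998-08-03T18:01:07 ids alert ftp-probe 203.0.113.7 -> 192.0.2.10:21
1998-08-03T18:05:13 ids alert snmp-probe 203.0.113.7 -> 192.0.2.10:161
1998-08-03T18:07:00 ids alert finger-probe 192.0.2.99 -> 192.0.2.12:79
"""

FW_RE = re.compile(r"^(\S+) fw deny (\w+) (\S+):\d+ -> (\S+):(\d+)$")
IDS_RE = re.compile(r"^(\S+) ids alert (\S+) (\S+) -> (\S+):(\d+)$")


def parse_firewall(text):
    """Firewall deny lines -> dicts keyed on source IP, destination and port."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:  # skip anything that is not a deny record
            ts, proto, src, dst, dport = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "proto": proto,
                           "src": src, "dst": dst, "dport": int(dport)})
    return events


def parse_sensor(text):
    """Sensor alert lines -> dicts with the same src/dst/dport key fields."""
    events = []
    for line in text.splitlines():
        m = IDS_RE.match(line)
        if m:
            ts, sig, src, dst, dport = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "sig": sig,
                           "src": src, "dst": dst, "dport": int(dport)})
    return events


def _key(e):
    return (e["src"], e["dst"], e["dport"])


def correlate(fw_events, ids_events, window=timedelta(seconds=5)):
    """Pair each sensor alert with one firewall deny on the same flow key
    within `window`.  Returns (matched pairs, firewall-only, sensor-only)."""
    pending = defaultdict(list)
    for e in fw_events:
        pending[_key(e)].append(e)
    matched, ids_only = [], []
    for a in ids_events:
        cands = pending.get(_key(a), [])
        hit = next((e for e in cands if abs(e["ts"] - a["ts"]) <= window), None)
        if hit is None:
            ids_only.append(a)
        else:
            cands.remove(hit)  # consume so one deny cannot match two alerts
            matched.append((hit, a))
    fw_only = [e for lst in pending.values() for e in lst]
    return matched, fw_only, ids_only


def headache_list(fw_events, ids_events, threshold=3):
    """Sources seen probing at least `threshold` distinct (dst, port) targets,
    counted across both the firewall's and the sensor's view."""
    targets = defaultdict(set)
    for e in fw_events + ids_events:
        targets[e["src"]].add((e["dst"], e["dport"]))
    return sorted(src for src, t in targets.items() if len(t) >= threshold)


if __name__ == "__main__":
    fw, ids = parse_firewall(FIREWALL_LOG), parse_sensor(SENSOR_LOG)
    matched, fw_only, ids_only = correlate(fw, ids)
    print(f"{len(matched)} flows seen by both")
    for e in fw_only:
        print("firewall only (sensor blind?):", _key(e), e["ts"])
    for a in ids_only:
        print("sensor only (passed the firewall?):", a["sig"], _key(a), a["ts"])
    print("headache list:", headache_list(fw, ids))
```

With the constructed input, three probes from 203.0.113.7 are seen by both sides, the portmapper probe from 198.51.100.9 appears only in the firewall log, and the finger probe to 192.0.2.12 appears only on the sensor; 203.0.113.7 crosses the three-target threshold and lands on the list. The match window and threshold are knobs to tune against your own clock skew and traffic, not recommendations.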
Current thread:
- IDS outside of firewall? Rik Farrow (Aug 02)
- Re: IDS outside of firewall? Jennifer Galvin (Aug 03)
- Re: IDS outside of firewall? Craig H. Rowland (Aug 03)
- Re: IDS outside of firewall? Joseph S. D. Yao (Aug 03)
- Re: IDS outside of firewall? Jeff Sedayao (Aug 05)
- Message not available
- Re: IDS outside of firewall? Marcus J. Ranum (Aug 03)
- Re: IDS outside of firewall? Jennifer Galvin (Aug 03)
- Re: IDS outside of firewall? Woody Weaver (Aug 03)
- Re: IDS outside of firewall? Henry Hertz Hobbit (Aug 04)
- Re: IDS outside of firewall? Woody Weaver (Aug 05)
- Re: IDS outside of firewall? Henry Hertz Hobbit (Aug 04)
- Re: IDS outside of firewall? Stephen P. Berry (Aug 03)
- <Possible follow-ups>
- Re: IDS outside of firewall? Ryan Russell (Aug 03)
- Re: IDS outside of firewall? Jennifer Galvin (Aug 03)
- Re: IDS outside of firewall? Ryan Russell (Aug 03)
- Re: IDS outside of firewall? Marcus J. Ranum (Aug 03)
- Re: IDS outside of firewall? Jeff Maddox (Aug 04)
- Re: IDS outside of firewall? Marcus J. Ranum (Aug 03)
- Re: IDS outside of firewall? Paul Howell (Aug 04)
- Re: IDS outside of firewall? ark (Aug 05)
- Re: IDS outside of firewall? Joseph S. D. Yao (Aug 06)