Firewall Wizards mailing list archives

Re: IDS outside of firewall?


From: "Stephen P. Berry" <spb () meshuga incyte com>
Date: Mon, 03 Aug 1998 18:29:06 -0700

-----BEGIN PGP SIGNED MESSAGE-----


Rik Farrow <rik () spirit com> wrote:

> If one has the time to watch the outside of the firewall looking for
> new and exotic attacks or scans, I suppose having a listening post
> on the Internet side of a firewall makes sense.  But for most
> organizations, this sounds like a waste of money.  The only thing
> an IDS system will do there is appear very exciting, because it
> will detect lots of probes every day.

I occasionally find it soothing to scan through logs full of script
kiddies thwapping their cookbooks against a firewall.  It's a bit
like listening to a thunderstorm while in bed at night.  But that's
just me.

More pragmatically:

   -You can reimplement any inbound traffic filters you have on
    your firewall such that any traffic which causes an alert on
    the firewall should also cause an alert on the sensor.
    If you get one or the other but not both, something's amiss---sort
    of the complement to the canonical internal IDS burglar alarm.
   -If you have anything out in your DMZ which isn't behind a
    firewall, an external IDS sensor can be a(nother) good way to keep tabs
    on who's talking to it.
   -Schlep the data into a database for trend analysis.  Commit statistics.
   -Hold onto the data for [malleable time period].  If you discover
    via some non-buzzword-compliant means that a machine was compromised,
    a record of the traffic between the compromised box and the Outside
    World---including anything before or after the compromise which
    was blocked at the firewall---might prove useful.
   -Bigger nets catch more butterflies.  If you keep a list of
    addresses which have caused you headaches (or which have made
    a concerted effort to cause you headaches), external IDS sensors
    are a good way to keep your list populated.


Also, I generally find that the resources that need to be devoted to an
external IDS sensor are, mod logistical difficulties, considerably
smaller than those associated with internal IDS sensors.  The most
obvious reason for this is bandwidth---most internal sensors I use
simply see a hell of a lot more packets than sensors I have sitting
out in the DMZ or beyond.  And, depending on what the segmentation
of your internal network looks like and whether or not you're worried
about internal traffic, evaluating what is and is not worth further
investigation can be much more difficult when looking at internal
traffic than it is with external traffic.

Stephen P. Berry


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNcZjxCrw2ePTkM9BAQEhdwQA0eokG8Z7wcEhiwGeSRY8ssGoV6n/IFKf
78MzrmKyPXisHnz8FigNu/9MxBlEkWM9ONK11k2slEn8vo8FEUL4iODJbD96czBh
nQTYrUIobgHsJAxZuuOWrGeRItCl2XvlQBv6BE9aFwzLqlq5WljbFXJNdQxeW859
Pd/EpzhN9wk=
=TiQ0
-----END PGP SIGNATURE-----
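The first bullet in the post describes a cross-check: an external sensor that re-implements the firewall's inbound filters should alert on every connection the firewall drops, so an event that shows up on only one side is the interesting one. The script below is an added illustration of that correlation, not code from the post or from any product; the two log formats, the sample addresses and the five-second skew window are all constructed for the example. It also tallies repeat sources from the sensor alerts, which is the "list of addresses which have caused you headaches" from the last bullet.

```python
"""Correlate firewall deny-log lines with an external IDS sensor's alerts.

Added example. The sensor sits outside the firewall and re-implements the
firewall's inbound filters, so every inbound packet the firewall drops should
also produce a sensor alert. Anything seen on only one side is reported.
Both log formats below are constructed for this example (assumption), not
the output of any real firewall or sensor.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample data: firewall drop log, one line per blocked packet.
FIREWALL_LOG = """\
1998-08-03T18:01:02 DENY tcp 203.0.113.9:41002 -> 198.51.100.5:23
1998-08-03T18:01:05 DENY tcp 203.0.113.9:41003 -> 198.51.100.5:25
1998-08-03T18:02:10 DENY udp 192.0.2.77:5000 -> 198.51.100.5:111
1998-08-03T18:03:00 DENY tcp 203.0.113.9:41004 -> 198.51.100.5:143
"""

# Constructed sample data: external sensor alerts for the same window.
SENSOR_LOG = """\
1998-08-03T18:01:03 ALERT tcp 203.0.113.9:41002 -> 198.51.100.5:23
1998-08-03T18:01:05 ALERT tcp 203.0.113.9:41003 -> 198.51.100.5:25
1998-08-03T18:02:41 ALERT tcp 192.0.2.77:40011 -> 198.51.100.5:23
1998-08-03T18:03:01 ALERT tcp 203.0.113.9:41004 -> 198.51.100.5:143
"""

# Clock skew tolerated between the firewall and the sensor (assumption).
WINDOW = timedelta(seconds=5)


def parse(log):
    """Return a list of (timestamp, five_tuple) for each non-empty line.

    five_tuple is (proto, src_ip, src_port, dst_ip, dst_port).
    """
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, _action, proto, src, _arrow, dst = line.split()
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        key = (proto, src_ip, int(src_port), dst_ip, int(dst_port))
        events.append((datetime.fromisoformat(ts), key))
    return events


def correlate(fw_events, sensor_events, window=WINDOW):
    """Return (matched, fw_only, sensor_only).

    Each firewall drop is paired with the earliest still-unmatched sensor
    alert for the same five-tuple within `window`. Leftovers on either side
    are the one-sided events the post says should raise an eyebrow.
    """
    pending = defaultdict(list)  # five_tuple -> sensor timestamps, in order
    for ts, key in sorted(sensor_events):
        pending[key].append(ts)

    matched, fw_only = [], []
    for ts, key in sorted(fw_events):
        candidates = pending.get(key, [])
        hit = next((i for i, s in enumerate(candidates)
                    if abs(s - ts) <= window), None)
        if hit is None:
            fw_only.append((ts, key))           # firewall dropped, sensor silent
        else:
            matched.append((ts, key))
            candidates.pop(hit)                  # consume that alert once

    sensor_only = [(ts, key) for key, times in pending.items() for ts in times]
    return matched, fw_only, sensor_only


def repeat_offenders(sensor_events, threshold=2):
    """Source addresses with at least `threshold` sensor alerts: candidates
    for the running list of addresses that keep causing headaches."""
    counts = Counter(key[1] for _ts, key in sensor_events)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    matched, fw_only, sensor_only = correlate(parse(FIREWALL_LOG),
                                              parse(SENSOR_LOG))
    print(f"matched={len(matched)} fw_only={len(fw_only)} "
          f"sensor_only={len(sensor_only)}")
    for ts, key in fw_only:
        print("firewall blocked but sensor silent:", ts, key)
    for ts, key in sensor_only:
        print("sensor alerted but firewall silent:", ts, key)
    print("repeat offenders:", repeat_offenders(parse(SENSOR_LOG)))
```

On the constructed data the UDP packet to port 111 is dropped by the firewall but never seen by the sensor, and the sensor alerts on a telnet attempt the firewall never logged; both are exactly the "one or the other but not both" cases worth a second look. Matching on the full five-tuple keeps two probes from the same host to the same port within the skew window from being confused with each other.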