Firewall Wizards mailing list archives
Re: IDS collection in the DMZ, or in the dirty segment?
From: "Matt McClung, CCSA/CCSE" <mmcclung () ndwcorp com>
Date: Wed, 27 Jan 1999 10:17:55 -0700
I have yet to read someone post the idea that you CAN install more than one IDS in your network. I have yet to see any hard case for not putting an IDS in the DMZ, Service Network, Extranet or Internal network. The biggest drawback to this is capital. You can centrally manage and monitor all IDS boxes, which relieves the management headache, and you are able to cover all areas which really should be covered (those I mentioned).

Matt McClung
Net.Works Security Engineer
mmcclung () ndwcorp com

-----Original Message-----
From: John Kozubik <john_kozubik_dc () hotmail com>
To: firewall-wizards () nfr net <firewall-wizards () nfr net>
Date: Tuesday, January 26, 1999 1:40 PM
Subject: IDS collection in the DMZ, or in the dirty segment?
I must disagree with Dominique, who suggested that the IDS data collection unit be placed in the dirty segment (the public servers behind the third NIC in the firewall) as opposed to placing it in the DMZ (between the firewall and the outside world). The reason is that although you have the dirty segment off of a third NIC, and with a less stringent security policy than the machines off of the second NIC, it doesn't mean you have no security policy at all - most likely (hopefully) you are still doing some basic filtering to the machines in the dirty segment. Therefore, the IDS collection unit will not see the packets that you are filtering that won't make it into the dirty segment. Please refer to my other post on the benefits of detecting packets and requests that you are already firewalling against for information on why this is important.

It is my opinion that the only place for the IDS data collection machine is in the DMZ.

That said, although I have never seen it in action, in the same way that you can utilize multiple firewalls, you can also utilize multiple IDS in one network, and I can imagine one or two bizarre scenarios where it might help to have another collection box in the dirty segment as well as in the DMZ. I have gotten a lot of flak here for talking about bizarre cases though, so I won't go into it :)

kozubik
- John Kozubik - john_kozubik () hotmail com
PGP DSS: 0EB8 4D07 D4D5 0C28 63FE AD87 520F 57BE 850B E4C4
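The visibility argument made in the thread (a sensor on the dirty segment only sees what the firewall lets through, while a sensor between the firewall and the Internet sees the blocked attempts too) can be modelled directly. The following is an added example, not code from either poster; the addresses, the allow-list, the "suspicious port" rule and the sample traffic are all constructed for the demonstration.

```python
from dataclasses import dataclass

# Constructed addresses for two public servers on the "dirty segment"
# (the network behind the firewall's third NIC). Assumptions for this demo.
PUBLIC_WEB = "203.0.113.10"
PUBLIC_MAIL = "203.0.113.25"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


# Hypothetical basic filtering policy for the dirty segment: only the services
# the servers actually offer are allowed in; everything else is dropped.
ALLOW = {
    (PUBLIC_WEB, 80, "tcp"),
    (PUBLIC_WEB, 443, "tcp"),
    (PUBLIC_MAIL, 25, "tcp"),
}

# Toy IDS rule: flag connection attempts to ports that the servers do not
# serve and that are common reconnaissance targets. Constructed for the demo.
SUSPICIOUS_PORTS = {23, 111, 139, 445, 1433, 3389}


def firewall_permits(pkt: Packet) -> bool:
    """True if the basic filter in front of the dirty segment passes the packet."""
    return (pkt.dst, pkt.dport, pkt.proto) in ALLOW


def ids_alerts(packets):
    """Alerts a sensor would raise over the packets it can actually observe."""
    return [p for p in packets if p.dport in SUSPICIOUS_PORTS]


def sensor_views(traffic):
    """Model the two placements discussed in the thread.

    'dmz'   : sensor between the firewall and the outside world, sees everything
    'dirty' : sensor on the dirty segment, sees only what the firewall passes
    """
    outside = list(traffic)
    inside = [p for p in traffic if firewall_permits(p)]
    return {"dmz": outside, "dirty": inside}


def compare_placements(traffic):
    """Number of alerts each sensor placement would produce for this traffic."""
    return {name: len(ids_alerts(pkts)) for name, pkts in sensor_views(traffic).items()}


def blocked_probes(traffic):
    """Suspicious packets the firewall drops: visible to the DMZ sensor only."""
    return [p for p in ids_alerts(traffic) if not firewall_permits(p)]


# Constructed sample traffic: legitimate service requests plus a port sweep
# from one source that the filter drops before it reaches the dirty segment.
SAMPLE_TRAFFIC = [
    Packet("198.51.100.7", PUBLIC_WEB, 80),
    Packet("198.51.100.7", PUBLIC_WEB, 443),
    Packet("198.51.100.9", PUBLIC_MAIL, 25),
    Packet("192.0.2.44", PUBLIC_WEB, 23),
    Packet("192.0.2.44", PUBLIC_WEB, 139),
    Packet("192.0.2.44", PUBLIC_WEB, 445),
    Packet("192.0.2.44", PUBLIC_MAIL, 3389),
    Packet("192.0.2.44", PUBLIC_MAIL, 1433),
]

if __name__ == "__main__":
    print(compare_placements(SAMPLE_TRAFFIC))
    for p in blocked_probes(SAMPLE_TRAFFIC):
        print("seen only outside the firewall:", p)
```

With the sample traffic, the outside sensor raises five alerts and the inside sensor none: every probe in the sweep targets a port the filter already blocks, so the dirty-segment sensor never sees the reconnaissance that the firewall is quietly absorbing. That is the case for keeping a collection point outside the filter; the case for a second sensor inside is that only it shows what actually reached the servers.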
Current thread:
- IDS collection in the DMZ, or in the dirty segment? John Kozubik (Jan 26)
- Re: IDS collection in the DMZ, or in the dirty segment? Matt McClung, CCSA/CCSE (Jan 27)
- Re: IDS collection in the DMZ, or in the dirty segment? Drexx D. Laggui (Jan 28)
- Re: IDS collection in the DMZ, or in the dirty segment? John Kozubik (Jan 28)
- Re: IDS collection in the DMZ, or in the dirty segment? stranded lemming (Jan 29)