Firewall Wizards mailing list archives

Re: IDS collection in the DMZ, or in the dirty segment?

From: "Matt McClung, CCSA/CCSE" <mmcclung () ndwcorp com>
Date: Wed, 27 Jan 1999 10:17:55 -0700

I have yet to read someone post the idea that you CAN install more than one
IDS in your network.
I have yet to see any hard case for not putting and IDS in the DMZ, Service
Network, Extranet or Internal network.  The biggest drawback to this is
capital.  You can centrally manage and monitor all IDS boxes which relieve
the management headache and you are able to cover all areas which really
should be covered (Those I mentioned).

Matt McClung
Net.Works Security Engineer
mmcclung () ndwcorp com

-----Original Message-----
From: John Kozubik <john_kozubik_dc () hotmail com>
To: firewall-wizards () nfr net <firewall-wizards () nfr net>
Date: Tuesday, January 26, 1999 1:40 PM
Subject: IDS collection in the DMZ, or in the dirty segment?

I must disagree with dominique who suggested that the IDS data
collection unit be placed in the dirty segment (the public servers
behind the third nic in the firewall) as opposed to placing it in the
DMZ (between the firewall and the outside world).

The reason is that although you have the dirty segment off of a third
nic, and with a less stringent security policy than the machines off of
the second nic, it doesn't mean you have no security policy at all -
most likely (hopefully) you are still doing some basic filtering to the
machines in the dirty segment.

Therefore, the IDS collection unit will not see the packets that you are
filtering that won't make it into the dirty segment.

Please refer to my other post on the benefits of detecting packets and
requests that you are already firewallig against for information on why
this is important.

It is my opinion that the only place for the IDS data collection machine
is in the DMZ.  That said, although I have never seen it in action, in
the same way that you can utilize multiple firewalls, you can also
utilize multiple IDS in one network, and I can imagine one or two
bizarre scenarios where it might help to have another collection box in
the dirty segment as well as in the DMZ.

I have gotten a lot of flack here for talking about bizarre cases
though, so I won't go into it :)

kozubik - John Kozubik - john_kozubik () hotmail com
PGP DSS: 0EB8 4D07 D4D5 0C28 63FE  AD87 520F 57BE 850B E4C4


______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com

Current thread:

IDS collection in the DMZ, or in the dirty segment? John Kozubik (Jan 26)
- <Possible follow-ups>
- Re: IDS collection in the DMZ, or in the dirty segment? Matt McClung, CCSA/CCSE (Jan 27)
  - Re: IDS collection in the DMZ, or in the dirty segment? Drexx D. Laggui (Jan 28)
- Re: IDS collection in the DMZ, or in the dirty segment? John Kozubik (Jan 28)
  - Re: IDS collection in the DMZ, or in the dirty segment? stranded lemming (Jan 29)