Firewall Wizards mailing list archives
IDS data collection, and firewall(s) (was RE: DMZ best practices, blah, blah)
From: "John Kozubik" <john_kozubik_dc () hotmail com>
Date: Tue, 19 Jan 1999 22:27:54 PST
dom_brezinski,

Please accept my apologies for not elaborating further in a previous post - you are correct in noting that placing all machines behind one firewall constitutes a security hole in itself, and certainly does go against much of the literature which explains that attacked hosts should not serve as jumping off points for attacks on deeper machines. Rather than pigeonhole the observer in a 'one network, one firewall' world, I was trying to generalize a bit more. I use multiple levels of firewalls, as do many of the users on this list, I am sure.

As far as IDS data collection machines go, I will not voice my own opinion, but rather refer you to the CIDER documents at: http://www.nswc.navy.mil/ISSEC/CID/ This will explain two _very_ popular methods of IDS - Network Flight Recorder, and the STEP system. Suffice to say that in NFR, the data collection machine and the analysis machine are all rolled into one, and it sits in the DMZ, whereas in STEP, they are separate machines - the collection unit sits in the DMZ, whereas the analysis machine is behind a firewall. YMMV, of course, but generally, the data collection portion of these IDSs sits in the DMZ, and if you only have one firewall, yes, that means it is un-firewalled.

As far as using 'elaborate' IDS mechanisms like this with success, I would invite anyone on this list to email me at: john_kozubik () hotmail com (_not_ the address this comes from...) to discuss the implementation and maintenance of such systems, as they are part of my network topology, and I am having success with them.

Again, sorry for the mix-up, etc. - I would be the first to emphasize all of the points you made when speaking in relation to a one-firewall network.
I missed the point when my rant about DMZ nomenclature turned into a serious discussion, and am now paying the price for my flippancy :)

kozubik - John Kozubik - john_kozubik () hotmail com
PGP DSS: 0EB8 4D07 D4D5 0C28 63FE AD87 520F 57BE 850B E4C4
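The STEP-style split described above (collection unit in the DMZ, analysis machine behind the inner firewall) is only as good as the inner firewall policy that keeps a compromised DMZ host from pivoting to the analyzer. The following is an added example, not code from the post or from NFR/STEP: a small Python checker for a first-match, implicit-deny firewall policy that verifies the only flow allowed across the inner firewall is the collector's push to the analyzer, and that nothing inside initiates toward the DMZ. All addresses, the port number and the rule format are constructed placeholders.

```python
from ipaddress import ip_address, ip_network

# Constructed topology: placeholder addresses, not taken from the post.
ZONES = {"dmz": ip_network("192.0.2.0/24"), "internal": ip_network("10.0.0.0/8")}
COLLECTOR = ip_address("192.0.2.10")  # STEP-style collection unit, sits in the DMZ
ANALYZER = ip_address("10.0.0.5")     # analysis machine, behind the inner firewall
COLLECT_PORT = 2003                   # placeholder port for the collector -> analyzer push

# Inner-firewall rules as (src_zone, dst_zone, src, dst, dport, action); None = any.
# First match wins; anything unmatched is denied.
TIGHT_POLICY = [
    ("dmz", "internal", COLLECTOR, ANALYZER, COLLECT_PORT, "allow"),
    ("dmz", "internal", None, None, None, "deny"),
    ("internal", "dmz", None, None, None, "deny"),  # analyzer never initiates toward the DMZ
]
# A looser policy that lets any DMZ host push to the analyzer: a compromised
# DMZ host could then reach the analysis machine directly.
LOOSE_POLICY = [("dmz", "internal", None, ANALYZER, COLLECT_PORT, "allow")]

def zone_of(addr):
    return next((name for name, net in ZONES.items() if addr in net), None)

def evaluate(policy, src, dst, dport):
    """First-match evaluation of one flow; implicit deny when no rule matches."""
    src, dst = ip_address(src), ip_address(dst)
    sz, dz = zone_of(src), zone_of(dst)
    for rsz, rdz, rsrc, rdst, rport, action in policy:
        if (rsz == sz and rdz == dz and rsrc in (None, src)
                and rdst in (None, dst) and rport in (None, dport)):
            return action
    return "deny"

def separation_violations(policy, dmz_hosts, internal_hosts, ports):
    """Allowed flows across the inner firewall other than the one sanctioned
    collector -> analyzer push. An empty list means the split holds."""
    bad = []
    for s in dmz_hosts:
        for d in internal_hosts:
            for p in ports:
                sanctioned = (ip_address(s) == COLLECTOR and ip_address(d) == ANALYZER
                              and p == COLLECT_PORT)
                if evaluate(policy, s, d, p) == "allow" and not sanctioned:
                    bad.append((s, d, p))
    for s in internal_hosts:          # the inside must never open connections to the DMZ
        for d in dmz_hosts:
            for p in ports:
                if evaluate(policy, s, d, p) == "allow":
                    bad.append((s, d, p))
    return bad
```

Running `separation_violations` over the DMZ and internal host lists for each candidate policy flags every extra path a DMZ compromise could use; the loose policy above is caught because a second DMZ host can reach the analyzer.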