Firewall Wizards mailing list archives

RE: DMZ best practices


From: Dominique Brezinski <dom_brezinski () securecomputing com>
Date: Fri, 22 Jan 1999 01:05:22 -0800

At 09:11 AM 1/22/99 +0100, Security wrote:
> Of course, an ID sensor outside the firewall is potentially vulnerable. When
> the ID sensor has a second NIC you can monitor a network segment with no
> protocol stack involved (on the first NIC) while also using an out-of-band
> channel (on the second NIC) for communication with the ID sensor. When there
> is a firewall between the second NIC and the internal network, you have a
> well-protected ID configuration. I have seen several discussions about
> cutting the transmit wires of the cable between the ID sensor and the
> monitored network. In this case, the ID sensor is physically secured.

All true, except that many (most?) NICs have issues with the transmit pair
cut, or so I hear.  There was a discussion about this some time ago on this
list I think.  There are, however, big vulnerabilities that exist in the
functional relationships between IDS and firewalls they can
actively/reactively configure.  It would be inappropriate to discuss those
at the current time.

> You can monitor the DMZ with a sensor inside the DMZ. This is a proper
> solution, but in my opinion, a well-protected sensor outside the firewall
> does the same.

My question is not whether it can be done, but rather is it actually useful
or sane.  I think my opinion is clear enough from my other posts on the
subject.  We are all entitled to our own.  It is a very rare customer that
I would design a security perimeter for that included an ID sensor outside
the first perimeter defense.  It would just waste my customer's time to try
and analyze and chase down all that they would see, when a vast majority of
it is being repelled by their first perimeter defense.  I might get a
thrill watching it on my own network, but I am a techy individual (clearly
insane ;) - not a company or organization.

This is just my opinion.

Dominique Brezinski CISSP                   (206) 898-8254
Secure Computing        http://www.securecomputing.com
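As an added example (not part of this thread or either poster's own tooling), here is a small audit of the two-NIC sensor layout quoted above: the monitoring NIC should carry no IPv4/IPv6 address at all (no protocol stack to reach) and sit in promiscuous/NOARP mode, while the out-of-band management NIC carries exactly one address. It reads the JSON that `ip -j addr` prints on Linux; the interface names and the sample JSON are constructed for the example.

```python
"""Audit a passive IDS sensor's interface layout from `ip -j addr` JSON."""
import json

# Constructed sample mimicking `ip -j addr show` on a two-NIC sensor:
# eth0 = stackless monitoring port, eth1 = out-of-band management port.
SAMPLE_IP_JSON = json.dumps([
    {"ifname": "lo", "flags": ["LOOPBACK", "UP"],
     "addr_info": [{"family": "inet", "local": "127.0.0.1"}]},
    {"ifname": "eth0", "flags": ["BROADCAST", "PROMISC", "NOARP", "UP"],
     "addr_info": []},
    {"ifname": "eth1", "flags": ["BROADCAST", "MULTICAST", "UP"],
     "addr_info": [{"family": "inet", "local": "10.99.0.5"}]},
])


def _ip_addrs(iface):
    """IPv4/IPv6 addresses bound to an interface record."""
    return [a for a in iface.get("addr_info", [])
            if a.get("family") in ("inet", "inet6")]


def audit_sensor(ip_json, monitor_if, mgmt_if):
    """Return a list of findings; an empty list means the layout is sound."""
    ifaces = {i["ifname"]: i for i in json.loads(ip_json)}
    findings = []
    mon = ifaces.get(monitor_if)
    if mon is None:
        return [f"{monitor_if}: monitoring interface not present"]
    # Any address (even an IPv6 link-local) means the sensor is addressable
    # from the monitored segment, which defeats the "no stack" design.
    addrs = _ip_addrs(mon)
    if addrs:
        findings.append(f"{monitor_if}: carries {len(addrs)} address(es); "
                        "stack is reachable from the monitored segment")
    for flag in ("PROMISC", "NOARP"):
        if flag not in mon.get("flags", []):
            findings.append(f"{monitor_if}: {flag} not set")
    if "UP" not in mon.get("flags", []):
        findings.append(f"{monitor_if}: link is down, sensor is blind")
    mg = ifaces.get(mgmt_if)
    if mg is None:
        findings.append(f"{mgmt_if}: management interface not present")
    elif len(_ip_addrs(mg)) != 1:
        findings.append(f"{mgmt_if}: expected exactly one management "
                        f"address, found {len(_ip_addrs(mg))}")
    return findings


if __name__ == "__main__":
    for line in audit_sensor(SAMPLE_IP_JSON, "eth0", "eth1") or ["OK"]:
        print(line)
```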