IDS mailing list archives

Re: IDS deployment outside FW?

From: <templeofprs () hotmail com>
Date: 9 Aug 2004 21:50:01 -0000

In-Reply-To: <BAY19-F385a0q6AGvN4000177b6 () hotmail com>

Having your IDS on the outside of your firewalls does not tell you what is getting through your firewalls. It does not 
help you from an IDS perspective... just assume that everything is going to hit the outside of your firewall (every 
random sweep or port scan). If your firewalls are bounded by IDS and you correlate both aspects with your firewall logs 
you have a clearer picture of what your threats look like.


Dear List

I have moved into an organization that has two RealSecure Network Sensors 
and a network architecture that is VLANd/DMZd to where localized deployment 
to capture traffic would require 8 to 12 sensors to avoid bridging loops.

The cheapest/simplest option (without deploying SNORT/Prelude, etc - the 
organization wants to remain on a single application architecture where 
possible) is to place the two sensors outside of the firewall.

I understand that this means:
The sensors will be in hostile territory and need to be maintained to a very 
high degree
There will be an operations overhead of dealing with all of the noise that 
would normally be filtered by a firewall

Does anyone have experience of doing this?
Are there any other issues that I have not considered?

Chris

_________________________________________________________________
It's fast, it's easy and it's free. Get MSN Messenger today! 
http://www.msn.co.uk/messenger


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------

Current thread:

IDS deployment outside FW? Chris Conacher (Aug 09)
- Re: IDS deployment outside FW? Dr Bit Bucket (Aug 10)
- <Possible follow-ups>
- Re: IDS deployment outside FW? templeofprs (Aug 10)
  - Re: IDS deployment outside FW? Mike Poor (Aug 11)
    - Re: IDS deployment outside FW? Frank Knobbe (Aug 11)