Re: IDS deployment outside FW?

[Mike Poor <mike () digitalguardian net>]

I agree with your concept of 'differential IDS/Firewall analysis'.  I have long been a proponent of using your firewall 
logs as your external IDS, logging everything that is being dropped.  That way your inside IDS can tell you what got 
through.

There is another side to this.  Your external IDS, imho,  should be focused on what is gettting "OUT" your firewall.  
This can tell you a number of things.  First, it can illustrate the deficiencies in your outbound firewall policies.  
It can also tell you that you have internal hosts that are infected, and or, extracating data.

So, I would focus your internal IDS on inbound traffic, and your external IDS on outbound traffic.

As far as other issues you may not have considered... Think about your security posture, and what you are trying to 
protect.

If your main IDS is one hop inside your firewall, it is an "umbrella" ids.  This IDS has the responsibility of catching 
every possible attack at every possible OS and configuration.  That, again imho, is not very realistic.  I would 
recommend taking that second sensor and 'focusing' its deployment.  Place it on your internet facing services segment 
(web, dns, mail, etc) and tailor its config and rule set (trons module, etc) to the OS'es and Apps that you are 
running.  The data on this IDS will be of better quality, and more important then the 'umbrella' IDS.


Mike Poor


On Mon, Aug 09, 2004 at 09:50:01PM -0000, templeofprs () hotmail com wrote:
> In-Reply-To: <BAY19-F385a0q6AGvN4000177b6 () hotmail com>
>
> Having your IDS on the outside of your firewalls does not tell you what is getting through your firewalls. It does 
> not help you from an IDS perspective... just assume that everything is going to hit the outside of your firewall 
> (every random sweep or port scan). If your firewalls are bounded by IDS and you correlate both aspects with your 
> firewall logs you have a clearer picture of what your threats look like.
>
> > Dear List
> >
> > I have moved into an organization that has two RealSecure Network Sensors 
> > and a network architecture that is VLANd/DMZd to where localized deployment 
> > to capture traffic would require 8 to 12 sensors to avoid bridging loops.
> >
> > The cheapest/simplest option (without deploying SNORT/Prelude, etc - the 
> > organization wants to remain on a single application architecture where 
> > possible) is to place the two sensors outside of the firewall.
> >
> > I understand that this means:
> > The sensors will be in hostile territory and need to be maintained to a very 
> > high degree
> > There will be an operations overhead of dealing with all of the noise that 
> > would normally be filtered by a firewall
> >
> > Does anyone have experience of doing this?
> > Are there any other issues that I have not considered?
> >
> > Chris
> >
> > _________________________________________________________________
> > It's fast, it's easy and it's free. Get MSN Messenger today! 
> > http://www.msn.co.uk/messenger
> >
> >
> > --------------------------------------------------------------------------
> > Test Your IDS
> >
> > Is your IDS deployed correctly?
> > Find out quickly and easily by testing it with real-world attacks from CORE
> > IMPACT.
> > Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
> > --------------------------------------------------------------------------
>
> --------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks from CORE
> IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
> --------------------------------------------------------------------------

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------