Network Security Focus-IDS

Re: IDS deployment outside FW?

Subject: Re: IDS deployment outside FW?
Date: Wed, 11 Aug 2004 11:38:21 -0500
On Tue, 2004-08-10 at 09:22, Mike Poor wrote:
> There is another side to this.  Your external IDS, imho,  should be
> focused on what is getting "OUT" your firewall.  This can tell you a
> number of things.  First, it can illustrate the deficiencies in your
> outbound firewall policies.  It can also tell you that you have
> internal hosts that are infected, and/or, extracting data.
>
> So, I would focus your internal IDS on inbound traffic, and your
> external IDS on outbound traffic.

I wouldn't generalize like that. If your firewall is configured tightly,
you may not see those abnormal outbound connection attempts of infected
internal machines on your outside IDS. For example, if the firewall does
not allow port 1034 from the inside through, then your external IDS
won't be able to tell if/when you have a MyDoom outbreak.

The IDS on the internal leg of the firewall will provide you with more
information about unexpected outbound traffic than the outside IDS does.

But I agree, the outside IDS will provide important information about
the strength of the outbound firewall rule set, mainly how leaky your
firewall is.

So I dare to say that the best setup consists of one IDS on the internal
side of the firewall and one IDS on the external side, and *both* should
be configured/tuned to monitor and alert on inbound as well as outbound
traffic.

It's important to look both ways before crossing the 'Net.  :)

Cheers,
Frank
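
The two-sensor setup Frank describes only pays off if the two event streams are actually compared: an outbound attempt the inside sensor saw but the outside sensor did not was stopped by the firewall (and points at an infected host); an outbound flow both sensors saw got through, and if the documented policy says it should not have, that is the "leaky firewall" signal. The same logic run the other way round, with the outside sensor seeing the attempt first, covers inbound traffic. The following is an added example, not code from the thread or from any product; the key=value log format, the 10.0.0.0/16 internal range, the allowed-port list and every log line are constructed for illustration.

```python
"""Correlate an inside-leg IDS with an outside-leg IDS.

Added example with constructed sensor logs, an assumed log format and an
assumed outbound firewall policy; none of it comes from the original post.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport")

INTERNAL_PREFIX = "10.0."  # assumed internal address space
# Assumed documented outbound policy: only these should leave the network.
ALLOWED_OUTBOUND = {("tcp", 80), ("tcp", 443), ("tcp", 25), ("udp", 53)}


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def parse_sensor_log(text):
    """Parse constructed 'key=value' lines into Flow records."""
    flows = []
    for line in text.strip().splitlines():
        kv = dict(tok.split("=", 1) for tok in line.split())
        flows.append(Flow(kv["src"], kv["dst"], kv["proto"], int(kv["dport"])))
    return flows


def correlate(inside, outside, direction):
    """Match flows across the two sensors.

    direction="out": flows the inside sensor saw are the attempts; those the
    outside sensor also saw made it through the firewall.
    direction="in":  the roles swap; the outside sensor sees attempts first.
    """
    if direction == "out":
        wanted = lambda f: is_internal(f.src) and not is_internal(f.dst)
        before, after = inside, outside
    elif direction == "in":
        wanted = lambda f: not is_internal(f.src) and is_internal(f.dst)
        before, after = outside, inside
    else:
        raise ValueError(direction)
    attempted = {f for f in before if wanted(f)}
    got_through = {f for f in after if wanted(f)}
    return {
        "blocked": attempted - got_through,    # firewall stopped it
        "passed": attempted & got_through,     # firewall let it through
        "unmatched": got_through - attempted,  # seen past the firewall only:
    }                                          # sensor gap, asymmetric routing or spoof


def suspect_hosts(out):
    """Inside hosts whose outbound attempts never left: infection candidates."""
    return sorted({f.src for f in out["blocked"]})


def policy_leaks(out):
    """Outbound flows that passed although the documented policy forbids them."""
    return sorted(f for f in out["passed"] if (f.proto, f.dport) not in ALLOWED_OUTBOUND)


# Constructed sample logs.  10.0.0.23 is trying tcp/1034 (the port Frank
# mentions) and is stopped; 10.0.0.44 reaches tcp/6667 although policy says no.
INSIDE_LOG = """
sensor=ids-inside src=10.0.0.23 dst=203.0.113.9 proto=tcp dport=1034
sensor=ids-inside src=10.0.0.23 dst=203.0.113.10 proto=tcp dport=1034
sensor=ids-inside src=10.0.0.44 dst=198.51.100.7 proto=tcp dport=6667
sensor=ids-inside src=10.0.0.51 dst=198.51.100.20 proto=tcp dport=443
sensor=ids-inside src=192.0.2.80 dst=10.0.0.51 proto=tcp dport=80
"""
OUTSIDE_LOG = """
sensor=ids-outside src=10.0.0.44 dst=198.51.100.7 proto=tcp dport=6667
sensor=ids-outside src=10.0.0.51 dst=198.51.100.20 proto=tcp dport=443
sensor=ids-outside src=192.0.2.80 dst=10.0.0.51 proto=tcp dport=80
sensor=ids-outside src=192.0.2.77 dst=10.0.0.51 proto=tcp dport=22
"""


def run_example():
    inside = parse_sensor_log(INSIDE_LOG)
    outside = parse_sensor_log(OUTSIDE_LOG)
    return correlate(inside, outside, "out"), correlate(inside, outside, "in")


if __name__ == "__main__":
    out, inb = run_example()
    print("suspect hosts:", suspect_hosts(out))
    print("policy leaks:", policy_leaks(out))
    print("inbound blocked by firewall:", sorted(inb["blocked"]))
    print("inbound passed:", sorted(inb["passed"]))
```

Two caveats a practitioner will hit immediately. The match key here is the raw 4-tuple, which only works if the outside sensor sees pre-NAT addresses; when the firewall NATs outbound traffic, the outside sensor reports the firewall's public address as the source, so the key has to drop `src` and add a time window instead. And the "unmatched" bucket is worth alerting on in its own right: a flow that appears beyond the firewall without a matching attempt on the near side means one of the sensors is not seeing everything.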
