IDS Placement
                              by:  Ron DuFresne
                                   (c) 2001


There are two common methods for IDS placement. The first puts the IDS in
front of the firewall, so folks can get those 3AM wakeup calls and
notifications and thus never fall too deeply into REM sleep for long;
call this the self-deprivation method if you will.  That IDS will be
sucking up packets, seeing all sorts of nasty bits hitting the external
interface, and clanging out warning after warning without end.  Most of
the information passing an IDS in this position will be of dubious use.
Some will argue that such a placement is good for telling them what kind
of nasty traffic is out there banging at their doorstep, yet the good
firewall/security admin already has a good clue in this area and knows
better.

The second admin knows that what has passed the firewall's checks and
balances is of more import and use in determining whether the firewall
setup is sufficient for the job it was designed to do, and is clued in to
the fact that at least 70% of the nasty traffic they are dealing with
originates internally.  These folks place the IDS behind the firewall, so
it catches whatever might pass that system and attempt to cause havoc
internally.  At the same time, this IDS can see what the user base behind
the firewall might be trying to pass outside to raise hell on the
internet public at large.  These are admins more keen on getting some of
that REM sleep, and not on false positives interrupting their days as
well as their nights and weekends.  The companies they work for have an
internal response team adept at dealing with the internal noise such an
IDS will be alerting to, and have a good policy established to define
the firewall rules in place, so they will seldom hear a peep, if at all,
from the IDS about something nasty passing from the outside past the
firewall to the soft chewy center of their networks.
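The difference between the two placements can be made concrete with a
small model.  The following Python is an added example, not code from
the original article: it assumes a hypothetical stateless firewall policy
(inbound allowed only to a web server on 80/443, outbound allowed except
IRC and SMB) and a constructed handful of packets tagged with made-up
IDS signature names.  A sensor in front of the firewall sees every
inbound packet plus whatever outbound traffic the firewall lets out; a
sensor behind it sees only inbound packets that survived the firewall
plus every outbound packet the LAN generates.  Counting alerts at each
position shows the front placement drowning in blocked scans while the
rear placement reports only what passed the firewall or originated
inside.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    direction: str                 # "in" = Internet -> LAN, "out" = LAN -> Internet
    signature: Optional[str] = None  # constructed IDS signature name; None = benign


# Hypothetical firewall policy (assumption for this example):
# inbound only to the web server 10.0.0.10 on 80/443; outbound everything
# except IRC (6667) and SMB (445).
INBOUND_ALLOW = {("10.0.0.10", 80), ("10.0.0.10", 443)}
OUTBOUND_DENY_PORTS = {6667, 445}


def firewall_permits(p: Packet) -> bool:
    """Stateless rule check: does the firewall forward this packet?"""
    if p.direction == "in":
        return (p.dst, p.dport) in INBOUND_ALLOW
    return p.dport not in OUTBOUND_DENY_PORTS


def seen_by_sensor(p: Packet, placement: str) -> bool:
    """Whether a sensor 'outside' (in front of) or 'inside' (behind) the firewall sees p."""
    if placement == "outside":
        # External interface: every inbound packet, plus outbound packets that were forwarded.
        return p.direction == "in" or firewall_permits(p)
    if placement == "inside":
        # Internal interface: every outbound packet from the LAN, plus inbound packets that survived.
        return p.direction == "out" or firewall_permits(p)
    raise ValueError(f"unknown placement {placement!r}")


def alerts(traffic: List[Packet], placement: str) -> List[Packet]:
    """Packets that carry a signature AND are visible at the given placement."""
    return [p for p in traffic if p.signature and seen_by_sensor(p, placement)]


def triage(p: Packet) -> str:
    """Why an alert behind the firewall is worth a response (the article's two cases)."""
    return "passed firewall" if p.direction == "in" else "internal origin"


def alert_counts(traffic: List[Packet]) -> dict:
    return {pl: len(alerts(traffic, pl)) for pl in ("outside", "inside")}


# Constructed sample traffic: five blocked inbound scans, one inbound
# exploit attempt against an open port, benign flows, and two internal
# hosts misbehaving outbound.
SAMPLE_TRAFFIC = [
    Packet("203.0.113.5", "10.0.0.10", 22, "in", "ssh-brute-force"),
    Packet("203.0.113.9", "10.0.0.10", 445, "in", "smb-scan"),
    Packet("203.0.113.9", "10.0.0.10", 139, "in", "netbios-scan"),
    Packet("203.0.113.17", "10.0.0.10", 1433, "in", "mssql-scan"),
    Packet("203.0.113.23", "10.0.0.10", 23, "in", "telnet-probe"),
    Packet("198.51.100.7", "10.0.0.10", 80, "in", "web-exploit-attempt"),
    Packet("203.0.113.44", "10.0.0.10", 443, "in"),
    Packet("10.0.0.42", "192.0.2.1", 6667, "out", "irc-bot-c2"),
    Packet("10.0.0.42", "192.0.2.20", 445, "out", "worm-propagation"),
    Packet("10.0.0.77", "192.0.2.8", 80, "out"),
]


if __name__ == "__main__":
    for placement in ("outside", "inside"):
        hits = alerts(SAMPLE_TRAFFIC, placement)
        print(f"{placement}: {len(hits)} alerts", Counter(p.signature for p in hits))
    for p in alerts(SAMPLE_TRAFFIC, "inside"):
        print(f"  inside alert {p.signature:22s} {p.src} -> {p.dst}:{p.dport}  ({triage(p)})")
```

Run as-is it reports six alerts in front of the firewall, five of them
scans the firewall already dropped, against three behind it: the exploit
attempt that the open port 80 let through, and two outbound attempts
from an internal host that the firewall blocked but which still mark
that host as compromised.  Each inside alert is tagged with the reason a
response team would act on it.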

If REM sleep is not important to you, then by all means use the first
scenario.





Hosted by: sysinfo.com

© copyright 1995-2002 sysinfo.com