[Snort-users] IDS Placement ideas for inside and outside a firewall.

David Glosser david_glosser at ...131...
Wed Apr 2 22:54:58 EST 2003

MessageIf you've never set up any IDS before, I'm not sure you would want to place it outside your firewall immediately You'lll get overwhelmed with probes,scans, script kiddies etc. 
First place the box (with the "snorting" NIC unnumbered). On the port monitoring the *internal* interface of your firewall. Let it work on all of the stuff your firewall lets through. Once you have that under control, then place another box (or another NIC on the same box) to monitor your internal servers (since breakins can come from internal users). 
Once you have these two under control, then you can worry monitoring stuff outside the firewall,  which I believe is called *attack detection*. But do you care that much about the stuff your firewall is successfully blocking?

   I am trying to convince my company to implement IDS on our network but I have a few questions. I know I would want one on both sides of the firewall, 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20030402/b2c08238/attachment.html>

More information about the Snort-users mailing list