[Snort-users] IDS Placement ideas for inside and outside a fi rewall.

FWAdmin FWAdmin at ...8484...
Thu Apr 3 05:33:34 EST 2003


That's a good point, internal IMO is more important than external. It
definitely takes some tuning to get the external IDS working the way you
like. The placement of IDS outside works as an early warning system. Sure
your firewall may be blocking the initial attack traffic, but it may lead up
to something that could get through if no action is taken. I don't know
about anyone else, but I don't sit in front of Check Point SmartView Tracker
24x7 and watch logs for attacks :) I check them once a day. So in the 24
hour period between the checks, who knows what is going on? Besides,
firewalls don't do a great job of detecting intrusions and giving
information as to what's going on. And they shouldn't. That's really not the
purpose of a firewall.
 
        -Jason

-----Original Message-----
From: David Glosser [mailto:david_glosser at ...131...] 
Sent: April 3, 2003 03:10
To: Brei, Matt; FWAdmin; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] IDS Placement ideas for inside and outside a
firewall.


If you've never set up any IDS before, I'm not sure you would want to place
it outside your firewall immediately You'lll get overwhelmed with
probes,scans, script kiddies etc. 
First place the box (with the "snorting" NIC unnumbered). On the port
monitoring the *internal* interface of your firewall. Let it work on all of
the stuff your firewall lets through. Once you have that under control, then
place another box (or another NIC on the same box) to monitor your internal
servers (since breakins can come from internal users). 
Once you have these two under control, then you can worry monitoring stuff
outside the firewall,  which I believe is called *attack detection*. But do
you care that much about the stuff your firewall is successfully blocking?
 
--snip-

 I am trying to convince my company to implement IDS on our network but I
have a few questions. I know I would want one on both sides of the firewall,



------------------------- 
This e-mail communication (including any or all attachments) is intended
only for the use of the person or entity to which it is addressed and may
contain confidential and/or privileged material. If you are not the intended
recipient of this e-mail, any use, review, retransmission,  distribution,
dissemination, copying, printing, or other use of, or taking of any action
in reliance upon this e-mail, is strictly prohibited. If you have received
this e-mail in error, please contact the sender and delete the original and
any copy of this e-mail and any printout thereof, immediately. Your
co-operation is appreciated. 

Le present courriel (y compris toute piece jointe) s'adresse uniquement a
son destinataire, qu'il soit une personne ou un organisme, et pourrait
comporter des renseignements privilegies ou confidentiels. Si vous n'etes
pas le destinataire du courriel, il est interdit d'utiliser, de revoir, de
retransmettre, de distribuer, de disseminer, de copier ou d'imprimer ce
courriel, d'agir en vous y fiant ou de vous en servir de toute autre facon.
Si vous avez recu le present courriel par erreur, priere de communiquer avec
l'expediteur et d'eliminer l'original du courriel, ainsi que toute copie
electronique ou imprimee de celui-ci, immediatement. Nous sommes
reconnaissants de votre collaboration. 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20030403/7e86f579/attachment.html>


More information about the Snort-users mailing list