[Snort-users] IDS Placement ideas for inside and outside a firewall.

Brei, Matt mbrei at ...8727...
Thu Apr 3 14:19:20 EST 2003


That's exactly why I would want one outside of the firewall.  If I were
to find a successful break in, I could then review logs from the
external IDS and find that the same IP had done several scans or
whatever that were eventually blocked by the firewall and not picked up
by the internal IDS.  I would think that this would help build a better
case if any type of legal action were to be taken. 

 

Matt

 

-----Original Message-----
From: Brian Laing [mailto:Brian.Laing at ...8609...] 
Sent: Thursday, April 03, 2003 11:28 AM
To: 'David Glosser'; Brei, Matt; 'FWAdmin';
snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] IDS Placement ideas for inside and outside a
firewall.

 

I would agree with this sort of implementation, in many of the installs
I have done I will setup the external sensors to do nothing but logging
and ignore the data till I see something worth looking at on one of the
internal servers.  I use this data to see what else that IP has been
doing or what other things have been attempted against a specific host

 

-------------------------------------------------------------------
Brian Laing
CTO
Blade Software
Cellphone: +1 650.280.2389
Telephone: +1 650 367.9376
eFax: +1 208.575.1374
Blade Software - Because Real Attacks Hurt
http://www.Blade-Software.com
-------------------------------------------------------------------

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of David
Glosser
Sent: Wednesday, April 02, 2003 11:10 PM
To: Brei, Matt; FWAdmin; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] IDS Placement ideas for inside and outside a
firewall.

 

If you've never set up any IDS before, I'm not sure you would want to
place it outside your firewall immediately You'lll get overwhelmed with
probes,scans, script kiddies etc. 

First place the box (with the "snorting" NIC unnumbered). On the port
monitoring the *internal* interface of your firewall. Let it work on all
of the stuff your firewall lets through. Once you have that under
control, then place another box (or another NIC on the same box) to
monitor your internal servers (since breakins can come from internal
users). 

Once you have these two under control, then you can worry monitoring
stuff outside the firewall,  which I believe is called *attack
detection*. But do you care that much about the stuff your firewall is
successfully blocking?

 

--snip-

	 I am trying to convince my company to implement IDS on our
network but I have a few questions. I know I would want one on both
sides of the firewall, 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20030403/2c98cece/attachment.html>


More information about the Snort-users mailing list