[Snort-users] IDS Placement ideas for inside and outside a firewall.

Brian Laing Brian.Laing at ...8609...
Fri Apr 4 07:46:31 EST 2003


Having this sort of implementation can do a couple of things.  First off
it can greatly reduce the amount that one sensor is looking at, since it
only has to keep up with what's going into and out of the firewall.  The
bits that you are missing is internal machines attacking internal
machines, internal machines running unwanted services, unknown access
points into the network, etc.  I have seen some customers who don't care
about that, while most do.  The difficulty is even if you want to look
for all that stuff it can be difficult to impossible to place a single
or small number of sensors in an efficient manner to catch all this
traffic.  If you like you can drop me a line and we can chat off line I
would be happy to look at a network diagram and make some
recommendations.
 
Cheers,
Brian
 
 
-------------------------------------------------------------------
Brian Laing
CTO
Blade Software
Cellphone: +1 650.280.2389
Telephone: +1 650 367.9376
eFax: +1 208.575.1374
Blade Software - Because Real Attacks Hurt
http://www.Blade-Software.com
-------------------------------------------------------------------
-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Ponte,
Paul F
Sent: Thursday, April 03, 2003 7:04 PM
To: 'snort-users at lists.sourceforge.net'
Subject: RE: [Snort-users] IDS Placement ideas for inside and outside a
firewall.
 
Hi all -
  I'd like to ask your opinions on one part of this question.  When we
talk about a sensor on the inside of the firewall, I assume that means
it can see all traffic on the internal subnet.  But what do you give up
if you monitor just traffic passing on a VLAN between the firewall and
the router sitting between it and the rest of the network?  Is this a
valid installation?  What's the danger in not monitoring all of the
normal host to host traffic on your network which doesn't need to cross
the firewall?  I'm considering this kind of deployment, so thanks for
your opinions on this.
 
Paul
-----Original Message-----
From: Brian Laing [mailto:Brian.Laing at ...8609...] 
Sent: Thursday, April 03, 2003 5:58 PM
To: 'Brei, Matt'; 'David Glosser'; 'FWAdmin';
snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] IDS Placement ideas for inside and outside a
firewall.
It can help, but I would not rely on it for prosecution the fact is the
data is too easy to spoof and is not collected in a forensically sound
manager either at the sensor or the management console.  By forensically
sound I mean certified to be free from tampering.  Not that this data
wont help your case, but its better to rely on it to see where and into
what else the attacker may have gotten into.
 
-------------------------------------------------------------------
Brian Laing
CTO
Blade Software
Cellphone: +1 650.280.2389
Telephone: +1 650 367.9376
eFax: +1 208.575.1374
Blade Software - Because Real Attacks Hurt
http://www.Blade-Software.com
-------------------------------------------------------------------
-----Original Message-----
From: Brei, Matt [mailto:mbrei at ...8727...] 
Sent: Thursday, April 03, 2003 2:18 PM
To: brian.laing at ...8607...; David Glosser; FWAdmin;
snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] IDS Placement ideas for inside and outside a
firewall.
 
That's exactly why I would want one outside of the firewall.  If I were
to find a successful break in, I could then review logs from the
external IDS and find that the same IP had done several scans or
whatever that were eventually blocked by the firewall and not picked up
by the internal IDS.  I would think that this would help build a better
case if any type of legal action were to be taken. 
 
Matt
 
-----Original Message-----
From: Brian Laing [mailto:Brian.Laing at ...8609...] 
Sent: Thursday, April 03, 2003 11:28 AM
To: 'David Glosser'; Brei, Matt; 'FWAdmin';
snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] IDS Placement ideas for inside and outside a
firewall.
 
I would agree with this sort of implementation, in many of the installs
I have done I will setup the external sensors to do nothing but logging
and ignore the data till I see something worth looking at on one of the
internal servers.  I use this data to see what else that IP has been
doing or what other things have been attempted against a specific host
 
-------------------------------------------------------------------
Brian Laing
CTO
Blade Software
Cellphone: +1 650.280.2389
Telephone: +1 650 367.9376
eFax: +1 208.575.1374
Blade Software - Because Real Attacks Hurt
http://www.Blade-Software.com
-------------------------------------------------------------------
-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of David
Glosser
Sent: Wednesday, April 02, 2003 11:10 PM
To: Brei, Matt; FWAdmin; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] IDS Placement ideas for inside and outside a
firewall.
 
If you've never set up any IDS before, I'm not sure you would want to
place it outside your firewall immediately You'lll get overwhelmed with
probes,scans, script kiddies etc. 
First place the box (with the "snorting" NIC unnumbered). On the port
monitoring the *internal* interface of your firewall. Let it work on all
of the stuff your firewall lets through. Once you have that under
control, then place another box (or another NIC on the same box) to
monitor your internal servers (since breakins can come from internal
users). 
Once you have these two under control, then you can worry monitoring
stuff outside the firewall,  which I believe is called *attack
detection*. But do you care that much about the stuff your firewall is
successfully blocking?
 
--snip-
 I am trying to convince my company to implement IDS on our network but
I have a few questions. I know I would want one on both sides of the
firewall, 



The International Fund for Animal Welfare (IFAW -- www.ifaw.org) works
to improve the welfare of wild and domestic animals throughout the world
by reducing commercial exploitation of animals, protecting wildlife
habitats, and assisting animals in distress. IFAW seeks to motivate the
public to prevent cruelty to animals and to promote animal welfare and
conservation policies that advance the well-being of both animals and
people.

This transmission is intended only for use by the addressee(s) named
herein and may contain information that is proprietary, confidential
and/or legally privileged. If you are not the intended recipient, you
are hereby notified that any disclosure, copying, distribution, or use
of the information contained herein (including any reliance thereon) is
STRICTLY PROHIBITED. If you received this transmission in error, please
immediately contact the sender and destroy the material in its entirety,
whether in electronic or hard copy format. Thank you.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20030404/6b96931e/attachment.html>


More information about the Snort-users mailing list