2.5 Where's a good place to physically put a Snort sensor?
This is going to be heavily influenced by your organizations policy, and what
you want to detect. One way of looking at it is determining if you want to
place it inside or outside your firewall. Placing an IDS outside of your
firewall will allow you monitor all attacks directed at your network,
regardless of whether or not they are stopped at the firewall. This almost
certainly means that the IDS will pick up on more events than an IDS inside the
firewall, and hence more logs will be generated. Place an IDS inside your
firewall if you are only interested in monitoring traffic that your firewall
let pass. If resources permit, it may be best to place one IDS outside and one
IDS inside of your firewall. This way you can watch for everything directed at
your network, and anything that made it's way in.
ADDENDA AD NAUSEUM
Note: So this one still gets a lot of traffic even though it's in the FAQ. Erek
Adams has noted this comprehensive and authoritative discussion of this
perpetual discussion item - mildly edited, also see faq question about switches
hubs and taps -dr
If your router/switch can do port mirroring then just connecting a network IDS
to it would be fine. Else a hub could be another option. Most of network IDS
can have a NIC that acts as a passive sniffer anyway.
As to where to place the sensor. I would go for both, one to monitor the
external, one for the internal. I work in a distributor for security products,
so over instrumentation is fun
And in any case, if the traffic do not pass
by the Sensor it will not get monitored. So some people deploy IDS on their
internal segments too I believe.
In ``front'' of the firewall(s):
Pro: Higher state of alert you know what attacks you are facing.
Con: Wall to Wall of data, boring? If your firewall has NAT turned on, tracking
the sources originating from your internal network is difficult.
``Behind'' the firewall(s):
Pro: Only what gets through the firewall gets monitored? Less load on the IDS
analyst. You get to see what hosts are sending traffic to the internet.
Con: Less idea of the state of the environment, false sense of safety.
Where should IDS be placed relative to firewalls? Explore the pros and cons off
placing IDS inside or outside firewall. What are the drawbacks of each?
* MARCUS RANUM from NFR Security: "I'd put mine inside. Why should I care if
someone is attacking the outside of my firewall? I care only if they
succeed, which my IDS on the inside would ideally detect. Placing the IDS
on the outside is going to quickly lull the administrator into complacency.
I used to have a highly instrumented firewall that alerted me whenever
someone attacked it. Two weeks later I was deleting its alert messages
without reading them. Another important factor arguing for putting it
inside is that not all intrusions come from the outside or the firewall. An
IDS on the inside might detect new network links appearing, or attackers
that got in via another avenue such as a dial-in bank.''
* CURRY from IBM: ``The IDS should be placed where it will be able to see as
much of the network traffic you're concerned about as possible. For
example, if you're concerned about attacks from the Internet, it makes the
most sense to put the IDS outside the firewall. the most sense to put the
IDS outside the firewall. This gives it an "unobstructed" view of
everything that's coming in. If you put the IDS inside the firewall, then
you're not seeing all the traffic the bad guys are sending at you, and this
may impact your ability to detect intrusions.''
* SUTTERFIELD from Wheel Group: ``IDS ideally plays an important role both
inside and outside a firewall. Outside a firewall, IDS watches legitimate
traffic going to public machines such as e-mail and Web servers. More
importantly IDS outside a firewall will see traffic that would typically be
blocked by a firewall and would remain undetected by an internal system.
This is especially important in detecting network sweeping which can be a
first indication of attack. External systems will also give you the benefit
of monitoring those services that firewalls determine are legitimate.
Putting an IDS inside the firewall offers the added benefit of being able
to watch traffic internal to the protected network. This adds an important
element of protection against insider threats. The major drawback of IDS
inside a firewall is that it cannot see a good deal of important traffic
coming from untrusted networks and may fail to alert on obvious signals of
an impending attack.''
* CHRIS KLAUS from ISS: ``Outside the firewall is almost always a good
idea-it protects the DMZ devices from attack and dedicates an additional
processor to protecting the internal network. Just inside the firewall is
also useful-it detects attempts to exploit the tunnels that exist through
the firewall and provides an excellent source of data for how well your
firewall is working. Throughout your intranet may be the best place for IDS
deployment, however. Everyone agrees that attacks aren't the only things
we're worried about-there's internal mischief, fraud, espionage, theft, and
general network misuse. Intrusion detection systems are just as effective
inside the network as outside, especially if they're unobtrusive and easy
* GENE SPAFFORD: ``The IDS must be inside any firewalls to be able to detect
insider abuse and certain kinds of attacks through the firewall. IDS
outside the firewall may be useful if you want to monitor attacks on the
firewall, and to sample traffic that the firewall doesn't let through.
However, a true IDS system is likely to be wasted there unless you have
some follow-through on what you see.''
* Bottom Line:
DRAGOS RUIU: ``just pick a spot you're likely to look at the logs for :-)''