IDS Placement on the network


  1. #1
    Junior Member
    Join Date
    Mar 2004
    Posts
    5

    IDS Placement on the network

    What would you think is the ideal placement of an IDS on the network? The ideal way, I would think, is immediately after the firewall and before the main router. One of my colleagues suggested placement of the IDS before the firewall. I am not sure. Could you give me suggestions on where an ideal placement would be? Also, could IDS and firewall data correlate with each other in creating a more dynamic security policy?

  2. #2
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    After the firewall would be a good location for it because it eliminates seeing all the other traffic out there, and there's a lot of traffic that would pass by. Placing the IDS after the firewall (or even after the main router) is a good choice as it will detect attacks that manage to get past the firewall (acting as an alarm system). Tying the firewall and IDS together could work, but you do run into risks with false positives, which might cause your firewall to close more ports than necessary. Personally, I'm a firm believer in having a human check things and do the alterations, as technology can only go so far. As a random example, if an attacker was particularly out to cause damage he could "spoof" an attack as if it comes from your DNS and thus cause the IDS to tell the firewall to ignore anything from the DNS.

    Which IDS are you implementing?
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #3
    Senior Member OverdueSpy's Avatar
    Join Date
    Nov 2002
    Posts
    556
    I prefer to use a layered defence, by placing an IDS in front of the Firewall and another IDS behind the Firewall. In my environment, I need to know when we are receiving a sustained attack, thus the IDS placed outside the Firewall. Because of the Firewall rulebase dropping particular packets/connections on the Firewall, I may not be aware of an attack against the Firewall itself or devices behind the firewall where the attack is blocked at the Firewall. (lots of noise though) The second IDS lets me know what potential attacks have made it through the firewall and into the DMZ in question.
    The mentally handicaped are persecuted in this great country, and I say rightfully so! These people are NUTS!!!!

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I'm with OverdueSpy on this one. A stealth NIDS on the outside of the firewall and a non-stealthed NIDS on the inside. I can see what traffic comes at and passes through my firewall, which is a firewall rules check in itself.

    The stealthed NIDS outside the firewall also has an additional benefit in that it sees all traffic regardless of the firewall, but its detection is very difficult. Basically you have to own the border router or the firewall to detect its presence, and the detection can be a hit or miss affair. Therefore, in the event of a successful compromise and disabling of the "locatable" NIDS, the attacker may simply carry on with his "job" thinking that he has disabled my security systems. That would be a mistake.... The fact that it is outside the firewall ensures that I still catch all the traffic, because that is the "choke point" all his traffic _must_ pass through in a remote compromise.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
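    Added example (not code from any poster in this thread): correlating alerts from the outside and inside sensors described above, so an attack the outside sensor saw but the inside sensor never did is marked as stopped by the firewall, and only what actually crossed is queued for a human to review rather than pushed straight into the firewall rulebase. The alert lines are constructed samples in Snort's "fast" alert format, and the NEVER_BLOCK allowlist is a hypothetical guard against the spoofed-DNS scenario raised in post #2.

```python
import re
from collections import Counter

# One Snort "fast" alert line, e.g.
# 03/15-10:01:02.000001 [**] [1:1000001:1] SCAN portscan [**] [Priority: 2] {TCP} 203.0.113.9:40000 -> 192.0.2.10:23
FAST = re.compile(r"\[\*\*\] \[(\d+:\d+:\d+)\] (.+?) \[\*\*\].*\{(\w+)\} "
                  r"([\d.]+)(?::(\d+))? -> ([\d.]+)(?::(\d+))?")

# Constructed sample alerts (not real traffic). OUTSIDE is the sensor in front of the
# firewall, INSIDE the sensor behind it. The port scan never appears inside: the firewall ate it.
OUTSIDE = [
    "03/15-10:01:02.000001 [**] [1:1000001:1] SCAN portscan [**] [Priority: 2] {TCP} 203.0.113.9:40000 -> 192.0.2.10:23",
    "03/15-10:01:03.000001 [**] [1:1000002:1] WEB traversal attempt [**] [Priority: 1] {TCP} 203.0.113.9:40001 -> 192.0.2.10:80",
    "03/15-10:01:04.000001 [**] [1:1000002:1] WEB traversal attempt [**] [Priority: 1] {TCP} 203.0.113.9:40002 -> 192.0.2.10:80",
    "03/15-10:01:05.000001 [**] [1:1000003:1] DNS bogus query [**] [Priority: 2] {UDP} 192.0.2.53:53 -> 192.0.2.10:53",
]
INSIDE = [
    "03/15-10:01:03.000100 [**] [1:1000002:1] WEB traversal attempt [**] [Priority: 1] {TCP} 203.0.113.9:40001 -> 192.0.2.10:80",
    "03/15-10:01:04.000100 [**] [1:1000002:1] WEB traversal attempt [**] [Priority: 1] {TCP} 203.0.113.9:40002 -> 192.0.2.10:80",
    "03/15-10:01:05.000100 [**] [1:1000003:1] DNS bogus query [**] [Priority: 2] {UDP} 192.0.2.53:53 -> 192.0.2.10:53",
]

# Hypothetical allowlist: infrastructure that must never be auto-blocked, however loud the
# alerts, because the source address of an alert is exactly what an attacker can forge.
NEVER_BLOCK = {"192.0.2.53"}

def keys(lines):
    """Yield (sid, src_ip, dst_ip, dst_port) for each parsable fast-format line (port may be None)."""
    for line in lines:
        m = FAST.search(line)
        if m:
            sid, _msg, _proto, src, _sport, dst, dport = m.groups()
            yield sid, src, dst, dport

def correlate(outside, inside):
    """Count each attack key on both sensors. Seen outside but never inside means the
    firewall stopped it; seen on both means it got through and deserves attention."""
    out_c, in_c = Counter(keys(outside)), Counter(keys(inside))
    return {k: {"outside": n, "inside": in_c[k],
                "status": "passed" if in_c[k] else "blocked"} for k, n in out_c.items()}

def review_queue(outside, inside, threshold=2):
    """Source addresses whose attacks crossed the firewall at least `threshold` times,
    minus the allowlist. This list goes to a person, not straight into the rulebase."""
    passed = Counter()
    for (_sid, src, _dst, _dport), info in correlate(outside, inside).items():
        if info["status"] == "passed":
            passed[src] += info["inside"]
    return sorted(ip for ip, n in passed.items() if n >= threshold and ip not in NEVER_BLOCK)
```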

  5. #5
    Member
    Join Date
    Dec 2003
    Posts
    41
    I disabled all network related services on my fast XP box and put two NICs on it. One plugged in behind the firewall and one outside. I am running two instances of Snort, and Snort is logging to a MySQL database located behind the NAT. The inside card has a legit IP/subnet, and the outside card has a bogus IP. With everything disabled, the box shows no signs of existence on the outside NIC. I guess I could have used Red Hat and had no IP on the outside as opposed to a bogus one, but I am just more familiar with disabling services in Windows as opposed to securing Red Hat.

  6. #6
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Tarpi:

    Disable all protocols on the outside NIC.... Then it is stealthed. WinPcap will still open the NIC for use without risk of transmission.

  7. #7
    Junior Member
    Join Date
    Mar 2004
    Posts
    1
    Hi Everyone -- it's my first post here and I would like to comment. While having a NIDS on both sides is ideal, most smaller customers (ones with 5 servers or less) would find it difficult to cost justify this particular scenario. Most environments would do well with one, while having a good admin running some kind of sniffer tool could keep track of any suspicious traffic that may get past a firewall and/or NIDS and be a little less expensive at the same time (at least the software-based ones would be anyway). Just my 2 cents.....

  8. #8
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    While having a NIDS on both sides is ideal, most smaller customers (ones with 5 servers or less) would find it difficult to cost justify this particular scenario.
    Hrmm.. Snort with PHP/MySQL on a FreeBSD box cost me $50 (for the box -- a Pentium 100 w/64MB of RAM). If you think superlarge servers, then yes, cost can be an issue, but if you get creative it doesn't necessarily have to be.

  9. #9
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    whta: Ms. Mittens, as usual, is right. There is a ton you can do for free, and it doesn't have to be in an open source environment. I do have a "bigger" network, but I also work for a non-profit so cash isn't exactly "flowing".

    My tutorial on Secure Central Logging found here shows a fairly complex system, but you will note that outside the hardware cost my only cost was time. The hardware costs could be cut significantly, commensurate with the perceived risk/tolerance level, yet still provide a cost effective and secure system for even a small shop.

  10. #10
    Junior Member
    Join Date
    Mar 2004
    Posts
    5
    Sorry I am late at looking for responses and replying. I was inundated with work this morning. The past 2 days have been practically immersed in a sea of research and stuff. Anyway, we are implementing an eTrust IDS on an enterprise-wide basis. I did speak about this issue to a few people. We are leaning towards putting it just behind the firewall and before the main router. Then again, we will truly know only during deployment, which will happen in a couple of weeks' time.
