>for our web servers we have a screening router with _very_ tight filters
>(allow port 80, 443 to all machines, DNS to one, SMTP to another)
>
>We are wanting to add intrusion detection to this so are planning to put a
>firewall/IDS machine between the router and the switch.
>
>The thing that puzzles me is that the recommendation is to OPEN UP THE
>ROUTER so that it only blocks a few ports and have the firewall do the
>rest! The rationale is that a firewall is better for security than the
>router and can give me better indications of attacks than we can from the
>router logs.
>
>My reaction is that it is better to try and stop it at both the router and
>the firewall, along with an alarm on the firewall that if it sees any of
>this it means that the router has been hacked, but I would like to get
>some additional feedback on this.
This discussion has been had before, in forms like firewall vs. IDS
or IDS on the inside vs. outside.
It really comes down to whether you value blocking attacks
more or detecting them more. I don't claim to know that one
is better than another. Clearly, your IDS will be able to detect little
if it's behind a router that is stopping most attack attempts, perhaps
making it less useful. There's another school of thought that IDSs can
replace firewalls, if they are of the type that can stomp connections.
I don't subscribe to the latter.
Ryan
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
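The trade-off the thread is arguing about, modelled as an added example (this is not code from the original poster or from Ryan). The filter rules are the ones quoted above (80/443 to all web hosts, DNS to one host, SMTP to another); the addresses, the short blocklist for the "opened up" router, the sample traffic and the one packet that slips past the router are all constructed here. The same traffic is run through both router configurations with the firewall enforcing the tight rules either way, and the model reports how much the firewall/IDS gets to see and whether the "router has been bypassed" alarm the poster proposes still fires:

```python
"""Screening router in front of a firewall/IDS: tight vs. opened-up router.

Added illustration, not code from the thread. Addresses, blocklist and
traffic below are constructed; only the rule shapes come from the post.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple

WEB_NET = "192.0.2."          # constructed: the web-server subnet
DNS_HOST = "192.0.2.53"       # constructed: the one host allowed DNS
MAIL_HOST = "192.0.2.25"      # constructed: the one host allowed SMTP
ROUTER_BLOCKLIST = {135, 137, 138, 139, 445}  # constructed "few ports" for the open router


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    dport: int


def in_web_net(ip: str) -> bool:
    return ip.startswith(WEB_NET)


def tight_policy(p: Packet) -> bool:
    """The poster's current screening-router filter. True means permitted."""
    if p.proto == "tcp" and p.dport in (80, 443) and in_web_net(p.dst):
        return True
    if p.dport == 53 and p.dst == DNS_HOST:
        return True
    if p.proto == "tcp" and p.dport == 25 and p.dst == MAIL_HOST:
        return True
    return False


def open_policy(p: Packet) -> bool:
    """The recommended 'opened up' router: blocks only a short list of ports
    and leaves the rest to the firewall behind it."""
    return p.dport not in ROUTER_BLOCKLIST


def simulate(traffic: Iterable[Packet],
             router_policy: Callable[[Packet], bool],
             firewall_policy: Callable[[Packet], bool] = tight_policy,
             router_leaks: Iterable[Packet] = ()) -> Tuple[List[Packet], List[Packet], List[Packet]]:
    """Pass traffic through the router, then the firewall.

    router_leaks: packets that reach the firewall although the router policy
    says they should not (models a misconfigured or compromised router).
    Returns (packets reaching the firewall, packets the firewall drops and
    hence the IDS can log, and the subset that triggers the 'router bypassed'
    alarm because the router's own policy should already have dropped them).
    """
    reached = [p for p in traffic if router_policy(p)] + list(router_leaks)
    ids_events = [p for p in reached if not firewall_policy(p)]
    alarms = [p for p in ids_events if not router_policy(p)]
    return reached, ids_events, alarms


# Constructed sample traffic: four legitimate flows and five that the tight
# filter rejects (SMTP to a web host, SSH, telnet, SMB, DNS to the wrong host).
SAMPLE_TRAFFIC = [
    Packet("198.51.100.7", "192.0.2.10", "tcp", 80),
    Packet("198.51.100.7", "192.0.2.10", "tcp", 443),
    Packet("198.51.100.8", DNS_HOST, "udp", 53),
    Packet("198.51.100.9", MAIL_HOST, "tcp", 25),
    Packet("198.51.100.9", "192.0.2.10", "tcp", 25),
    Packet("203.0.113.5", "192.0.2.10", "tcp", 22),
    Packet("203.0.113.5", "192.0.2.10", "tcp", 23),
    Packet("203.0.113.5", "192.0.2.10", "tcp", 445),
    Packet("203.0.113.6", "192.0.2.11", "udp", 53),
]
# Constructed: one telnet packet that gets past the router despite its filter.
SAMPLE_LEAKS = [Packet("203.0.113.9", "192.0.2.10", "tcp", 23)]


def compare(traffic=SAMPLE_TRAFFIC, leaks=SAMPLE_LEAKS) -> Dict[str, Dict[str, int]]:
    """Count what the firewall/IDS sees under each router configuration."""
    out = {}
    for name, policy in (("tight_router", tight_policy), ("open_router", open_policy)):
        reached, events, alarms = simulate(traffic, policy, router_leaks=leaks)
        out[name] = {"reached_firewall": len(reached),
                     "ids_events": len(events),
                     "router_bypass_alarms": len(alarms)}
    return out


if __name__ == "__main__":
    for name, counts in compare().items():
        print(name, counts)
```

With the tight router the firewall sees only one blocked packet, but that single event is a high-fidelity alarm: the router should have dropped it, so either the filter changed or the router is no longer trustworthy. With the opened-up router the IDS logs five events and gets a much richer picture of what is being tried, but the same leaked telnet packet now looks like ordinary filtered noise and the "router has been bypassed" signal disappears. That is the blocking-versus-detecting choice Ryan describes; the poster's proposal of filtering at both layers plus an alarm on the firewall keeps the bypass signal at the cost of IDS visibility.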