Looking for opinion on placement of IDS sensor on a network segment which
includes Firewall external interface and ISP router (there is no screening
router behind ISP router). The IDS sensor nic on this segment would have no
protocols bound to it (Real Secure network sensor). Operating system would
be stripped down NT or Win2k. The issue is that second nic on sensor
machine would go to management console on internal network - so compromise
of sensor would allow direct uncontrolled access to internal network.
Questions:
- Is this deployment safe?
- Is there any way to compromise this machine from Internet / ISP bearing in
mind that there are no protocols bound to the nic and it is acting only in
promiscuous traffic collection mode?
- are there any tools which could identify the machine on the segment?
- any suggested penetration tests?
- would it be prudent to protect internal network by placing packet filter
or basic firewall appliance between sensor machine and internal network
(only traffic is IDS data collection and management)?
- would deployment be safer with screening router between firewall and ISP
router?
- would more effective deployment of sensor(s) be on firewall's internal and
DMZ interfaces (IDS would then not see traffic dropped or rejected by
firewall)?
Any thoughts are welcome
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
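One way to reason about the packet filter the poster asks about (between the sensor's second NIC and the internal network) is to write the intended policy down as rules and check sample flows against it before buying or configuring an appliance. The following is an added example, not code from the post or from the RealSecure product: it models a default-deny filter that passes only console-to-sensor management sessions and the sensor's replies to them, so a compromised sensor cannot open connections into the internal network. The addresses are constructed, and the management port 2998 is an assumption to be checked against the vendor's documentation; the example also assumes the console initiates sessions to the sensor, so if the product has the sensor call home instead, the direction in the first two rules must be reversed.

```python
"""Model of a default-deny filter for an IDS sensor's management link (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import List, Tuple

# Constructed addressing for the example; none of these values come from the post.
SENSOR_MGMT_IP = ip_address("192.0.2.2")    # sensor's second NIC (management side)
CONSOLE_IP = ip_address("10.0.1.10")        # IDS management console
INTERNAL_NET = ip_network("10.0.0.0/8")     # protected internal network
MGMT_PORT = 2998  # ASSUMED console<->sensor port; confirm against vendor documentation


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    syn_only: bool = False  # TCP SYN without ACK, i.e. a new connection attempt


def filter_packet(pkt: Packet) -> Tuple[str, str]:
    """Return (verdict, reason) for one packet crossing the sensor/internal boundary."""
    # Rule 1: the console may open and continue management sessions to the sensor.
    if (pkt.proto == "tcp" and pkt.src == CONSOLE_IP and pkt.dst == SENSOR_MGMT_IP
            and pkt.dport == MGMT_PORT):
        return "ALLOW", "console->sensor management session"
    # Rule 2: the sensor may answer within such a session but never initiate one
    # (a bare SYN from the sensor is refused even towards the console's own port).
    if (pkt.proto == "tcp" and pkt.src == SENSOR_MGMT_IP and pkt.dst == CONSOLE_IP
            and pkt.sport == MGMT_PORT and not pkt.syn_only):
        return "ALLOW", "sensor->console reply in established session"
    # Rule 3: everything else is dropped; sensor-initiated traffic into the internal
    # network is the case the poster worries about, so it gets its own log reason.
    if pkt.src == SENSOR_MGMT_IP and pkt.dst in INTERNAL_NET:
        return "DENY", "sensor-initiated traffic into internal network"
    return "DENY", "default deny"


def audit(packets: List[Packet]) -> List[str]:
    """Evaluate a batch of packets and return one log line per packet."""
    lines = []
    for pkt in packets:
        verdict, reason = filter_packet(pkt)
        lines.append(f"{verdict} {pkt.proto} {pkt.src}:{pkt.sport} -> "
                     f"{pkt.dst}:{pkt.dport} ({reason})")
    return lines


if __name__ == "__main__":
    # Constructed sample flows: a legitimate management session plus the kind of
    # traffic a compromised sensor would try to send into the internal network.
    sample = [
        Packet(CONSOLE_IP, SENSOR_MGMT_IP, "tcp", 40000, MGMT_PORT, syn_only=True),
        Packet(SENSOR_MGMT_IP, CONSOLE_IP, "tcp", MGMT_PORT, 40000),
        Packet(SENSOR_MGMT_IP, CONSOLE_IP, "tcp", MGMT_PORT, 40000, syn_only=True),
        Packet(SENSOR_MGMT_IP, ip_address("10.0.5.7"), "tcp", 50000, 445, syn_only=True),
        Packet(SENSOR_MGMT_IP, ip_address("10.0.1.53"), "udp", 5353, 53),
    ]
    for line in audit(sample):
        print(line)
```

The point of writing the policy this way is that the sensor's management NIC never gets to originate a connection: even if the sniffing interface is compromised, the attacker's path into the internal network is limited to replies on an already-open management session, which is what a packet filter or small firewall appliance in that position should enforce.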