>Date: Sat, 20 Jan 2001 09:24:40 -0500
>From: "John Tannahill" <[EMAIL PROTECTED]>
>Subject: Placement of IDS Sensor
>
>Looking for opinion on placement of IDS sensor on a network segment which
>includes Firewall external interface and ISP router (there is no screening
>router behind ISP router).  The IDS sensor NIC on this segment would have no
>protocols bound to it (RealSecure network sensor). Operating system would
>be stripped down NT or Win2k.  The issue is that the second NIC on the sensor
>machine would go to management console on internal network - so compromise
>of sensor would allow direct uncontrolled access to internal network.

Unless you have a lot of time to "desensitize" the IDS sensor, put it 
behind the firewall. This will detect the serious threats that get 
through so you won't be distracted by the "kiddie scripters" that are 
stopped by the firewall. 

We have external IDSes but had to modify their alarm handling by checking 
for return traffic. This finally got us looking at the real threats and 
made the IDS systems into something other than a box crying "wolf" all 
day long.

Bob Wilson
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
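The return-traffic check Bob describes, as an added example that is not part of the original thread and not RealSecure's own alarm handling: an external sensor's alert is promoted to a real threat only if a flow from the target back to the attacker (same protocol, ports reversed) is seen inside the firewall within a short window after the alert; otherwise it is demoted as something the firewall stopped. The alert and flow line formats, the addresses and the signature names are all constructed for this illustration.

```python
"""Correlate external IDS alerts with return traffic seen behind the firewall.

Added example (not from the thread). The alert and flow formats below are
constructed for illustration, not RealSecure's or any real product's formats.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed formats:  alert = "<ts> <sig> <proto> <src>:<sport> -> <dst>:<dport>"
#                       flow  = "<ts> <proto> <src>:<sport> -> <dst>:<dport> bytes=<n>"
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<sig>\S+) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) bytes=(?P<nbytes>\d+)$")


@dataclass(frozen=True)
class Alert:
    ts: datetime
    sig: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Flow:
    ts: datetime
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int


def parse_alert(line: str) -> Alert:
    m = ALERT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable alert line: {line!r}")
    g = m.groupdict()
    return Alert(datetime.fromisoformat(g["ts"]), g["sig"], g["proto"],
                 g["src"], int(g["sport"]), g["dst"], int(g["dport"]))


def parse_flow(line: str) -> Flow:
    m = FLOW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow line: {line!r}")
    g = m.groupdict()
    return Flow(datetime.fromisoformat(g["ts"]), g["proto"], g["src"],
                int(g["sport"]), g["dst"], int(g["dport"]), int(g["nbytes"]))


def correlate(alerts, flows, window=timedelta(seconds=30)):
    """Return a list of (alert, verdict, evidence_flows).

    verdict is "REAL" when the alerted target sent bytes back to the attacker
    on the reversed 5-tuple within `window` after the alert, else "BLOCKED".
    The flow log is assumed to be captured inside the firewall, so a reply
    here means the firewall passed the attack and the host answered it.
    """
    by_tuple = {}
    for f in flows:
        by_tuple.setdefault((f.proto, f.src, f.sport, f.dst, f.dport), []).append(f)
    results = []
    for a in alerts:
        reverse_key = (a.proto, a.dst, a.dport, a.src, a.sport)  # target -> attacker
        evidence = [f for f in by_tuple.get(reverse_key, ())
                    if a.ts <= f.ts <= a.ts + window and f.nbytes > 0]
        results.append((a, "REAL" if evidence else "BLOCKED", evidence))
    return results


def summarize(alert_text: str, flow_text: str, window=timedelta(seconds=30)) -> dict:
    """Map each alert signature to its verdict for quick inspection."""
    alerts = [parse_alert(l) for l in alert_text.splitlines() if l.strip()]
    flows = [parse_flow(l) for l in flow_text.splitlines() if l.strip()]
    return {a.sig: verdict for a, verdict, _ in correlate(alerts, flows, window)}


# Constructed sample data: three external alerts and the inside-the-firewall flow log.
SAMPLE_ALERTS = """\
2001-01-20T09:30:01 WEB-IIS_unicode_traversal tcp 203.0.113.7:41022 -> 198.51.100.10:80
2001-01-20T09:30:05 SMTP_vrfy_probe tcp 203.0.113.9:51700 -> 198.51.100.25:25
2001-01-20T09:31:10 DNS_version_query udp 203.0.113.44:9000 -> 198.51.100.53:53
"""
SAMPLE_FLOWS = """\
2001-01-20T09:30:02 tcp 198.51.100.10:80 -> 203.0.113.7:41022 bytes=1420
2001-01-20T09:30:20 tcp 198.51.100.25:25 -> 203.0.113.9:51701 bytes=88
2001-01-20T09:32:30 udp 198.51.100.53:53 -> 203.0.113.44:9000 bytes=61
"""

if __name__ == "__main__":
    for sig, verdict in summarize(SAMPLE_ALERTS, SAMPLE_FLOWS).items():
        print(f"{verdict:8} {sig}")
```

In the sample, the IIS alert is the only one promoted: the web server answered the same connection one second later. The SMTP reply belongs to a different client port, so it is not the probed connection, and the DNS reply arrives 80 seconds after the alert, outside the 30-second window. Take the flow log from inside the firewall rather than from the external segment; otherwise a RST or ICMP unreachable generated by the firewall itself would be mistaken for the host replying.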
