
Mark,

        The answer to this is "it depends" on whether you want to know EVERYTHING
that was sent to your webservers, or just the stuff left over after the
firewall is done filtering it out. The advantage of EVERYTHING is that it
lets you observe in more detail the traffic that is going to your
web-servers, what your firewall is up against, justify the firewall being
there, and gives you the ability to see what the firewall is actually doing
(note: most [not all] of this could be derived from the firewall logs). The
advantage of just looking at the post-filtered traffic is that you observe what is
left after the firewall is done with it, which lets you examine the efficiency
of your firewall rulebase and provides an extra layer of defense via
negation. This way, if you see malicious traffic hitting your webservers,
it means it was allowed by the firewall, and maybe it is time to start
tuning the firewall to block that sort of traffic. Some sites implement IDS
sensors on both sides of the firewall to have a clear picture of what they
are up against, and how effective their defences are.

Hope this helps,

-Igor Gashinsky

At 06:03 PM 4/2/00 EDT, [EMAIL PROTECTED] wrote:
>I'm going to install RealSecure in our dmz network, and I was
>contemplating on whether or not the IDS should be sitting outside or
>behind our firewall.  My objective is to monitor traffic targeting our web
>servers.  Does anyone have any insights on the pros and cons as to where
>the IDS should be placed on the network?


