TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED]  Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------

This is also discussed in the ISS RealSecure Getting Started Guide.

Properly planning your IDS deployment and what types of events you 
will be monitoring/looking out for is very important.

/m




Igor Gashinsky <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
04/04/00 12:09 PM

 
        To:     [EMAIL PROTECTED], [EMAIL PROTECTED]
        cc: 
        Subject:        Re: Installing RealSecure Questions




Mark,

        The answer to this is "it depends" on whether you want to know
EVERYTHING that was sent to your webservers, or just the stuff left over
after the firewall is done filtering it out. The advantage of EVERYTHING is
that it lets you observe in more detail the traffic that is going to your
web-servers and what your firewall is up against, helps justify the firewall
being there, and gives you the ability to see what the firewall is actually
doing (note: most [not all] of this could be derived from the firewall logs).
The advantage of just looking at the post-filtered traffic is that you
observe what is left after the firewall is done with it, which lets you
examine the efficiency of your firewall rulebase and provides an extra layer
of defense via negation. This way, if you see malicious traffic hitting your
webservers, it means it was allowed by the firewall, and maybe it is time to
start tuning the firewall to block that sort of traffic. Some sites implement
IDS sensors on both sides of the firewall to have a clear picture of what
they are up against, and how effective their defences are.

Hope this helps,

-Igor Gashinsky

At 06:03 PM 4/2/00 EDT, [EMAIL PROTECTED] wrote:
>I'm going to install RealSecure in our dmz network, and I was
>contemplating on whether or not the IDS should be sitting outside or
>behind our firewall.  My objective is to monitor traffic targeting our
>web servers.  Does anyone have any insights on the pros and cons as to
>where the IDS should be placed on the network?
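
An added example, not part of the original thread and not RealSecure output: with sensors on both sides of the firewall, as the reply above describes, alerts can be correlated to separate what the firewall allowed from what it dropped. The alert tuples, addresses and signature names are constructed, and the code assumes no NAT between the sensors and synchronized sensor clocks.

```python
from collections import defaultdict

# Constructed sample alerts: (epoch_seconds, src_ip, dst_ip, dst_port, signature).
# Addresses (RFC 5737 ranges) and signature labels are hypothetical.
OUTSIDE = [
    (100, "198.51.100.7", "192.0.2.10", 80, "cgi-probe"),
    (101, "198.51.100.7", "192.0.2.10", 23, "telnet-attempt"),
    (130, "203.0.113.9", "192.0.2.11", 80, "long-url"),
    (131, "203.0.113.9", "192.0.2.11", 21, "ftp-attempt"),
]
INSIDE = [
    (100.4, "198.51.100.7", "192.0.2.10", 80, "cgi-probe"),
    (130.2, "203.0.113.9", "192.0.2.11", 80, "long-url"),
    (250, "192.0.2.11", "192.0.2.10", 80, "cgi-probe"),  # DMZ host to DMZ host
]

def correlate(outside, inside, window=2.0):
    """Pair each outside alert with one inside alert for the same
    flow and signature seen within `window` seconds."""
    by_key = defaultdict(list)
    for alert in inside:
        by_key[alert[1:]].append(alert)
    for alerts in by_key.values():
        alerts.sort()
    passed, blocked = [], []
    for alert in sorted(outside):
        candidates = by_key.get(alert[1:], [])
        match = next((c for c in candidates
                      if abs(c[0] - alert[0]) <= window), None)
        if match:
            candidates.remove(match)   # each inside alert pairs only once
            passed.append(alert)       # seen on both sides: firewall allowed it
        else:
            blocked.append(alert)      # seen outside only: did not reach the DMZ
    # Inside alerts with no outside counterpart never crossed the firewall.
    inside_only = sorted(a for alerts in by_key.values() for a in alerts)
    return passed, blocked, inside_only

def rules_to_review(passed):
    """Count allowed alerts per (dst_ip, dst_port, signature): tuning candidates."""
    counts = defaultdict(int)
    for _, _, dst, port, sig in passed:
        counts[(dst, port, sig)] += 1
    return dict(counts)

if __name__ == "__main__":
    passed, blocked, inside_only = correlate(OUTSIDE, INSIDE)
    print("allowed by the firewall:", rules_to_review(passed))
    print("seen outside only:", blocked)
    print("seen behind the firewall only:", inside_only)
```

An outside-only alert can also mean the inside sensor missed the event, so the firewall logs remain the authority on what was actually dropped.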






