IDS Placement

johnnyBravo1

IS-IT--Management
Mar 16, 2004
I have an existing network with a firewall. I would like to place a linux IDS piece of hardware somewhere within the network. I don't want to take out the firewall because it's been doing a good job. Anyone with advice on where to place it or articles to help me out. Thanks in advance
 
Does your firewall have a DMZ port? If it does, that is where I would look to put it. Then you can have it watch both sides of the firewall and report what got through.
 
Do you have a switch that supports port monitoring/spanning? If so, you could hang it off the switch the firewall and DMZ components are connected to. The Linux based IDS system would listen in promiscuous mode thus not adding another layer 3+ system on the outside of the network.

An optimal solution to this is to place a promiscuous interface on the external switch and the internal switch. All traffic in and out of the network is analyzed and anomalies are much easier to track down.
 
The above are excellent suggestions. And here's mine.

We have our IDS after our IPS, but before the firewall. So in short:

Router
IPS
IDS
Firewall
Clients

You'll have to make sure whatever you do though, that the machine can handle the load.

----------------------------
"Security is like an onion" - Unknown
 
Hi,

If you place your IDS after your router and before your firewall it must be configured to be the least sensitive, as it will see the most traffic and the possibility of false positives will increase. Most IDSs these days are deployed outside the network firewall, where they detect any attack and send an alarm. By contrast, if an IDS were placed within the firewall, it would detect only attacks that penetrate that security shield.

The latter approach, though less used, is the better one. It saves the system administrator from wasting time on failed attempts to enter the system. (Remember, a firewall is actually preventing the attacks on the system, and it will do so regardless of whether an IDS is in place to monitor real-time attacks.)

 
However, the problem with placing the IDS inside the firewall is that if your servers have problems (we have various reasons for not putting servers behind a firewall, though we would like to), you won't be able to catch that. I agree that there definitely are merits to putting it behind the firewall, but there are valid arguments to putting it in front as well. I thought long and hard about where I put mine. :)

----------------------------
"Will work for bandwidth" - Thinkgeek T-shirt
 
Hi,

One of our government clients had similar concerns; we came up with a zoning off of the IDS and implemented three: one in front of the firewall, one in the DMZ and one in the intranet, each using a different sensitivity, and used ISS management software to tie them all in so that we did not lose control or create too much management overhead. Obviously a solution like this costs...
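The trade-off discussed in the two posts above (a sensor in front of the firewall sees every attempt, including the ones the firewall drops anyway; a sensor behind it sees only what got through) and the three-sensor zoning just described can be checked on paper with a small simulator. The following is an added example, not code from the thread or from any vendor; the firewall policy, the three sensor positions, the severity thresholds and the sample flows are all constructed for illustration and use only documentation address ranges.

```python
"""Which IDS sensor sees which attack, as a function of where it sits
relative to the firewall.

Added example (not from the thread). The firewall policy, the sensor
positions, their severity thresholds and the sample flows are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    signature: str   # IDS signature the flow would match; "" means benign traffic
    severity: int    # 1 = noisy recon ... 5 = confirmed exploit (hypothetical scale)


# Constructed firewall policy: first match wins, anything else is dropped.
# Each rule: (destination network, destination port, zone the firewall forwards into).
POLICY = [
    ("203.0.113.0/24", 80, "dmz"),      # public web servers
    ("203.0.113.0/24", 443, "dmz"),
    ("10.0.0.0/8", 25, "inside"),       # mail relay on the internal LAN
]

# Hypothetical sensor tuning: the sensor in front of the firewall sees the most
# traffic, so it is tuned least sensitive (highest threshold); the internal one
# sees only what the firewall let through, so it can afford to fire on anything.
SENSOR_MIN_SEVERITY = {"outside": 4, "dmz": 2, "inside": 1}


def firewall_zone(flow: Flow) -> str:
    """Return the zone the firewall forwards this flow into, or 'dropped'."""
    dst = ip_address(flow.dst)
    for net, port, zone in POLICY:
        if dst in ip_network(net) and flow.dport == port:
            return zone
    return "dropped"


def sensor_sees(sensor: str, zone: str) -> bool:
    """A sensor outside the firewall sees every inbound flow; the DMZ and inside
    sensors (e.g. on a SPAN port of their segment's switch) see only what the
    firewall forwarded into that segment."""
    if sensor == "outside":
        return True
    return zone == sensor


def alerts(flows):
    """Map each sensor position to the signatures it would raise an alert for."""
    result = {sensor: [] for sensor in SENSOR_MIN_SEVERITY}
    for flow in flows:
        if not flow.signature:
            continue
        zone = firewall_zone(flow)
        for sensor, min_sev in SENSOR_MIN_SEVERITY.items():
            if sensor_sees(sensor, zone) and flow.severity >= min_sev:
                result[sensor].append(flow.signature)
    return result


def alerts_on_blocked_attacks(flows):
    """Signatures the outside sensor alerts on that the firewall dropped anyway:
    the 'wasted time' the thread argues about."""
    return [f.signature for f in flows
            if f.signature and firewall_zone(f) == "dropped"
            and f.severity >= SENSOR_MIN_SEVERITY["outside"]]


# Constructed sample traffic (documentation/test address ranges only).
SAMPLE_FLOWS = [
    Flow("198.51.100.7", "203.0.113.10", 80, "HTTP path traversal", 4),
    Flow("198.51.100.7", "203.0.113.10", 22, "SSH brute force", 5),   # firewall drops
    Flow("198.51.100.9", "10.0.0.5", 25, "SMTP VRFY probe", 2),
    Flow("198.51.100.9", "203.0.113.10", 443, "", 0),                 # benign
    Flow("198.51.100.20", "10.0.0.5", 445, "SMB share scan", 1),      # firewall drops
    Flow("198.51.100.21", "203.0.113.11", 80, "SQL injection", 5),
]

if __name__ == "__main__":
    for sensor, sigs in alerts(SAMPLE_FLOWS).items():
        print(f"{sensor:8s} {len(sigs)} alerts: {sigs}")
    print("outside sensor alerts on traffic the firewall dropped:",
          alerts_on_blocked_attacks(SAMPLE_FLOWS))
```

Running it shows the outside sensor raising three alerts, one of them for an SSH brute-force attempt the firewall never forwarded, while the DMZ sensor sees only the two web attacks and the inside sensor only the low-severity SMTP probe that the policy allowed through. Swapping in your own policy and a day of real flow records (for example from firewall logs) gives a quick estimate of how much of each sensor's alert volume would be spent on traffic the firewall already blocks, which is the number to look at before deciding whether the box can handle the load in front of the firewall.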
 
Not sure, but if I'm reading what Jonny is writing, he may not have the IP available or the hardware to place the IDS external to the FW. Anyway, depending on what type of FW he has and how it's configured, I'd place the FW in a DMZ with the webservers. Have the FW set to log and alert on the IP and port scans etc., and have the IDS watch for those who make it into the DMZ/internal net. Have a paging system to alert you to the successful attempts. Just my 2 cents [cheers]
 