Solved

IDS inside vs. outside firewall

Posted on 2003-12-11
6
Medium Priority
325 Views
Last Modified: 2013-11-16
We currently use a Cisco 4235 IDS and PIX 515E with the IDS listening on the outside. We gather around 300-500 false positives every day and it has become a chore to sort through them all. Would it be more beneficial to listen inside the firewall?

I'm afraid it will get to the point that when the IDS "cries wolf" there will be nobody around to notice the event. Listening to the inside would make our alarms more meaningful. We would like to have both inside and outside but we have to stick to the budget.
0
Question by:mikesparker
6 Comments
 
LVL 6

Expert Comment

by:Joseph_Moore
ID: 9926291
Well obviously, if you run the IDS inside the firewall, then it will only tell you if either a) internal clients are doing something they shouldn't, or b) if an outside intruder had managed to get past the firewall to do attacks or compromise a DMZ machine to then do attacks.
Personally, I think this is a security policy decision. My company has it in their security policy that IDS only runs inside the firewall, and only cursory exams of the firewall logs for outside traffic is done. Basically, we don't care about an IDS scan on the external side of the firewall. Of course it is gonna record a whole lot of attacks and scans and other stuff. But, we feel that our firewall is configured properly to keep out traffic we don't want and to allow only traffic we do want in.
The IDS is, primarily, for our internal clients and things they should not be doing (like if virus-infected, or doing port scans).
So, I guess I am saying it comes down to a company policy decision.
If your company really cares to know what kind of traffic your firewall is blocking, then keep the IDS outside and deal with the false alerts.
But if you are OK with your firewall config, then I say move the IDS inbound. The false alerts will drop, and you can set your company policy to use IDS for internal clients (i.e. employees) in keeping them in line!
0
 
LVL 79

Accepted Solution

by: lrmoore (earned 500 total points)
ID: 9928137
Personal opinion, run it on the inside.
I know that everyone in the world is knocking on my door, rattling the chain. That's only going to increase, and the amount of 'false positives' increases, increasing the time someone has to look at the traffic and fine tune the system.
However, if the IDS is on the inside, 80% of the threat is actually on the inside anyway. Employees doing things they shouldn't, bringing in laptops that are infected, etc. I want to know who got in and who's doing something on my LAN that they shouldn't.
It's a given that every wannabe on the planet is knocking, I only care about who got through, or who is already inside - period.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 9931197
agree with lrmoore
if you want to do it more perfectly (not thinking about how useful an IDS is, and why it then can be "near" perfect :), I'd run one external, one internal, and compare both with the firewall settings.
0

 
LVL 79

Expert Comment

by:lrmoore
ID: 9931446
ahoffmann brings up a good point. If money was no object, and I had the staff to monitor and maintain, I'd put one on the inside and one on the outside. The outside one can directly interact with the screening/edge router and dynamically update access-lists. If the IDS notices a port scan from an IP address, it can automatically block any further packets from that IP from ever even getting close to the firewall.
0
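As an added example (not code from this thread, from Cisco, or from any of the posters), the script below does the two things the last two comments describe: it compares alerts from an outside sensor and an inside sensor to see which sources got past the firewall (ahoffmann's "compare both with the firewall settings"), and it flags port-scan sources seen by the outside sensor and renders deny entries for the edge router's access list (lrmoore's dynamic access-list idea). The one-line alert format, every sample alert, the IP addresses, the thresholds and the function names are constructed for this example; the output lines use Cisco IOS extended-ACL syntax, but nothing here pushes them to a device.

```python
"""
Added example: correlate outside/inside IDS alerts and build a block list
from port-scan sources. The alert format and all sample lines below are
constructed for this example; they are not Cisco IDS 4235 output.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed format: "<ISO timestamp> <sensor> <src_ip> <dst_ip>:<dst_port> <signature>"
OUTSIDE_ALERTS = """\
2003-12-11T10:00:01 outside 198.51.100.7 203.0.113.10:22 SSH-brute
2003-12-11T10:00:05 outside 198.51.100.7 203.0.113.10:23 telnet-probe
2003-12-11T10:00:09 outside 198.51.100.7 203.0.113.10:135 RPC-probe
2003-12-11T10:00:12 outside 198.51.100.7 203.0.113.10:139 NetBIOS-probe
2003-12-11T10:00:15 outside 198.51.100.7 203.0.113.10:445 SMB-probe
2003-12-11T10:00:20 outside 198.51.100.7 203.0.113.10:1433 MSSQL-probe
2003-12-11T10:01:00 outside 192.0.2.44 203.0.113.10:80 IIS-unicode
2003-12-11T10:02:00 outside 192.0.2.91 203.0.113.10:443 SSL-probe
"""
INSIDE_ALERTS = """\
2003-12-11T10:01:00 inside 192.0.2.44 10.0.0.5:80 IIS-unicode
2003-12-11T10:05:00 inside 10.0.0.23 10.0.0.77:445 SMB-worm-scan
"""


def parse_alerts(text):
    """Parse the constructed one-alert-per-line format into dicts."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sensor, src, dst, sig = line.split()
        dst_ip, dst_port = dst.rsplit(":", 1)
        alerts.append({"ts": datetime.fromisoformat(ts), "sensor": sensor,
                       "src": src, "dst": dst_ip, "port": int(dst_port),
                       "sig": sig})
    return alerts


def correlate(outside, inside):
    """Split sources by where they were seen. Seen on both sensors means the
    firewall passed the traffic; outside only means the edge stopped it (or
    the target never answered); inside only is an internal host, which an
    outside sensor can never see."""
    out_src = {a["src"] for a in outside}
    in_src = {a["src"] for a in inside}
    return {"passed_firewall": out_src & in_src,
            "stopped_at_edge": out_src - in_src,
            "internal_only": in_src - out_src}


def scan_sources(alerts, min_ports=5, window=timedelta(seconds=60)):
    """Flag a source that touches at least `min_ports` distinct destination
    ports within any sliding window of length `window`. Thresholds are
    assumptions for the example; tune them against real traffic."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src"]].append((a["ts"], a["port"]))
    scanners = set()
    for src, events in by_src.items():
        events.sort()
        for i, (t_end, _) in enumerate(events):
            # distinct ports hit in the window ending at this event
            ports = {p for t, p in events[: i + 1] if t >= t_end - window}
            if len(ports) >= min_ports:
                scanners.add(src)
                break
    return scanners


def acl_lines(sources, acl_number=101):
    """Render deny entries in Cisco IOS extended-ACL syntax. The ACL number
    is an assumption; applying the lines to a router is out of scope."""
    return [f"access-list {acl_number} deny ip host {ip} any"
            for ip in sorted(sources)]


if __name__ == "__main__":
    outside = parse_alerts(OUTSIDE_ALERTS)
    inside = parse_alerts(INSIDE_ALERTS)
    for bucket, srcs in correlate(outside, inside).items():
        print(f"{bucket}: {sorted(srcs)}")
    for line in acl_lines(scan_sources(outside)):
        print(line)
```

On the sample data the only source seen by both sensors is 192.0.2.44, so that is the one alert actually worth a person's time; the scanner 198.51.100.7 never appears inside and only earns a deny line. One caveat a practitioner would want before wiring the deny lines into a router automatically: the block decision trusts the source address of a scan, and a scan sent with forged sources would make the router deny whatever addresses the attacker chose, so automatic blocking is normally paired with an expiry time and a never-block list of critical peers.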
 

Author Comment

by:mikesparker
ID: 9931624
Well, I just finished moving it inside the firewall. We are also looking at buying a 4 port PCI sniffing card. I think it retails for $750. Then we can monitor the inside, outside, DMZ, Server VLAN, etc. with 1 sensor. Thanks for the helpful answers.
0
 

Expert Comment

by:iliescufm
ID: 9950552
There is a so-called "honey pot" concept in information security. Integrated with other security products, it can be very efficient and reduce or eliminate the false positives.

Check this link (on my personal web site)

http://www.geocities.com/iliescufm/p02_Momela_Sol_Teh.html

It is in Romanian but you can find there the name of some products and links to their sites. You can also search on net for honeypots.

Regards,
Florin
0
