Solved

IDS inside vs. outside firewall

Posted on 2003-12-11
Last Modified: 2013-11-16
We currently use a Cisco 4235 IDS and PIX 515E with the IDS listening on the outside. We gather around 300-500 false positives every day and it has become a chore to sort through them all. Would it be more beneficial to listen inside the firewall?

I'm afraid it will get to the point that when the IDS  "cries wolf" there will be nobody around to notice the event. Listening to the inside would make our alarms more meaningfull. We would like to have both inside and outside but we have to stick to the budget.
Question by:mikesparker
6 Comments
Expert Comment

by:Joseph_Moore
ID: 9926291
Well obviously, if you run the IDS inside the firewall, then it will only tell you if either a) internal clients are doing something they shouldn't, or b) if an outside intruder had managed to get past the firewall to do attacks or compromise a DMZ machine to then do attacks.
Personally, I think this is a security policy decision. My company has it in their security policy that IDS only runs inside the firewall, and only cursory exams of the firewall logs for outside traffic are done. Basically, we don't care about an IDS scan on the external side of the firewall. Of course it is gonna record a whole lot of attacks and scans and other stuff. But, we feel that our firewall is configured properly to keep out traffic we don't want and to allow only traffic we do want in.
The IDS is, primarily, for our internal clients and things they should not be doing (like if virus-infected, or doing port scans).
So, I guess I am saying it comes down to a company policy decision.
If your company really cares to know what kind of traffic your firewall is blocking, then keep the IDS outside and deal with the false alerts.
But if you are OK with your firewall config, then I say move the IDS inbound. The false alerts will drop, and you can set your company policy to use IDS for internal clients (i.e. employees) in keeping them in line!

Accepted Solution

by:lrmoore (earned 125 total points)
ID: 9928137
Personal opinion, run it on the inside.
I know that everyone in the world is knocking on my door, rattling the chain. That's only going to increase, and the amount of 'false positives' increases, increasing the time someone has to look at the traffic and fine tune the system.
However, if the IDS is on the inside, 80% of the threat is actually on the inside anyway. Employees doing things they shouldn't, bringing in laptops that are infected, etc. I want to know who got in and who's doing something on my LAN that they shouldn't.
It's a given that every wannabe on the planet is knocking, I only care about who got through, or who is already inside - period.

Expert Comment

by:ahoffmann
ID: 9931197
agree with lrmoore
if you want to do it more perfect (not thinking about how useful an IDS is, and why it then can be "near" perfect:), I'd run one external, one internal, and compare both with the firewall setting.
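One way to act on the suggestion above of comparing sensor output with the firewall setting: triage external-sensor alerts against the firewall's inbound permit list, so alerts for traffic the edge would drop anyway are separated from the ones that would actually reach the inside. This is an added example, not code from the thread or from Cisco; the permit entries, addresses and alert records are constructed for illustration.

```python
"""Triage external IDS alerts against a constructed inbound firewall policy."""
from ipaddress import ip_address, ip_network

# Constructed inbound permits, modelled loosely on access-list entries:
# (protocol, destination network, destination port or None for any port).
INBOUND_PERMITS = [
    ("tcp", ip_network("203.0.113.0/28"), 80),
    ("tcp", ip_network("203.0.113.0/28"), 443),
    ("tcp", ip_network("203.0.113.10/32"), 25),
    ("icmp", ip_network("203.0.113.0/28"), None),
]


def permitted(proto, dst_ip, dst_port=None):
    """True if the edge firewall would let a packet with this tuple through."""
    dst = ip_address(dst_ip)
    return any(
        p == proto and dst in net and (port is None or port == dst_port)
        for p, net, port in INBOUND_PERMITS
    )


def triage(alerts):
    """Split alerts into (reaches_inside, blocked_at_edge), preserving order."""
    inside, blocked = [], []
    for alert in alerts:
        target = inside if permitted(alert["proto"], alert["dst"], alert.get("dport")) else blocked
        target.append(alert)
    return inside, blocked


# Constructed sample alerts; not captured from a real sensor.
SAMPLE_ALERTS = [
    {"sig": "Port scan", "src": "198.51.100.7", "dst": "203.0.113.5", "proto": "tcp", "dport": 135},
    {"sig": "HTTP CONNECT tunnel", "src": "198.51.100.9", "dst": "203.0.113.5", "proto": "tcp", "dport": 80},
    {"sig": "SMTP relay attempt", "src": "198.51.100.3", "dst": "203.0.113.10", "proto": "tcp", "dport": 25},
    {"sig": "NetBIOS probe", "src": "198.51.100.7", "dst": "203.0.113.6", "proto": "udp", "dport": 137},
]

if __name__ == "__main__":
    inside, blocked = triage(SAMPLE_ALERTS)
    print(f"{len(inside)} alerts reach inside, {len(blocked)} dropped at the edge")
    for alert in inside:
        print("  REVIEW:", alert["sig"], alert["src"], "->", alert["dst"], alert["dport"])
```

The "blocked" bucket is still worth a periodic count per source address, since a single host probing many closed ports is the kind of pattern lrmoore describes wanting to know about.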

Expert Comment

by:lrmoore
ID: 9931446
ahoffmann brings up a good point. If money was no object, and I had the staff to monitor and maintain, I'd put one on the inside and one on the outside. The outside one can directly interact with the screening/edge router and dynamically update access-lists. If the IDS notices a port scan from an IP address, it can automatically block any further packets from that IP from ever even getting close to the firewall.

Author Comment

by:mikesparker
ID: 9931624
Well, I just finished moving it inside the firewall. We are also looking at buying a 4 port PCI sniffing card. I think it retails for $750. Then we can monitor the inside, outside, DMZ, Server VLAN, etc. with 1 sensor. Thanks for the helpful answers.

Expert Comment

by:iliescufm
ID: 9950552
There is a so-called "honey pot" concept in information security. Integrated with other security products it can be very efficient and reduce / eliminate the false positives.

Check this link (on my personal web site)

http://www.geocities.com/iliescufm/p02_Momela_Sol_Teh.html

It is in Romanian but you can find there the name of some products and links to their sites. You can also search on net for honeypots.

Regards,
Florin