Solved

IDS inside vs. outside firewall

Posted on 2003-12-11
Last Modified: 2013-11-16
We currently use a Cisco 4235 IDS and PIX 515E with the IDS listening on the outside. We gather around 300-500 false positives every day and it has become a chore to sort through them all. Would it be more beneficial to listen inside the firewall?

I'm afraid it will get to the point that when the IDS "cries wolf" there will be nobody around to notice the event. Listening to the inside would make our alarms more meaningful. We would like to have both inside and outside but we have to stick to the budget.
Question by:mikesparker
6 Comments
 
LVL 6

Expert Comment

by:Joseph_Moore
ID: 9926291
Well obviously, if you run the IDS inside the firewall, then it will only tell you if either a) internal clients are doing something they shouldn't, or b) if an outside intruder had managed to get past the firewall to do attacks or compromise a DMZ machine to then do attacks.
Personally, I think this is a security policy decision. My company has it in their security policy that IDS only runs inside the firewall, and only cursory exams of the firewall logs for outside traffic are done. Basically, we don't care about an IDS scan on the external side of the firewall. Of course it is gonna record a whole lot of attacks and scans and other stuff. But, we feel that our firewall is configured properly to keep out traffic we don't want and to allow only traffic we do want in.
The IDS is, primarily, for our internal clients and things they should not be doing (like if virus-infected, or doing port scans).
So, I guess I am saying it comes down to a company policy decision.
If your company really cares to know what kind of traffic your firewall is blocking, then keep the IDS outside and deal with the false alerts.
But if you are OK with your firewall config, then I say move the IDS inbound. The false alerts will drop, and you can set your company policy to use IDS for internal clients (i.e. employees) in keeping them in line!
LVL 79

Accepted Solution

by: lrmoore (earned 500 total points)
ID: 9928137
Personal opinion, run it on the inside.
I know that everyone in the world is knocking on my door, rattling the chain. That's only going to increase, and the amount of 'false positives' increases, increasing the time someone has to look at the traffic and fine tune the system.
However, if the IDS is on the inside, 80% of the threat is actually on the inside anyway. Employees doing things they shouldn't, bringing in laptops that are infected, etc. I want to know who got in and who's doing something on my LAN that they shouldn't.
It's a given that every wannabe on the planet is knocking, I only care about who got through, or who is already inside - period.
LVL 51

Expert Comment

by:ahoffmann
ID: 9931197
agree with lrmoore
if you want to do it more perfect (not thinking about how useful an IDS is, and why it then can be "near" perfect:), I'd run one external, one internal, and compare both with the firewall setting.
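The "compare both with the firewall setting" idea above, worked through as an added example (this is not code from the thread or from any Cisco product). It assumes two sensors whose alerts are exported as one line each, `timestamp sensor src dst dst_port signature`, and a hand-written copy of the inbound permit rules; the alert lines and the policy table are constructed sample data. An alert seen on both sensors got through the firewall, one seen only outside was blocked (noise), one seen only inside came from the LAN, and an outside-only alert on a port the policy permits is flagged as a mismatch worth checking (sensor blind spot or a rule that does not do what you think).

```python
from collections import Counter, defaultdict

# Constructed sample alerts from two sensors (not real data).
# Format: timestamp sensor src_ip dst_ip dst_port signature
ALERTS = """\
2003-12-11T09:00:01 outside 198.51.100.7 192.0.2.10 80 WEB-IIS cmd.exe access
2003-12-11T09:00:01 inside 198.51.100.7 192.0.2.10 80 WEB-IIS cmd.exe access
2003-12-11T09:02:15 outside 198.51.100.9 192.0.2.10 135 NETBIOS DCERPC probe
2003-12-11T09:03:40 outside 198.51.100.9 192.0.2.11 1434 MS-SQL Slammer probe
2003-12-11T09:05:02 inside 10.0.0.23 10.0.0.5 445 NETBIOS SMB worm propagation
2003-12-11T09:06:10 outside 198.51.100.12 192.0.2.10 25 SMTP relay attempt
2003-12-11T09:07:00 outside 198.51.100.20 192.0.2.10 443 SSL bad version
"""

# Assumed inbound policy: destination -> ports the firewall permits.
# Hypothetical values; take them from your own rule set in practice.
FIREWALL_ALLOW = {
    "192.0.2.10": {80, 443},
    "192.0.2.11": set(),
}


def parse_alerts(text):
    """Turn one alert line into a dict; skips blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sensor, src, dst, port, sig = line.split(maxsplit=5)
        events.append({"ts": ts, "sensor": sensor, "src": src,
                       "dst": dst, "port": int(port), "sig": sig})
    return events


def correlate(events, policy):
    """Group identical alerts by (src, dst, port, signature) and label each
    group by which sensors reported it and whether the policy permits it."""
    seen = defaultdict(set)
    for e in events:
        seen[(e["src"], e["dst"], e["port"], e["sig"])].add(e["sensor"])

    results = []
    for (src, dst, port, sig), sensors in sorted(seen.items()):
        permitted = port in policy.get(dst, set())
        if sensors == {"outside", "inside"}:
            label = "PASSED_FIREWALL"       # real traffic reached the LAN
        elif sensors == {"outside"}:
            # Blocked as expected, unless the policy says it should have
            # passed; then either a sensor missed it or the rule is wrong.
            label = "POLICY_MISMATCH" if permitted else "BLOCKED_AT_FIREWALL"
        else:
            label = "INTERNAL_ORIGIN"       # never crossed the outside sensor
        results.append({"src": src, "dst": dst, "port": port,
                        "sig": sig, "label": label})
    return results


def triage(text=ALERTS, policy=FIREWALL_ALLOW):
    """Return (labelled alerts, count per label) for a batch of alerts."""
    results = correlate(parse_alerts(text), policy)
    return results, Counter(r["label"] for r in results)


if __name__ == "__main__":
    labelled, counts = triage()
    for r in labelled:
        print(f'{r["label"]:20} {r["src"]:>14} -> {r["dst"]}:{r["port"]}  {r["sig"]}')
    print(dict(counts))
```

Of the seven sample alerts only one needs a human tonight (the cmd.exe probe that both sensors saw); three are firewall-blocked noise that the outside sensor alone generates, which is exactly the volume the original poster wants out of the inbox. The sensor-only-outside-but-port-permitted case is the one worth keeping an eye on, because it is the cheapest way to notice that the firewall and the IDS disagree about what the policy is.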
LVL 79

Expert Comment

by:lrmoore
ID: 9931446
ahoffmann brings up a good point. If money was no object, and I had the staff to monitor and maintain, I'd put one on the inside and one on the outside. The outside one can directly interact with the screening/edge router and dynamically update access-lists. If the IDS notices a port scan from an IP address, it can automatically block any further packets from that IP from ever even getting close to the firewall.
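The port-scan-to-access-list loop lrmoore describes, as an added example that is not from the thread or from any Cisco IDS feature. It assumes a connection log with one line per flow, `timestamp src dst dst_port`, and it counts distinct destination ports per source inside a sliding 60-second window; the log lines are constructed. The deny lines it produces use the `deny ip host <addr> any` form of a Cisco IOS extended access-list entry, but pushing them to a router is left to whatever change process you have, since automatic blocking has its own failure modes (see the two cases the sample data deliberately includes).

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

SCAN_PORT_THRESHOLD = 10          # distinct ports from one source in the window
WINDOW = timedelta(seconds=60)

# Assumed address ranges that must never be auto-blocked at the edge:
# the LAN itself and a hypothetical partner range. Internal scanners get
# reported, not shunned, because a mistake here cuts off your own users.
PROTECTED = [ipaddress.ip_network("10.0.0.0/8"),
             ipaddress.ip_network("203.0.113.0/24")]


def constructed_log():
    """Constructed sample flows (not real data): one fast scanner, one busy
    legitimate client, one internal scanner, and one slow scanner."""
    base = datetime(2003, 12, 11, 10, 0, 0)
    lines = []
    # 12 ports in 24 seconds from one outside host
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 1433]):
        lines.append(f"{(base + timedelta(seconds=2 * i)).isoformat()} 198.51.100.33 192.0.2.10 {port}")
    # ten web hits in ten seconds: many flows, one port, not a scan
    for i in range(10):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 198.51.100.40 192.0.2.10 80")
    # an infected LAN host sweeping a server: detect it, do not shun it
    for i, port in enumerate(range(135, 147)):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 10.0.0.23 10.0.0.5 {port}")
    # one port per minute: stays under any 60-second window
    for i, port in enumerate(range(6000, 6012)):
        lines.append(f"{(base + timedelta(minutes=i)).isoformat()} 198.51.100.50 192.0.2.11 {port}")
    return lines


def detect_port_scans(lines, threshold=SCAN_PORT_THRESHOLD, window=WINDOW):
    """Return {src: distinct_port_count} for sources that touched at least
    `threshold` distinct destination ports within any `window`."""
    flows = defaultdict(list)
    for line in lines:
        ts, src, _dst, port = line.split()
        flows[src].append((datetime.fromisoformat(ts), int(port)))

    scanners = {}
    for src, events in flows.items():
        events.sort()
        # Anchor the window at each flow in turn; fine for sensor-sized batches.
        for i, (start, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - start <= window}
            if len(ports) >= threshold:
                scanners[src] = len(ports)
                break
    return scanners


def build_block_list(scanners, protected=PROTECTED):
    """Produce router ACL deny lines for detected scanners that are outside
    every protected range."""
    acl = []
    for src in sorted(scanners):
        addr = ipaddress.ip_address(src)
        if any(addr in net for net in protected):
            continue
        acl.append(f"deny ip host {src} any")
    return acl


if __name__ == "__main__":
    found = detect_port_scans(constructed_log())
    print("scanners:", found)
    print("\n".join(build_block_list(found)))
```

Two of the four sources are flagged, but only the outside one ends up in the deny list; the internal host shows up in the scanner dict for someone to chase down, which is the "who is already inside" case the accepted answer cares about. The slow scanner is the caveat: a window short enough to react quickly is long enough to miss a patient sweep, so a shunning loop like this reduces noise at the edge without replacing the inside sensor.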

Author Comment

by:mikesparker
ID: 9931624
Well, I just finished moving it inside the firewall. We are also looking at buying a 4 port PCI sniffing card. I think it retails for $750. Then we can monitor the inside, outside, DMZ, Server VLAN, etc. with 1 sensor. Thanks for the helpful answers.

Expert Comment

by:iliescufm
ID: 9950552
There is a so-called "honey pot" concept in information security. Integrated with other security products, it can be very efficient and reduces / eliminates the false positives.

Check this link (on my personal web site)

http://www.geocities.com/iliescufm/p02_Momela_Sol_Teh.html

It is in Romanian but you can find there the name of some products and links to their sites. You can also search on net for honeypots.

Regards,
Florin