monitoring IDS in a NATTed environment

ISP
|
| 68.33.256.x
router
|
|  <--DMZ (192.168.1.0 network). IDS resides here
|
Firewall
|
|
internal router
|
|
internal network

If I have someone on the internet attacking me, wouldn't the source IP be 192.168.1.x?
dissolved asked:

dr_binks commented:
As far as I know NAT should work something like this:

Outgoing packet:

before router-  src:192.168.1.x  dest:<internet IP>
after router-   src:<public IP of modem>  dest:<internet IP>

Incoming packet:

before router-  src:<internet IP>  dest:<public IP of modem>
after router-   src:<internet IP>  dest:192.168.1.x

So any attacks coming from the internet will show the actual IP of the attacker.

Also I've noticed that some "hackers" try to spoof an internal IP address, to fool the router into thinking they are on your network... but a good NAT router should detect that and stop it.

If anyone wants to correct me, feel free.

Hope this helps

~Binks
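A worked model of the translation described in the reply above, added here as an example (it is not code from the original thread). It models the router in the question as a port-forwarding NAT: inbound packets from the ISP side have only their destination rewritten, outbound replies have only their source rewritten, and an inbound packet that already carries an RFC 1918 source is treated as forged and dropped. The addresses are assumptions: the router's public address is 198.51.100.1 and the attacker is 203.0.113.5 (both from the RFC 5737 documentation ranges, since the 68.33.256.x in the diagram is not a valid address), and the DMZ web host is 192.168.1.10. The RFC 1918 check is written out explicitly rather than using `ipaddress.is_private`, because that property also matches the documentation ranges used here.

```python
"""Toy model of a port-forwarding NAT router with an IDS on the DMZ side.

Addresses below are assumptions for the example, not from the thread.
"""
import ipaddress
from dataclasses import dataclass, replace

PUBLIC_IP = "198.51.100.1"  # assumed public address of the router

# Port-forward (DNAT) table: public port -> (DMZ host, DMZ port). Assumed.
DNAT_TABLE = {80: ("192.168.1.10", 80), 443: ("192.168.1.10", 443)}

# RFC 1918 private ranges, checked explicitly.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def is_rfc1918(ip: str) -> bool:
    """True if ip falls in 10/8, 172.16/12 or 192.168/16."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def nat_inbound(pkt: Packet):
    """Router logic for a packet arriving on the ISP-facing interface.

    Returns the translated packet delivered to the DMZ, or None if dropped.
    """
    # Anti-spoofing: a packet from the internet side can never legitimately
    # carry a private source address, so it is forged and is dropped.
    if is_rfc1918(pkt.src):
        return None
    # Without a forwarding rule for this port nothing reaches the DMZ.
    if pkt.dst != PUBLIC_IP or pkt.dport not in DNAT_TABLE:
        return None
    inside_host, inside_port = DNAT_TABLE[pkt.dport]
    # Only the destination is rewritten; the source stays the real sender.
    return replace(pkt, dst=inside_host, dport=inside_port)


def nat_outbound(pkt: Packet) -> Packet:
    """Router logic for a reply leaving the DMZ: only the source changes."""
    return replace(pkt, src=PUBLIC_IP)


def ids_alert(pkt: Packet) -> str:
    """What an IDS sensor on the DMZ segment would log for a delivered packet."""
    return f"ALERT src={pkt.src}:{pkt.sport} -> dst={pkt.dst}:{pkt.dport}"


if __name__ == "__main__":
    # Constructed sample traffic: an attacker probing the forwarded web port.
    attack = Packet("203.0.113.5", PUBLIC_IP, 40000, 80)
    delivered = nat_inbound(attack)
    print(ids_alert(delivered))  # the IDS sees 203.0.113.5, not 192.168.1.x

    reply = nat_outbound(Packet("192.168.1.10", "203.0.113.5", 80, 40000))
    print("reply on the wire:", reply)

    # Forged packet claiming to come from inside the DMZ is dropped.
    spoofed = Packet("192.168.1.50", PUBLIC_IP, 1234, 80)
    print("spoofed delivered:", nat_inbound(spoofed))
```

Run it directly to see the three cases; the IDS line shows the attacker's real public address with the DMZ host as destination, the reply leaves with the router's public address as source, and the spoofed packet is dropped before it reaches the sensor.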

harbor235 commented:
>If I have someone on the internet attacking me, wouldn't the source IP be 192.168.1.x?

No, the source IP does not change as it is routed to your site; it is the destination IP that will change. So the source will be the public IP.
Hopefully your security policy will mitigate the attack and not allow him access. If your boxes in the DMZ are compromised, then traffic could originate/source from 192.168.1.x.

harbor235

dissolved (author) commented:
I got ya. So only my internal traffic is modified at layer 3. Public traffic isn't modified at layer 3.

dr_binks commented:
I'm pretty sure that's how it works.
srikrishnak commented:
Yeah... normally an IDS or IPS will be placed in a spot where it can "listen" to the most traffic.
Added to Dr_Binks & harbor...

Just my 2 cents. It's better to have monitoring at the firewall. Sometimes the attacker may successfully bypass the routers and stuff and come into the internal network. :)
dissolved (author) commented:
Thanks fellas.