Tuesday, March 15, 2011

IDS Placement

A discussion on the SANS Alumni Group on LinkedIn started up concerning IDS placement. I weighed in with this:

"I've had this discussion before when a company I worked for mandated ONE IDS at the ingress points, with additional ones optional. I've always believed behind the firewall would be where you would put the IDS if you could only have one. My reasoning is that 1) behind the firewall shows you what traffic just made it past your router ACL's, firewall rules, reverse proxying,etc. 2) behind the firewall lets you see the real IP of outbound traffic instead of the hide address, so when boxes get infected or compromised and start connecting out, you can shut down the traffic and easily trace the box to clean it. 3) Outside the firewall keeps down the white noise of junk your perimeter defenses and allows you to concentrate on alerts of interest. If you have both, you tune your external IDS for the traffic you need to see, like specific high value servers or boxes that attract a lot of attacks, to gauge what preventive shunning needs done.
Mike Poor talks about the umbrella sensor, that is the sensor right at the edge of the network that's supposed to detect all traffic to everything behind it and how it's not a good architecture. Ideally, you should have layers of sensors at strategic points, like in front of your web farm, in front of your name servers, in front of WAN links with partners and clients, etc and then you can tune each one appropriately with what signatures you run and with filtering. That's the ideal set up. For many, especially those smaller companies, that umbrella sensor is all you're going to get. In that case, behind the firewall is the only place to put it..."

What do you think (especially those new to the network security field)? Assuming you had to work with an umbrella sensor and could only have one, where would you put it?


Eric said...

I'm a little biased, working for an IDS/Log management vendor, but I think if you are analyzing your firewall logs, you will get a strong sense of what your firewall is dropping on the front end, and then having your IDS behind the firewall.

That said, I've seen a number of people stand up a Snort instance in front of their firewall, and a different enterprise-class firewall after.

JeffSoh said...

Agree, having a heterogeneous environment is a good idea. If an attack slips past one sensor from Vendor X, it will slip past all of them, assuming they are configured the same. Having another vendor's box looking at the same traffic gives you another chance to detect and alert (and drop if it's IPS)

Blog Archive