IDS question (for a noob)

Dustin Decker dustind at moon-lite.com
Fri Aug 29 20:00:14 CDT 2003


On Fri, 29 Aug 2003, Kurt wrote:

[snip]

> Now that being said, where would you all place the thing? On the WAN
> line, picking up attempts? Or on the LAN line? If I understand
> correctly, putting it on the LAN will only allow me to see what
> intrusions have already happened? And then there is this DMZ thing that
> I don't seem to fully understand. All I'm really trying to accomplish is
> some learning and maybe get a kick out of checking things. Do any of you
> have any suggestions as to the placement, and why? Appreciate it.

I would suggest both outside as well as in actually, but would make a 
point of separating the processes.  It really depends on what you think 
your threat vectors are going to turn out to be, but the external access 
point to your network is generally the one people feel the most need to 
examine.  You want to be able to see when the bad guys are trying to get 
in.

I would also mention that you should probably do some form of demand pull 
on the information... don't have your IDS send automatic messages in 
response to inbound positives unless you know for sure they aren't false.  
In a lot of cases (particularly when you're just getting started) false 
positives become ignored... and genuine positives get ignored with them, 
rendering your work ineffective.

In addition, these triggers can often tip your hand if they are
implemented incorrectly, allowing an attacker to determine how
successful their efforts have been to remain undetected.

Hope this helps out, good luck, and have fun.
Dustin

-- 
o-----------------------------------o
| Dustin Decker - CNA, MCP          |
| dustin at dustindecker.com       o-------------------------------------o
| Network Engineer              | Occam's eraser:                     |
| Preferred Physicians Group    | The philosophical principle that    |
o-------------------------------| even the simplest solution is bound |
                                | to have something wrong with it.    |
                                o-------------------------------------o
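As an added example (not from the original thread, and not either poster's code), the following script shows one way to put Dustin's "demand pull" suggestion into practice: alerts are collected into an on-demand digest, grouped by signature, with signatures the operator has already judged to be noise on this network kept out of the headline view but still counted. Nothing is sent anywhere automatically. The alert lines and signature IDs are constructed for the example, in the style of Snort's "fast" alert format; the format assumption is noted in the code.

```python
"""Pull-style IDS alert digest (added example, not from the original thread).

Instead of pushing a notification for every alert (which trains people to
ignore them once false positives pile up, and which can tip off an attacker
that a probe was noticed), this collects alerts into an on-demand summary:
grouped by signature, with known-noisy signatures suppressed from the
headline view but still counted.  Alert lines below are constructed in the
style of Snort's "fast" alert format; the signature IDs are made up.
"""
import re

# Assumed line layout (Snort-style "fast" alerts):
#   MM/DD-HH:MM:SS.uuuuuu  [**] [gid:sid:rev] msg [**] [Classification: ...]
#   [Priority: N] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Constructed sample alerts (documentation-range addresses, made-up sids).
SAMPLE_ALERTS = [
    "08/29-20:01:03.110000  [**] [1:900001:1] CONSTRUCTED WEB probe /cgi-bin [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 198.51.100.7:40512 -> 192.0.2.10:80",
    "08/29-20:01:04.220000  [**] [1:900001:1] CONSTRUCTED WEB probe /cgi-bin [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 198.51.100.7:40513 -> 192.0.2.10:80",
    "08/29-20:02:10.000000  [**] [1:900002:3] CONSTRUCTED ICMP PING sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.4 -> 192.0.2.10",
    "08/29-20:02:11.000000  [**] [1:900002:3] CONSTRUCTED ICMP PING sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.5 -> 192.0.2.10",
    "08/29-20:02:12.000000  [**] [1:900002:3] CONSTRUCTED ICMP PING sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.4 -> 192.0.2.11",
    "08/29-20:03:30.500000  [**] [1:900003:2] CONSTRUCTED SMTP relay attempt [**] [Priority: 1] {TCP} 198.51.100.7:51000 -> 192.0.2.25:25",
    "this line is not an alert and is skipped",
]

# Signatures the operator has already judged to be noise here (constructed
# sid).  They stay counted, but are kept out of the headline view.
SUPPRESSED_SIDS = {"900002"}


def parse_alert(line):
    """Return a dict of fields for one fast-format alert line, or None."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(lines, suppressed_sids=frozenset()):
    """Group alerts by signature id.

    Returns {sid: {"msg", "priority", "count", "sources", "suppressed"}}.
    Nothing is sent anywhere: the operator asks for this when they want it.
    """
    groups = {}
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue  # unparseable line: skip rather than alert on it
        g = groups.setdefault(a["sid"], {
            "msg": a["msg"],
            "priority": int(a["prio"]),
            "count": 0,
            "sources": set(),
            "suppressed": a["sid"] in suppressed_sids,
        })
        g["count"] += 1
        g["sources"].add(a["src"])
    return groups


def digest(groups):
    """Render the headline view: unsuppressed signatures, most urgent first.

    Priority 1 is the most severe in Snort's scheme, so sort ascending on
    priority, then descending on alert count.
    """
    rows = [(sid, g) for sid, g in groups.items() if not g["suppressed"]]
    rows.sort(key=lambda kv: (kv[1]["priority"], -kv[1]["count"]))
    out = ["%-8s %-4s %-6s %-4s %s" % ("sid", "prio", "count", "srcs", "msg")]
    for sid, g in rows:
        out.append("%-8s %-4d %-6d %-4d %s"
                   % (sid, g["priority"], g["count"], len(g["sources"]), g["msg"]))
    hidden = sum(g["count"] for g in groups.values() if g["suppressed"])
    out.append("(%d alert(s) from suppressed signatures not shown)" % hidden)
    return "\n".join(out)


if __name__ == "__main__":
    print(digest(summarize(SAMPLE_ALERTS, SUPPRESSED_SIDS)))
```

Run it on a real alert file by replacing `SAMPLE_ALERTS` with the file's lines; the suppression set is the tuning knob that grows as you confirm which signatures are noise on your own network, so that the digest you pull stays worth reading.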

More information about the Kclug mailing list