
Thread: Parameters needed for security in IDS

  1. #1
    Join Date
    Aug 2009
    Posts
    76

    Parameters needed for security in IDS

    I am going to put an IDS on the network.

    My questions:

    1) Place the IDS on a DMZ or behind a firewall? (knowing that there are several DMZs)

    2) What parameters need to be secured on the Linux machine that hosts the IDS?

  2. #2
    Join Date
    May 2008
    Posts
    3,516

    Re: Parameters needed for security in IDS

    Here is the answer to your question:
    1. Neither one nor the other. Or both.

    To put things in order: say you have the capacity, in terms of human resources, to operate an IDS, and you also have the technical resources to do so. I have just read the string of questions you have posted so far, and the way the questions are asked makes me think that your eyes are bigger than your belly and that "some" elements still escape you, probably for a short while, the time it takes to bring your knowledge up to date, which represents thousands of pages of documentation.

    Before installing an IDS, and subject to the two conditions set out above, you should have assessed the assets to protect, and especially the risks. Having answered these questions, you would know which parts of your network require the utmost vigilance. From there you would have designed an architecture accordingly and installed defenses in depth. You would then deduce the sensitive points, and therefore where to place the probes of your IDS.

    To illuminate the point, take an example. If for you the biggest threat lies outside the network (Internet), then you need at least one probe, either in the DMZ or behind the firewall, but before the latter. It is very useful to observe what is happening outside the door rather than being barricaded behind it, listening to the sounds that filter through without knowing what is happening outside. You'll look smart when the door explodes and you are facing an opponent that can contain. If you had seen what was happening outside, you would have seen the forces gathering outside your door.
    If your business involves the use of sensitive data, especially if it is known to users, or to some of them, then it is at the exit of the internal LAN that there should be at least one probe, to find overly curious employees roaming around restricted areas.

    These two examples, neither of which fits your preconceived idea of the issue, are there to explain that there is no recipe.

  3. #3
    Join Date
    Aug 2009
    Posts
    76

    Re: Parameters needed for security in IDS

    Yes, I gathered as much; I understood that, it has been repeated many times. I just need your opinion. I would still like your views on the following architecture:

    I have 7 DMZs on a series of blue PIX, DMZ = Group 1
    I have 8 DMZs on a series of white PIX, DMZ = Group 2
    1 leg of each PIX on a LAN
    1 admin LAN behind a PIX with a leg on the client LAN

    I'll place the IDS this way:
    1 IDS before firewall 1, 1 IDS between FIREWALL1 and DMZ group 1
    1 IDS before firewall 2, 1 IDS between FIREWALL2 and DMZ group 2
    1 IDS before the PIX of the admin LAN

    Why 1 upstream / 1 downstream: it is important to be alerted beforehand (with proper filters), and to notice, after a time, that the firewall has been crossed!
    Monitoring is more coherent and more convincing.
    Needless to say, of course, there will be rules, filters, scripting and dev work for upstream and downstream visibility, alert notification, all of it squared away ..

    In total, 7 IDS (I'm not going into the details of the archi ...). All of it centralized on one console. Why such a setup? We host very sensitive data.

    I would like your opinion on this development ..

  4. #4
    Join Date
    Nov 2008
    Posts
    1,066

    Re: Parameters needed for security in IDS

    I see no point in installing an IDS before the firewall. You would only do this when you have no confidence in the setup of the firewall. And then it generates too many alerts for things that do not pass the firewall. How much human time is available to monitor the IDS alerts?

  5. #5
    Join Date
    May 2008
    Posts
    3,516

    Re: Parameters needed for security in IDS

    Originally posted by KABIRA16:
        I have 7 DMZs on a series of blue PIX, DMZ = Group 1
        I have 8 DMZs on a series of white PIX, DMZ = Group 2

    I do not understand. Besides, your elliptical style does not help. Posting a diagram would be preferable. I do not give an opinion on something I do not understand.

    However, in the absence of a diagram: it is not necessarily consistent or necessary to multiply the probes (not IDSs). Properly configured switches simplify things, in addition to improving security. Tap boxes are also useful.

    Originally posted by KABIRA16:
        We host very sensitive data

    Quite amazing. Organizations facing such issues have corresponding obligations, and therefore a corresponding technical environment, and they have the finances or the internal expertise, or can afford to pay specialists.

    It is something that escapes me at this point.
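
Added example, not part of any post in this thread: one way to script the upstream/downstream visibility discussed in posts #3 and #4, by pairing alerts from the probe before the firewall with alerts from the probe behind it, so that alerts for traffic the firewall stopped can be separated from alerts for traffic that crossed it. The `Alert` fields, the probe labels, the 5-second window and the sample alerts are assumptions constructed for illustration, and the matching assumes no NAT between the two probes.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Alert:
    ts: float    # epoch seconds
    probe: str   # "upstream" = before the firewall, "downstream" = behind it
    src: str
    dst: str
    dport: int
    sig: str     # signature name (hypothetical)

def flow_key(a):
    return (a.src, a.dst, a.dport, a.sig)

def correlate(alerts, window=5.0):
    """Return (crossed, blocked, downstream_only); assumes no NAT between probes.
    crossed = seen on both sides within `window` seconds; blocked = upstream only."""
    down = defaultdict(list)
    for a in sorted(alerts, key=lambda x: x.ts):
        if a.probe == "downstream":
            down[flow_key(a)].append(a)
    used, crossed, blocked = set(), [], []
    for up in sorted(alerts, key=lambda x: x.ts):
        if up.probe != "upstream":
            continue
        # First unused downstream alert for the same flow, at or after `up`.
        hit = next((d for d in down.get(flow_key(up), [])
                    if id(d) not in used and 0 <= d.ts - up.ts <= window), None)
        if hit is None:
            blocked.append(up)          # stopped by the firewall: low priority
        else:
            used.add(id(hit))
            crossed.append((up, hit))   # crossed the firewall: review first
    downstream_only = [d for ds in down.values() for d in ds if id(d) not in used]
    return crossed, blocked, downstream_only

# Constructed sample alerts (documentation address ranges, made-up signatures).
SAMPLE = [
    Alert(100.0, "upstream", "203.0.113.7", "192.0.2.10", 22, "ssh-bruteforce"),
    Alert(101.0, "upstream", "203.0.113.7", "192.0.2.10", 80, "http-sqli-probe"),
    Alert(101.2, "downstream", "203.0.113.7", "192.0.2.10", 80, "http-sqli-probe"),
    Alert(130.0, "upstream", "198.51.100.4", "192.0.2.10", 445, "smb-scan"),
    Alert(140.0, "downstream", "192.0.2.55", "192.0.2.10", 3306, "mysql-auth-fail"),
]

if __name__ == "__main__":
    crossed, blocked, inside = correlate(SAMPLE)
    print(len(crossed), "crossed;", len(blocked), "blocked;", len(inside), "downstream-only")
```

Alerts in the downstream-only list did not come through the monitored firewall within the window, which points at internal sources or at traffic the upstream probe did not flag.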
