IDS question [was: Re: Firewall and DMZ topology]

["Steve Bremer" <steveb () nebcoinc com>]

> tri-homed firewall, more so if you have IDS sensors at exterior, dmz,
> and interior, and the time to monitor them.

Changing subjects a little bit here.  I agree with our IDS comment, 
but I'm curious about how your external IDS is used.  

I've ran into differing opinions on this (as I do with most things 
security related ;-), but I I don't think that I would want the external 
IDS monitoring incoming traffic.  Why?  Because it would be going 
off all the time.  As many times as we're probed during the day, the 
IDS sensor would be in a constant state of sending alerts.  Yes, you 
could adjust the rules to reduce this, but then what is the point of 
having the IDS sensor there?  However, I believe the external IDS 
sensor should be there to monitor traffic leaving your external 
firewall so you can see if one of your internal or DMZ hosts have 
been compromised.  

What do you think?

Steve Bremer
NEBCO, Inc.
System & Security Administrator

---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.
     
Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.
          
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------