Re: IDS on Switched Networks

From: Don Ng (sayhockng@yahoo.com)
Date: 12/05/01


Date: Wed, 5 Dec 2001 08:42:56 -0800 (PST)
From: Don Ng <sayhockng@yahoo.com>
To: stoeckp@research.panasonic.com, focus-ids@securityfocus.com


 Hi Paul, a short answer, as I foresee a lot more
replies to your questions coming from others more
qualified to answer.

 If your router/switch can do port mirroring, then just
connecting a network IDS to it would be fine. Otherwise a
hub could be another option. Most network IDS can
have a NIC that acts as a passive sniffer anyway.
 
 As to where to place the sensor: I would go for both,
one to monitor the external side, one for the internal. I
work for a distributor of security products, so
over-instrumentation is fun :) And in any case, if the
traffic does not pass by the sensor it will not get
monitored. So some people deploy IDS on their internal
segments too, I believe.

 Look at this link at CSI, www.gocsi.com:
http://www.gocsi.com/roundtable.htm

In front:
 Advantages:
Higher state of alert: you know what attacks you are
facing.
 Disadvantages:
Wall-to-wall data, boring?
If your firewall has NAT turned on, tracking the
sources originating from your internal network is
difficult.

Behind:
 Advantages: Only what gets through the firewall gets
monitored? Less load on the IDS analyst.
You get to see which hosts are sending traffic to the
internet.
 Disadvantages: Less idea of the state of the environment,
false sense of safety.
 

Where should IDS be placed relative to firewalls?
Explore the pros and cons of placing IDS inside or
outside the firewall. What are the drawbacks of each?

Marcus from NFR Security states: "I'd put mine inside.
Why should I care if someone is attacking the outside
of my firewall? I care only if they succeed, which my
IDS on the inside would ideally detect. Placing the
IDS on the outside is going to quickly lull the
administrator into complacency. I used to have a
highly instrumented firewall that alerted me whenever
someone attacked it. Two weeks later I was deleting
its alert messages without reading them. Another
important factor arguing for putting it inside is that
not all intrusions come from the outside or the
firewall. An IDS on the inside might detect new
network links appearing, or attackers that got in via
another avenue such as a dial-in bank."

Curry from IBM: "The IDS should be placed where it will
be able to see as much of the network traffic you're
concerned about as possible. For example, if you're
concerned about attacks from the Internet, it makes
the most sense to put the IDS outside the firewall.
This gives it an "unobstructed" view of everything
that's coming in. If you put the IDS inside the
firewall, then you're not seeing all the traffic the
bad guys are sending at you, and this may impact your
ability to detect intrusions."

Sutterfield from Wheel Group:
"IDS ideally plays an important role both inside and
outside a firewall. Outside a firewall, IDS watches
legitimate traffic going to public machines such as
e-mail and Web servers. More importantly IDS outside a
firewall will see traffic that would typically be
blocked by a firewall and would remain undetected by
an internal system. This is especially important in
detecting network sweeping which can be a first
indication of attack. External systems will also give
you the benefit of monitoring those services that
firewalls determine are legitimate. Putting an IDS
inside the firewall offers the added benefit of being
able to watch traffic internal to the protected
network. This adds an important element of protection
against insider threats. The major drawback of IDS
inside a firewall is that it cannot see a good deal of
important traffic coming from untrusted networks and
may fail to alert on obvious signals of an impending
attack."

Klaus:
Outside the firewall is almost always a good idea: it
protects the DMZ devices from attack and dedicates an
additional processor to protecting the internal
network. Just inside the firewall is also useful: it
detects attempts to exploit the tunnels that exist
through the firewall and provides an excellent source
of data for how well your firewall is working.
Throughout your intranet may be the best place for IDS
deployment, however. Everyone agrees that attacks
aren't the only things we're worried about: there's
internal mischief, fraud, espionage, theft, and
general network misuse. Intrusion detection systems
are just as effective inside the network as outside,
especially if they're unobtrusive and easy to deploy.

Spafford:
The IDS must be inside any firewalls to be able to
detect insider abuse and certain kinds of attacks
through the firewall. IDS outside the firewall may be
useful if you want to monitor attacks on the firewall,
and to sample traffic that the firewall doesn't let
through. However, a true IDS system is likely to be
wasted there unless you have some follow-through on
what you see.

--- "Paul W. Stoecker, Ph.D."
<stoeckp@research.panasonic.com> wrote:
> Folks,
>
> If you are on a switched network, do you have to
> place your NIDS sensor
> in a location that can capture everything? For
> instance, my firewall is
> connected into a router which contains all of my
> switches and acts as a
> switch itself.
>
> Do I have to put the sensor in the critical path?
> Does that mean that I
> have to put a sensor on the Firewall, use another
> machine that is a
> router, or do I need a hub for the sensor and
> firewall to share?
>
> Your help is greatly appreciated.
>
> Paul
>
> --
> Paul W. Stoecker, Ph.D
> Network and Information Systems Manager
> Checkpoint Certified Security Administrator
> Panasonic Technologies Company
> Two Research Way
> Princeton, NJ 08540
> Phone: (609) 734-7584
> FAX: (609) 987-8827

=====
A Nobel Peace Prize for Jim Henson,
 He brought laughter to a lot of people.

 PS: I work at www.Quantiqint.com, so
 comments regarding CyberGuard FW, NFR Security, Network-1,
 might be judged to be biased.



