I am wondering about IDS placement. Currently our design is perimeter router, firewall, and then interior router which connects all internal networks. A sensor is placed between the FW and the interior router. All traffic that is allowed through the FW is subject to inspection by the IDS. I have an opportunity to place another sensor between the FW and the exterior router, however I need a solid justification for this. Does anyone know of any documentation, preferably from Cisco, that could justify a sensor in front of and behind the FW? Thank you.
We've had similar conversations. The external sensor can give you a good idea if someone is feeling out your network, aka reconnaissance. It's particularly helpful when you have multiple points of presence on the Internet. However, without some automated means to do the forensic footwork, the level of traffic you'll see tends to look like noise. When you are correlating the events from numerous devices using something like Netforensics or Intellitactics Security Manager, it makes it more useful.
There are several good reasons to have a sensor placed outside of the firewall (in fact it is preferable to have it outside the firewall if you can afford to spend some time tuning it). If you are interested, I wrote an article over a year ago in which I referred to IDS placement techniques and had a little equation called "Degree Of Attack Accuracy" which tried to quantify how effective certain sensor management techniques are. The article is a little old but could be interesting: http://online.securityfocus.com/infocus/1477 . Personally, IMHO, if you can afford to spend time tuning, having one on the outside is the way to go. You catch attacks and probes sooner, which allows the attacker to be positively identified and removed from the network sooner. Having one inside the firewall makes correlation and threat determination easier.
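The replies above argue that an outside sensor shows reconnaissance and probes the firewall stops, while the inside sensor shows what actually got through, and that the two are most useful when correlated. As an added illustration (not from the thread or any of its posters), the following Python script correlates alerts from a hypothetical outside sensor and inside sensor by source, destination, port, signature and a time window, and sorts each outside alert into "blocked at the firewall" or "passed the firewall". All addresses, timestamps and signature names are constructed sample data; the record format is an assumption, not the output of any real sensor.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (hypothetical values; not real sensor output).
# Outside sensor: sits between the exterior router and the firewall.
OUTSIDE_ALERTS = [
    {"ts": "2003-05-01T10:00:01", "src": "203.0.113.7", "dst": "198.51.100.10",
     "dport": 22, "sig": "SSH brute force"},
    {"ts": "2003-05-01T10:00:05", "src": "203.0.113.7", "dst": "198.51.100.10",
     "dport": 80, "sig": "HTTP directory traversal"},
    {"ts": "2003-05-01T10:01:00", "src": "203.0.113.9", "dst": "198.51.100.11",
     "dport": 445, "sig": "SMB probe"},
]
# Inside sensor: sits between the firewall and the interior router.
INSIDE_ALERTS = [
    {"ts": "2003-05-01T10:00:06", "src": "203.0.113.7", "dst": "198.51.100.10",
     "dport": 80, "sig": "HTTP directory traversal"},
    {"ts": "2003-05-01T10:02:00", "src": "192.168.10.5", "dst": "192.168.10.20",
     "dport": 445, "sig": "SMB probe"},
]


def _parse_ts(value):
    return datetime.fromisoformat(value)


def _key(alert):
    # Alerts are matched on the 4-tuple that survives a non-NAT firewall.
    # If the firewall translates addresses, the NAT mapping must be applied
    # to one side before correlation, or nothing will line up.
    return (alert["src"], alert["dst"], alert["dport"], alert["sig"])


def correlate(outside, inside, window_seconds=30):
    """Pair outside alerts with inside alerts seen within the time window.

    Returns a dict with three buckets:
      passed_firewall   - (outside, inside) pairs: the traffic got through
      blocked_at_firewall - outside alerts with no inside counterpart
      inside_only       - inside alerts never seen outside (internal origin,
                          or an address change the correlation key missed)
    """
    window = timedelta(seconds=window_seconds)
    index = defaultdict(list)
    for alert in inside:
        index[_key(alert)].append(alert)

    matched = set()  # ids of inside alerts already paired
    result = {"passed_firewall": [], "blocked_at_firewall": [], "inside_only": []}
    for out in outside:
        hit = None
        for cand in index.get(_key(out), []):
            close = abs(_parse_ts(cand["ts"]) - _parse_ts(out["ts"])) <= window
            if id(cand) not in matched and close:
                hit = cand
                break
        if hit is not None:
            matched.add(id(hit))
            result["passed_firewall"].append((out, hit))
        else:
            result["blocked_at_firewall"].append(out)

    for alert in inside:
        if id(alert) not in matched:
            result["inside_only"].append(alert)
    return result


def recon_only_sources(result):
    """Sources that only ever appear in blocked alerts: pure reconnaissance
    that the firewall handled, which the inside sensor alone would never show."""
    passed = {o["src"] for o, _ in result["passed_firewall"]}
    blocked = {a["src"] for a in result["blocked_at_firewall"]}
    return sorted(blocked - passed)


if __name__ == "__main__":
    res = correlate(OUTSIDE_ALERTS, INSIDE_ALERTS)
    for bucket, items in res.items():
        print(f"{bucket}: {len(items)}")
    print("recon-only sources:", recon_only_sources(res))
```

On the sample data the HTTP traversal attempt is seen by both sensors (it passed the firewall), the SSH and SMB probes are seen only outside (blocked), and the internal SMB alert is inside-only; 203.0.113.9 shows up as a source the inside sensor would never have reported. That split is the "correlation and threat determination" the last reply refers to.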