Q

Where to put an IDS -- inside or outside of the firewall

We are in the process of implementing an intrusion-detection system. I have heard two different things: Place the

ID box outside of the firewall, and place the box inside of the firewall. Where is the best place to locate our network IDS? We don't plan on having any host IDs for now.


I'll answer your question with a question: Do you want to know who is knocking on your door (computers connecting from the Internet)? Or do you only want to see those that are allowed access?

If you prefer the first than outside, otherwise inside.

I typically tell people to place the IDS outside the firewall, and see if they can manage the traffic. This is good, for it allows you to see everyone trying and allowed to connect. Intrusion is typically detected when malicious activity is detected outside and it gets a response from inside. Most time malicious activity will hit the outside, but should never receive a response from inside your protected network.

Hope that helps. Give it a try. You can always move it inside. Also, most times I will tell clients to install SNORT or some other IDS along with the primary vendor to ensure you are in fact picking up everything.


For more information on this topic, visit these other SearchSecurity.com resources:
Featured Topic: Intrusion-detection systems
Executive Security Briefing: Recommendations for deploying an intrusion-detection system
Best Web Links: Infrastructure & Network Security
Ask the Expert: The placement of security solutions on a network


This was first published in March 2002

Dig deeper on Network Intrusion Detection (IDS)

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close