[25182] in bugtraq
Re: fragroute vs. snort: the tempest in a teacup
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Fri Apr 19 18:48:05 2002
From: "Steven M. Bellovin" <smb@research.att.com>
To: Darren Reed <avalon@coombs.anu.edu.au>
Cc: dugsong@monkey.org (Dug Song), dr@dursec.com (Dragos Ruiu),
bugtraq@securityfocus.com, snort-users@lists.sourceforge.net,
pen-test@securityfocus.com, roesch@sourcefire.com,
0xcafebabe@hushmail.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 19 Apr 2002 16:01:21 -0400
Message-Id: <20020419200122.F21737B4B@berkshire.research.att.com>
In message <200204182210.IAA10429@caligula.anu.edu.au>, Darren Reed writes:
> IMHO it makes little sense
> for an IDS to be *behind* a firewall as it's going to miss out on lots
> of useful data points.
The question to answer is what the purpose is of your IDS. If you're a
researcher on intrusion techniques, you should indeed have your IDS on
the outside. If you're a good citizen and have lots of free time, by
all means have one, so you can tell all the rooted sites that are
probing you that they're owned. But if you want to find out if you're
under attack, don't bother -- you are under attack, more or less
continuously.
An IDS on the inside will have many fewer false alarms, and will tell
you what you really want to know -- that someone has gotten through
your (other) defenses.
--Steve Bellovin, http://www.research.att.com/~smb
Full text of "Firewalls" book now at http://www.wilyhacker.com
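The placement argument above can be made concrete with a small simulation: the same alert stream, viewed by a sensor outside the firewall (sees everything) and by one inside it (sees only what the firewall let through), where anything that reached the inside sensor is by definition something the other defenses did not stop. This is an added illustration, not code from the thread or from Snort; the alert lines, the 192.0.2.0/24 protected network, and the three-rule inbound policy are all constructed for the example, and the alert format is a simplified Snort-style "fast" line, not the real Snort output format.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed protected network and hypothetical firewall policy (not from the thread).
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")
# Inbound connections from outside are allowed only to these (dst, proto, dport) triples.
ALLOWED_INBOUND = [
    (ipaddress.ip_network("192.0.2.10/32"), "tcp", 80),   # web server
    (ipaddress.ip_network("192.0.2.10/32"), "tcp", 443),
    (ipaddress.ip_network("192.0.2.25/32"), "tcp", 25),   # mail relay
]

# Constructed sample alerts in a simplified Snort-style fast format (sig names are made up).
SAMPLE_ALERTS = """\
04/19-16:01:21.000001 [**] WEB-ATTACKS /etc/passwd access [**] {TCP} 198.51.100.7:40001 -> 192.0.2.10:80
04/19-16:01:22.000002 [**] SCAN SSH probe [**] {TCP} 198.51.100.7:40002 -> 192.0.2.10:22
04/19-16:01:23.000003 [**] MS-SQL probe [**] {UDP} 203.0.113.9:1434 -> 192.0.2.40:1434
04/19-16:01:24.000004 [**] SMTP relay attempt [**] {TCP} 203.0.113.9:40003 -> 192.0.2.25:25
04/19-16:01:25.000005 [**] CHAT IRC nick change [**] {TCP} 192.0.2.40:51000 -> 203.0.113.77:6667
04/19-16:01:26.000006 [**] WEB-MISC scan [**] {TCP} 198.51.100.8:40004 -> 192.0.2.50:80
"""

ALERT_RE = re.compile(
    r"\[\*\*\] (?P<sig>.+?) \[\*\*\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


@dataclass
class Alert:
    sig: str
    proto: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int


def parse_alerts(text):
    """Parse the simplified fast-format lines above into Alert objects."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            alerts.append(Alert(m["sig"], m["proto"].lower(),
                                ipaddress.ip_address(m["src"]), int(m["sport"]),
                                ipaddress.ip_address(m["dst"]), int(m["dport"])))
    return alerts


def firewall_passes(a):
    """Would the hypothetical stateful firewall forward this packet?"""
    if a.src in INTERNAL_NET:
        # Outbound from a protected host: a typical stateful policy allows it.
        return True
    return any(a.dst in net and a.proto == proto and a.dport == port
               for net, proto, port in ALLOWED_INBOUND)


def sensor_view(alerts, placement):
    """Alerts a sensor at the given placement ('outside' or 'inside') would raise."""
    if placement == "outside":
        return list(alerts)          # sees the whole background noise
    return [a for a in alerts if firewall_passes(a)]


def triage(a):
    """Label an alert the way Bellovin's argument suggests reading it."""
    if a.src in INTERNAL_NET:
        return "internal host initiating (check for compromise)"
    if firewall_passes(a):
        return "reached a host the firewall exposes on purpose"
    return "background noise stopped by the firewall"


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for placement in ("outside", "inside"):
        seen = sensor_view(alerts, placement)
        print(f"{placement} sensor: {len(seen)} of {len(alerts)} alerts")
        for a in seen:
            print(f"  {a.sig:32s} {a.src}:{a.sport} -> {a.dst}:{a.dport}  [{triage(a)}]")
```

With this input the outside sensor reports all six alerts, three of which are probes the firewall drops anyway, while the inside sensor reports only the three that got past the policy; of those, the connection initiated by 192.0.2.40 to an external IRC port is the one that says a host behind the defenses is already doing something it should not. The firewall model is deliberately coarse (no connection tracking, no egress filtering), which is exactly the kind of gap an inside sensor ends up covering.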