Why is your IDS outside your firewall?

Stop that. You’re doing it wrong.

This is a very puzzling situation that I run across quite often, more often than I should. I thought I’d bring up a few points as to why I view IDSs outside of firewalls to be a bad thing.

Allow me to play Devil’s Advocate here for a minute, present a few arguments, then allow me to rebut them. I am not insulting anyone that has their sensors outside the firewall. But I ask you to please reconsider. Here you go:

1. We place a sensor outside of our firewall to see what’s “out there in the wild”.

First off, the Internet is not plugged into one big hub. Network traffic that is destined for somewhere else is not going to be seen by your network. Only the networks that you advertise as yours will receive the traffic intended for them. Placing a sensor outside of a firewall because you think you are going to see traffic “floating” by is just plain wrong.

