
Network IDS Sensor Placement


by Roamer - 1/25/01

This paper outlines the advantages of placing a Network Based Intrusion Detection Sensor (IDS) both in front of and behind the firewall.

If possible, network-based IDS sensors should be placed both in front of and behind the firewall. The sensor in front of the firewall allows monitoring of all activity coming into the network segment, which is valuable because it facilitates trend analysis. Sensors placed outside the firewall will detect port scans and vulnerability scans that are blocked by the firewall and would otherwise go unnoticed; these are often precursors to full-blown penetration attempts. Attacks that the firewall blocks, such as attempted connections to high-traffic ports, are recognized by this outside sensor. Additionally, sensors placed outside the firewall do not require that a port be opened on the firewall to allow traffic to pass back to the management console.

The sensor placed behind the firewall is also essential. This sensor monitors all outbound traffic, and the monitoring analyst can analyze that traffic to help determine whether a compromise has occurred. It also provides clues that an internal user may be preparing an attack on company resources. More importantly, this sensor tells the analyst which attackers have penetrated the firewall and are now attempting to gain access to machines that are thought to be protected. Analyzing the alerts from the inside sensor allows the analyst to make recommendations regarding firewall rules, and helps the analyst determine whether or not the firewall is working as intended.

By placing a network based IDS both in front of and behind an organization's firewall, an analyst is provided with the information that is necessary to best monitor a network. By analyzing the data from both sensor logs, the analyst is able to identify potential threats before they are exploited. The analyst is also able to determine the effectiveness of the current firewall configuration. On the whole, the combination of an internal and an external network based IDS provides the best possible solution to network monitoring.
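The analysis the paper describes, comparing what the outside sensor saw with what the inside sensor saw, can be expressed as a simple correlation over the two alert logs. The following script is an added example written for this page, not code from the original paper or from any IDS product. The sensor names, addresses, signature names and the assumption that everything in 10.0.0.0/8 is internal are all constructed for illustration. An event seen only outside was blocked by the firewall (useful for trend analysis), an event seen on both sensors penetrated the firewall (candidate for a new firewall rule), and an event seen only inside is either internal-origin activity or suspicious outbound traffic from a possibly compromised host.

```python
"""
Correlate alerts from an outside and an inside network IDS sensor.
All alerts, addresses and signature names below are constructed sample
data for this example; the internal address space is an assumption.
"""
from collections import namedtuple
from ipaddress import ip_address, ip_network

Alert = namedtuple("Alert", "sensor src dst dport sig")

# Assumed internal address space (hypothetical for this example).
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# Constructed sample alerts from the sensor in front of the firewall.
OUTSIDE_ALERTS = [
    Alert("outside", "198.51.100.7", "203.0.113.10", 23, "TELNET login attempt"),
    Alert("outside", "198.51.100.7", "203.0.113.10", 80, "HTTP directory traversal"),
    Alert("outside", "198.51.100.9", "203.0.113.10", 0, "PORTSCAN"),
]

# Constructed sample alerts from the sensor behind the firewall. The
# destination of the web attack is the private address because this
# hypothetical firewall performs NAT.
INSIDE_ALERTS = [
    Alert("inside", "198.51.100.7", "10.0.0.10", 80, "HTTP directory traversal"),
    Alert("inside", "10.0.0.55", "10.0.0.20", 445, "SMB share enumeration"),
    Alert("inside", "10.0.0.10", "198.51.100.7", 6667, "IRC outbound connection"),
]


def is_internal(addr, nets=INTERNAL_NETS):
    """True if addr falls inside one of the assumed internal networks."""
    ip = ip_address(addr)
    return any(ip in net for net in nets)


def event_key(alert):
    """Key used to match the same event on both sensors.

    The destination address is deliberately omitted: behind a NAT firewall
    the inside sensor sees the translated address, so an attack is matched
    on source address, destination port and signature instead.
    """
    return (alert.src, alert.dport, alert.sig)


def correlate(outside, inside, nets=INTERNAL_NETS):
    """Classify events by which sensor(s) observed them.

    blocked:            seen outside only (firewall stopped it)
    penetrated:         seen outside and inside (firewall let it through)
    internal_origin:    inside only, internal source and destination
    outbound:           inside only, internal source to external destination
    uncorrelated_inside: inside only, external source the outside sensor
                        never reported (check outside sensor coverage)
    """
    seen_out = {event_key(a) for a in outside}
    seen_in = {event_key(a): a for a in inside}
    report = {"blocked": [], "penetrated": [], "internal_origin": [],
              "outbound": [], "uncorrelated_inside": []}
    for key in seen_out:
        bucket = "penetrated" if key in seen_in else "blocked"
        report[bucket].append(key)
    for key, alert in seen_in.items():
        if key in seen_out:
            continue  # already counted as penetrated
        if not is_internal(alert.src, nets):
            report["uncorrelated_inside"].append(key)
        elif is_internal(alert.dst, nets):
            report["internal_origin"].append(key)
        else:
            report["outbound"].append(key)
    # Sort for deterministic output regardless of set iteration order.
    return {k: sorted(v) for k, v in report.items()}


def firewall_recommendations(report):
    """One deny rule per attacker/port pair that reached the inside sensor."""
    return sorted({f"deny from {src} to any port {port}"
                   for src, port, _sig in report["penetrated"]})


if __name__ == "__main__":
    result = correlate(OUTSIDE_ALERTS, INSIDE_ALERTS)
    for bucket, events in result.items():
        print(f"{bucket}:")
        for src, port, sig in events:
            print(f"  {src} -> port {port} [{sig}]")
    print("recommended firewall rules:")
    for rule in firewall_recommendations(result):
        print(f"  {rule}")
```

Keying events without the destination address is the choice that makes the two logs comparable across a NAT boundary; if the firewall does not translate addresses, the destination can be added back to the key to reduce false matches.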