From: Balaji T Ramaswamy (BalajiTRbangalorelabs.com)
Date: Wed Jan 09 2002 - 22:11:46 CST

    I go with JHS,
            to add to it... when implementing the IDS between the router and the
    firewall, assuming that NATing is taking place in the firewall, only NATed
    traffic will be the source or destination, not the real IP in the internal
    network.....
            Follow this rule: "try to place the NIDS very close to the servers
    to avoid problems like unwanted load on IDS, NAT, insertion and evasion."

    Rgds
    Balaji T R

    -----Original Message-----
    From: Jean-Hugues Smits [mailto:j.h.smitspointnet.nl]
    Sent: Wednesday, January 09, 2002 2:24 PM
    To: 'Bob Lemay'; issforumiss.net; 'lee_tze_minghotmail.com'
    Subject: RE: RealSecure and Firewall-1

    TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
    majordomoiss.net Contact issforum-owneriss.net for help with any
    problems!
    ----------------------------------------------------------------------------

    Use the product for what it's meant for.
    Let the (border) router route, the firewall block traffic and let the IDS
    detect the intrusions. That simple.
    The area between the border router and the first firewall is no-man's-land.
    The DMZ is protected(~) by you. So that (DMZ) is the place where intrusions
    could take place. Tadaa, place the Intrusion Detection System in the DMZ.
    Having your firewall filter the traffic decreases the number of
    possible connections to monitor. And thus decreases (logically) the number
    of malafide connections on which you should take action. This simplifies the
    fine-tuning of your IDS, which (could) make it more effective.

    The two-tier Checkpoint solution looks to me like it's overkill and/or Security
    by Consulting(tm). Have an extra NIC in the first FW and place your DMZ on
    that network. If there is some money, make the second FW a PIX; with less
    money, buy another FW than CheckPoint. This could make your network more
    secure than the two-of-a-kind solution.

    Put some proxies and relays in the space between the firewalls.

    Make your secure solution.

    Ave,

    JHS

    -----Original Message-----
    From: Bob Lemay [mailto:bobboblemay.com]
    Sent: Tuesday, January 08, 2002 7:55 PM
    To: issforumiss.net
    Subject: Re: RealSecure and Firewall-1

    I sold many managed Check Point solutions, which used an external RealSecure
    IDS (between the router & firewall). The rationale was that we wanted to get
    advanced notice of an attack while they were nibbling at the firewall.

    Of course, a second IDS in the DMZ would be the ultimate solution so that
    you don't constantly have to respond to alarms from the outside IDS. It all
    comes down to money. You either pay for a second IDS or pay for your staff
    to react to a greater number of false alarms.

    Concerning the second FW, with all due respect to Check Point, I would
    suggest a different type such as a Pix so that weaknesses in one cannot be
    exploited on the second. If you will go through the trouble of having two FWs
    and a DMZ IDS, you should consider implementing a Honeypot system in the DMZ
    to divert suspected activity while you have time to react.

    ----- Original Message -----
    From: "Tm Lee" <lee_tze_minghotmail.com>
    To: <issforumiss.net>
    Sent: Monday, January 07, 2002 7:37 PM
    Subject: RealSecure and Firewall-1

    >
    > Hi all,
    >
    > I recently came across a situation during a discussion of the IDS
    > location.  The setup that I was given was a two-tier firewall with a
    > choke-point border router and an IDS.
    >
    > Many had given suggestions of placing the IDS after the Firewall-1 (first),
    > that is, in the DMZ.  Their argument is to "sniff" for suspicious traffic
    > that the FW-1 is not able to deny.  Whereas my stance is to place it between
    > the border router and FW-1 (first), so that alerts will be triggered for the
    > security admin to deny that traffic at the FW-1 (first), a pre-emptive
    > approach.
    >
    > So, which is the most practical and acceptable approach? Or are there others?
    >
    > In addition, I am not able to understand the defense mechanism that had
    > deployed a pair of CheckPoint FW-1 as their two-tier defense. Could anyone
    > please comment if you have seen or heard of such practices?
    >
    > Internet (Bad guys)
    >     |
    > border router
    >     |
    >     |
    >     |
    > Firewall-1 (First)
    >     |
    >     | (DMZ)
    >     |
    > Firewall-1 (Second)
    >     |
    >     | (internal network)
    >     |
    > Internal
    >
    > Thanks and regards,
    > Apple