From: Ruprecht Jaeschke (520052496719-0001t-online.de)
Date: Wed May 23 2001 - 06:18:05 CDT

    Hi!

    > This scenario would allow me to find out if an internal user was performing
    > portscans, etc internally.
    This is of course only one IDS - actually I would say you need at least 2
    listeners - one as described and the other on the internal MASQ router for
    the internal network to monitor your users.

    > And if a machine were compromised, I would need
    > to see that and I could only see that by having my DMZ monitored by an IDS
    > (snort).
    The combination I describe allows you to monitor anything going out and in
    the DMZ. Not sure if it makes a big diff but I am using stateful filtering
    allowing everything going out of the DMZ.
    I actually implemented this configuration yesterday evening and as far as I
    can tell it works as expected.

    Rup