From: Ruprecht Jaeschke (520052496719-0001t-online.de)
Date: Wed May 23 2001 - 06:18:05 CDT
> This scenario would allow me to find out if an internal user was
> portscans, etc internally.
This is of course only one IDS - actually I would say you need at least 2
listeners - one as described and the other on the internal MASQ router for
the internal network to monitor your users.
> And if a machine were compromised, I would need
> to see that and I could only see that by having my DMZ monitored by an IDS
The combination I describe allows you to monitor anything going out and in
the DMZ. Not sure if it makes a big diff but I am using stateful filtering
allowing everything going out of the DMZ.
I actually implemented this configuration yesterday evening and as far as I
can tell it works as expected.