Re: [fw-wiz] How should an Internet connection/firewall be designed?
Dave Piscitello wrote:[color=blue]
> Kaas, David D wrote:[color=green]
>> How many companies have an IPS/deep-packet-inspection device between the
>> firewall and the border router?[/color]
> I honestly don't see a lot of this and unless there's a specific DOS
> prevention issue, I don't see a lot of point in policing traffic that I
> expect my firewall to block.[/color]
Back when I still did security for a living, I was a supporter of having
an IDS device between your border router and your external firewall.
However it was not for the reasons most folks might think. I wanted the
external IDS in logging-only (no alarms) mode, purely for forensic and
legal purposes. When we saw something funky on our internal/DMZ nets, we
could look at the external logs to see if it was part of an attack pattern.
Of course there is a cost/benefit analysis that has to be done to
determine if the data mining is worth the cost of the device.
I agree that anyone who has alarms enabled from an outside-the-firewall
IDS probably ought to go see a professional about their paranoia issues...
firewall-wizards mailing list