help about IDS and firewall

Babba · 02-06-2003, 07:30 PM

1 Should i place my IDS inner or outer firewall?

2 what should i do if my friewall is hacked?

Noerr · 02-07-2003, 03:02 AM

1) if you need it for outsiders, put it out, otherwise let it in

2) Start reading CERT issues, and bug reports, and get enough info to figure out how they broke into your server, and how to get them out (not so easy task, unless you have some "script kiddies" in your box)

good luck

unSpawn · 02-11-2003, 05:35 AM

1. Even tho it depends on how your fw's are configured to let tru traffic I'd say: both. Like in the Single Point of Failure thingie.

2. If your firewall got cracked this means you've been running daemons on the fw, and that's a bad habit unless you know what you're doing and accept the risks. In essence fw's are for regulating traffic, not for serving (public) services.

Read this at least:
UNIX Security Checklist v2.0: [url]www.cert.org/tech_tips/unix_security_checklist2.0.html[url],
The Twenty Most Critical Internet Security Vulnerabilities: http://www.sans.org/top20/,
Steps for Recovering from a UNIX or NT System Compromise: www.cert.org/tech_tips/root_compromise.html,
Security tips: www.cert.org/tech_tips/ and www.cert.org/security-improvement/.