0

My IDS sensor is currently located after the webproxy and all I am seeing is heaps of packets originated from the Web Proxy to the remote destination IP addresses. Hence, I don't actually see who does what! IDS, on the other hand, detects so many incidents e.g. IDS does not expect an IP address generates so many web traffic at a short period of time. So my question is: What is the best place to put the IDS probe when we have a web proxy in the network.

Many thanks

mazkopolo
  • 101
  • 1
  • What direction do you want to protect with your IDS ? From LAN to Internet or From Internet to LAN ? I am a bit confused by the webproxy term you use. Do you mean Reverse Proxy ? Usually we use IDS to protect against incoming traffic. Webproxy term suggests outgoing traffic...Could you clarify this ? – krisFR Apr 21 '15 at 22:38
  • By web proxy I mean a server that acts as a MIMT to protect the internal clients. I do not want to protect the IDS. I want to know if it is a good practice to put the IDS sensor before the web-proxy (between the web clients and proxy server) to see all the http/https traffic or not. If I do this, I will be seeing all the https/http traffic originating from the local network. If I put it after the web proxy, I will be seeing only one IP address is creating all http/https traffic. – mazkopolo Apr 22 '15 at 00:00

0 Answers0