SO sensor placement

[Ben]

Hello!

I have a discussion ongoing if it makes sense to place a sensor in front of our perimeter firewall to monitor everything that is hitting on our network from the outside. I'm not a big fan of this approach and argue, that we already know that the Internet is a bad place out there and we are running SO to detect intrusions and not to document all sorts of attacks to get a weather report regarding attack activity. I want to place different sensors behind the perimeter firewall to monitor different network segments.

I fear tons of alarms that we will see in SO, which are actually no threats, since the firewall will take care of them. Is there a right or wrong to this question? Are there best practices regarding the placement of sensors?

Any feedback is highly appreciated. Thanks in advance!

Cheers, Ben.

[in...@friendandfamilytech.com]

Hey Ben, you're absolutely right.  Although there might be some use cases for analyzing traffic that hits the outside of your firewall, unless you have a very large budget, and a security team with a lot of time on their hands, you'll spend a lot of time weeding through alerts.  You might be able to satisfy your colleagues by just ingesting firewall logs into SO through syslog (or json if possible).  If you configure the firewall to log packets dropped at the firewall, you'll have a pretty good idea on how much data you would need to handle if you wanted a sensor on the outside (and then decide to not put a sensor outside your firewall).

Good luck,

Kevin