I have an ongoing discussion about whether it makes sense to place a sensor in front of our perimeter firewall to monitor everything that is hitting our network from the outside. I'm not a big fan of this approach and argue that we already know that the Internet is a bad place out there, and we are running SO to detect intrusions and not to document all sorts of attacks to get a weather report regarding attack activity. I want to place different sensors behind the perimeter firewall to monitor different network segments.
I fear we will see tons of alarms in SO that are actually not threats, since the firewall will take care of them. Is there a right or wrong to this question? Are there best practices regarding the placement of sensors?
Any feedback is highly appreciated. Thanks in advance!