RE: [fw-wiz] Sources for Extranet Designs?

From: Don Parker (dparker_at_rigelksecurity.com)
Date: 02/24/04

  • Next message: M.C.M.Merks_at_delagelanden.com: "[fw-wiz] Cisco PIX 515 Firewall"
    To: Chris Blask <chris@protegonetworks.com>
    Date: Tue, 24 Feb 2004 13:30:59 -0500 (EST)
    
    

    > IDS is all goodness, but what to do with the output?

    Well, this issue has been beaten to death I believe; however, here is my two cents' worth
    on the subject anyway. The IDS still has to be properly tuned to begin with, and by
    that I mean excluding signatures for services not being offered and the like. Not only
    that, one also has to tweak the signatures there for optimal use on your network. Every
    network has its unique properties that have to be catered to.

    Also, as we all know, the person who is actually looking at the IDS data needs to have
    their stuff together skills-wise. Putting someone there with little to no knowledge of
    TCP/IP and other key areas is just a waste of everyone's time and money. The hardware
    itself is normally quite excellent. The person themselves must either learn on their own
    or be trained at the employer's cost. This need not take long, actually, whether it be
    through SANS-type training or the kind offered by the company I work with. There is no
    quick fix to bringing someone up to speed. Once they do have knowledge of some key areas,
    though, managing the output of an IDS is easily done, whether it be gigs or megs.

    Cheers!

    Don

    -------------------------------------------
    Don Parker, GCIA
    Intrusion Detection Specialist
    Rigel Kent Security & Advisory Services Inc
    www.rigelksecurity.com
    ph :613.249.8340
    fax:613.249.8319
    --------------------------------------------

    On Feb 24, Chris Blask <chris@protegonetworks.com> wrote:

    Quoting Don Parker <dparker@rigelksecurity.com>:
    >
    > Yes indeed, IPS is an excellent technology that is slowly maturing. There is
    > still nothing wrong with the IDS, though. Where the problem resides, though, is
    > in the human interface to it. A distinct lack of knowledge, and sometimes
    > education, is the main problem when it comes to these technologies. I am,
    > however, beating a dead horse vis-a-vis this in this mailing list. Heh, one of
    > the main gripes I hear is the huge amount of data to cull through that is
    > generated by an IPS/IDS. Were they up to speed on how to sift that data using
    > BPF filters/bit masking there would not be a problem :-)

    The human interface is the entire problem, and if you set the level of
    expertise found in the human at the lowest point found on the distribution
    chart of network operators you get a view of the shape of the solution...

    IPS is fine, but it seems to me to simply be an evolution of the firewall as
    opposed to anything particularly new. The two questions are:

    o Do network owners want to have yet another shell of perimeter security (and
    do they want it from another new vendor with its own logistic infrastructure)?
    o If you made IPS devices, it would be good to soak up info from all of the
    other vendors. But if you compete with those other vendors, why would they
    help you do it better?

    IDS is all goodness, but what to do with the output?

    -chris

    >
    > Cheers!
    >
    > Don
    >
    > -------------------------------------------
    > Don Parker, GCIA
    > Intrusion Detection Specialist
    > Rigel Kent Security & Advisory Services Inc
    > www.rigelksecurity.com
    > ph :613.249.8340
    > fax:613.249.8319
    > --------------------------------------------
    >
    > On Feb 23, "Marcus J. Ranum" <mjr@ranum.com> wrote:
    >
    > Wes Noonan wrote:
    > >IPS would be a no brainer for me in this scenario.
    >
    > I. Hate. To. Admit. It. But. You. May. Be Right.
    >
    > IPS hype aside, and ignoring what the Gartner idiots think,
    > there's a conceptual value to the IPS concept. Basically, a
    > firewall implements one of 2 policies:
    > - Permit
    > - Deny
    >
    > IPS (i.e.: a signature-based firewall) adds a third option to the
    > policy matrix:
    > - Permit
    > - Deny
    > - Permit it as long as it is not obviously abusive (e.g.: signature
    > hasn't fired)
    >
    > That's actually kind of cool. It means you can set up a connection
    > for your business partner and let the traffic (for the minimum subset of
    > services needed, of course!) go through. Then if the business
    > partners generate traffic that is abusive or appears abusive you
    > have useful information that you can further use to diagnose what
    > they are doing. "Hey, mister outsourcer, why are you Nmapping
    > my network?"
    >
    > Of course since IPS is signature-based you're going to have the
    > same kind of issues with false positives as you have with an IDS.
    > But, since your business partners (in theory) should be communicating
    > with you in a pretty plain vanilla manner, it should work OK.
    >
    > mjr.
    >
    > _______________________________________________
    > firewall-wizards mailing list
    > firewall-wizards@honor.icsalabs.com
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    >
    > _______________________________________________
    > firewall-wizards mailing list
    > firewall-wizards@honor.icsalabs.com
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    >

    Chris Blask
    Vice President, Business Development
    Protego Networks Inc.

    (1) 416 358 9885 - Direct
    (1) 408 262 5220 - HQ
    (1) 408 262 5280 - Fax

    blask@protegonetworks.com
    www.protegonetworks.com

    "The first purpose-built appliance for Real-Time Security Threat Mitigation"

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
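Don's point about sifting IDS output with BPF filters and bit masking, worked through as an added example that is not code from any poster in this thread: the Python below builds a few constructed IPv4/TCP packets, applies the same bit-mask tests one would type into tcpdump (`tcp[13] & 0x12 = 0x02` for a bare SYN, `tcp[13] & 0x3f = 0` for a null scan, and so on), and then applies the tuning step Don describes by ignoring plain SYNs to services the site actually offers, so that what is left is the short list an analyst should look at. The packet contents, the port list, the filter names and the partner/client addresses are all assumptions made for the example.

```python
"""Sifting packet data with BPF-style bit masks.

Added example, not code from the firewall-wizards thread. Assumptions:
packets are raw IPv4/TCP with no link-layer header, checksums are not
checked, and the sample traffic and the list of offered services below
are constructed for illustration.
"""
import struct

# TCP flag bits in byte 13 of the TCP header, i.e. tcp[13] in BPF syntax.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_packet(src, dst, sport, dport, flags, ihl=5):
    """Constructed IPv4+TCP packet; ihl > 5 appends zeroed IP options."""
    total_len = ihl * 4 + 20
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0, 0,
                         64, 6, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    ip_hdr += b"\x00" * (ihl * 4 - 20)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                          8192, 0, 0)
    return ip_hdr + tcp_hdr


def ip_header_len(pkt):
    # BPF: (ip[0] & 0x0f) << 2 -- mask off the version nibble, scale by 4
    return (pkt[0] & 0x0f) << 2


def tcp_flags(pkt):
    # BPF: tcp[13]; tcpdump resolves the variable IP header length itself
    return pkt[ip_header_len(pkt) + 13]


def tcp_ports(pkt):
    off = ip_header_len(pkt)
    return struct.unpack("!HH", pkt[off:off + 4])


def src_ip(pkt):
    return ".".join(str(b) for b in pkt[12:16])


# name -> (BPF expression as typed into tcpdump, equivalent test on tcp[13])
FILTERS = {
    "syn-only":  ("tcp[13] & 0x12 = 0x02", lambda f: f & (SYN | ACK) == SYN),
    "null-scan": ("tcp[13] & 0x3f = 0",    lambda f: f & 0x3f == 0),
    "xmas-scan": ("tcp[13] & 0x29 = 0x29", lambda f: f & (FIN | PSH | URG) == (FIN | PSH | URG)),
    "syn-fin":   ("tcp[13] & 0x03 = 0x03", lambda f: f & (SYN | FIN) == (SYN | FIN)),
}


def classify(pkt):
    """Names of every bit-mask filter that fires on this packet."""
    f = tcp_flags(pkt)
    return [name for name, (_, test) in FILTERS.items() if test(f)]


def sift(packets, offered_ports):
    """Tuning step: drop plain SYNs to services we actually offer, keep the rest.

    Returns (suspects, ports_per_source). A source touching many distinct
    ports we do not offer is sweeping, not using a published service.
    """
    suspects, touched = [], {}
    for pkt in packets:
        hits = classify(pkt)
        _, dport = tcp_ports(pkt)
        if hits == ["syn-only"] and dport in offered_ports:
            continue  # ordinary connection attempt to a published service
        if hits:
            suspects.append(pkt)
            touched.setdefault(src_ip(pkt), set()).add(dport)
    return suspects, {s: len(p) for s, p in touched.items()}


# Constructed sample traffic: a partner host and one other client.
SAMPLE = [
    build_packet("10.9.8.7", "192.0.2.10", 40000, 443, SYN),          # opens HTTPS: normal
    build_packet("10.9.8.7", "192.0.2.10", 40001, 443, ACK),          # mid-stream: no filter fires
    build_packet("10.9.8.7", "192.0.2.10", 40002, 22, SYN),           # SYN to a port we do not offer
    build_packet("10.9.8.7", "192.0.2.10", 40003, 23, SYN),
    build_packet("10.9.8.7", "192.0.2.10", 40004, 25, SYN),
    build_packet("10.9.8.7", "192.0.2.10", 40005, 80, 0),             # null-scan probe
    build_packet("10.9.8.7", "192.0.2.10", 40006, 80, FIN | PSH | URG, ihl=6),  # xmas probe, IP options
    build_packet("198.51.100.5", "192.0.2.10", 51000, 443, SYN),      # another client on HTTPS
]
OFFERED_PORTS = {80, 443}

if __name__ == "__main__":
    suspects, per_source = sift(SAMPLE, OFFERED_PORTS)
    for pkt in suspects:
        print(src_ip(pkt), tcp_ports(pkt)[1], classify(pkt))
    print(per_source)  # {'10.9.8.7': 4}: one source probed four distinct ports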

