[fw-wiz] A few sql 2000 related questions

From: Foley, Denys (Denys.Foley_at_xerox.com)
Date: 02/13/05

  • Next message: Steven M. Bellovin: "Re: [fw-wiz] VPNmadness gets more support;"
    To: <firewall-wizards@honor.icsalabs.com>
    Date: Sun, 13 Feb 2005 13:01:28 -0500
    
    

    >One proposal I have is the following

    >inet-->IPS-->fw->dmz (ssl) web server->fw->(ssl)sql server->vpn(with
    >acls)->back office fw dmz->(ssl)back office feeder servers

    >comments?

    >other proposal is

    >inet-->IPS-->fw->(ssl) inverse proxy->fw->(ssl) web server ->(ssl)sql
    >server->vpn(with acls)->back office fw dmz->(ssl)back office feeder servers

    >comments?

    The problem with your two proposals is that the IPS is only able to see SSL encrypted packets. It will never see most attacks that are targeted at the application. You need to have another IPS sensor inside the DMZ and yet another in your backend area.

    The sensor outside your FW will be sounding alerts non stop all day and all night. You should log them and review them but don't get too excited.

    The one inside your DMZ is a bit more important and will not trigger as often - these alerts need attention. Most attacks against WEB servers that are running SSL will not be seen until the server is compromised and it starts behaving in an unusual manner.

    The sensor that is back in your secure zone should be fairly quiet. When it goes off you do want to react and react fast. This one should go to your pager and wake you up in the middle of the night.

    Host based IDS systems will catch attacks on individual servers running SSL - You can run both Network IDS and Host IDS and it is not the same level of paranoia as wearing a belt and suspenders.

    Denys Foley    
     

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


  • Next message: Steven M. Bellovin: "Re: [fw-wiz] VPNmadness gets more support;"

    Relevant Pages

    • RE: high-speed NIDS (>1.7GBit/sec traffic) required.
      ... then go with the Cisco IDS blade. ... You could use an IDS load balancer that spreads the traffic to many highly ... tuned small snort IDS sensors, then carve up the rulesets (3 or 4 per ... Sensor 1 does IIS, ...
      (Focus-IDS)
    • IDS Sensor operation
      ... Basically sensors operates with promiscuous mode interface for monitoring ... But there is an optionality in an IDS to alert the firewall to ... this we see in Realsecure Network sensor 7.0 where there is a option called ... Test Your IDS ...
      (Focus-IDS)
    • RE: can tripwire be used for sensor integrity???
      ... We have lots of users who use IDS Informer in this way to ensure that the $$ ... not caught out by a sensor going off line without knowing. ... tripwire does not detect LKM trojans or tampering. ... of kernel integrity protection. ...
      (Focus-IDS)
    • RE: NIDS
      ... The following link is a gold mine on all things IDS (at least in my ... Hands down snort is probably the most famous intrusion detection system. ... I think it is a good idea to place a sensor ... I am looking for information on deployment scenarios. ...
      (Security-Basics)
    • RE: High availability design of NIDS
      ... IDS traffic would automatically be load-balanced to your sensors. ... hardware or software issue caused a sensor to fail, ... High availability design of NIDS ... can listen to all traffics in the network). ...
      (Focus-IDS)