RE: [fw-wiz] FW appliance comparison - Seeking input for the forum
-----Original Message-----
Subject: Re: [fw-wiz] FW appliance comparison - Seeking input for the forum

> Maybe someone hitting the IDS pipe can come up with some good examples of
> when just doing the right thing wouldn't have stopped whatever it is that
> is known enough for signatures but not enough for configuring or
> patching...

I don't know that I'm comfortable admitting to "hitting the IDS pipe" but I
will say that an IDS (or anything that can perform some sort of action based
on packet payload) will give you things that your firewall ACLs can't.

A recent real-life example is our guest network. To accommodate visiting
contractors, auditors, etc. without just letting them plug into the internal
network, we have a WEP-enabled wireless network that they can use. This
network only allows access to a handful of ports and protocols, essentially
enough for basic web browsing (80/443), VPN (PPTP and IPSec), and DNS (they
get a DHCP lease that gives them a DNS server address outside of our
network). That's moderately restrictive, but we still regularly detect
peer-to-peer and IM traffic coming from that subnet. And that's the
unencrypted stuff. Many of these apps will work over ports reserved for
other common protocols or in the case of at least two IM clients, they will
work over HTTP and even through our proxies via GET/POST/POLL methods
(blocking CONNECT is no longer enough).

The moral of the story is that if you don't force all traffic through an
application proxy, you can stand to implement an IDS. Even still, you
probably have traffic passing through your proxy that you think you're
stopping.

PaulM
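The contrast PaulM draws above (a port-based guest ACL that passes everything on 80/443, versus something that looks at the payload) is easy to see in code. The following is an added example, not code from the original post or from any product it mentions. The five sample "flows" are constructed for illustration, and the signature list is a small assumed set (an MSNP handshake and its content type, the BitTorrent and Gnutella handshake strings, plus a generic "method a browser never sends" rule that covers the POLL case the post describes). A real IDS ruleset would be far larger; the point is only that the ACL and the payload check disagree on exactly the traffic the post complains about.

```python
"""Port-based ACL versus payload inspection on a guest network.

Added example, not from the original post.  Sample requests and the
signature set below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# What the guest-network ACL permits, by port only: web, DNS, PPTP, IPsec/IKE.
GUEST_ACL_PORTS = {80, 443, 53, 1723, 500, 4500}

# Methods an ordinary browser or proxy client emits.  Anything else in the
# request line (e.g. POLL) is treated as a tunnelling client.
BROWSER_METHODS = {"GET", "POST", "HEAD", "OPTIONS", "CONNECT"}

# Illustrative payload signatures (an assumed set, not from the post).
# Each regex is applied to the whole request: line, headers and body.
SIGNATURES = [
    ("im-tunnel: MSNP handshake in HTTP body",
     re.compile(rb"\r\n\r\nVER \d+ MSNP\d+")),
    ("im-tunnel: messenger content-type",
     re.compile(rb"^Content-Type: application/x-msn-messenger", re.M | re.I)),
    ("p2p: BitTorrent handshake", re.compile(rb"\x13BitTorrent protocol")),
    ("p2p: Gnutella connect", re.compile(rb"^GNUTELLA CONNECT/", re.M)),
]

REQUEST_LINE = re.compile(rb"^([A-Z]+) \S+ HTTP/1\.[01]\r\n")


@dataclass
class Verdict:
    description: str
    dst_port: int
    acl_allows: bool
    alerts: list = field(default_factory=list)


def acl_allows(dst_port: int) -> bool:
    """The firewall's entire decision: is the destination port on the list?"""
    return dst_port in GUEST_ACL_PORTS


def inspect_payload(payload: bytes) -> list:
    """Return the names of every signature the payload matches."""
    hits = [name for name, rx in SIGNATURES if rx.search(payload)]
    m = REQUEST_LINE.match(payload)
    if m and m.group(1).decode() not in BROWSER_METHODS:
        hits.append("non-browser method " + m.group(1).decode())
    return hits


def classify(description: str, dst_port: int, payload: bytes) -> Verdict:
    return Verdict(description, dst_port, acl_allows(dst_port), inspect_payload(payload))


# Constructed sample flows from the guest subnet: (description, dst port, bytes).
BT_HANDSHAKE = b"\x13BitTorrent protocol" + b"\x00" * 8 + b"A" * 20 + b"B" * 20
SAMPLE_FLOWS = [
    ("plain browsing", 80,
     b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("IM client tunnelled via HTTP POST", 80,
     b"POST /gateway/gateway.dll?Action=open&Server=NS HTTP/1.1\r\n"
     b"Host: gateway.messenger.example\r\n"
     b"Content-Type: application/x-msn-messenger\r\n"
     b"Content-Length: 16\r\n\r\nVER 1 MSNP8 CVR0"),
    ("IM client using POLL through the proxy", 80,
     b"POLL /poll HTTP/1.1\r\nHost: poll.example\r\n\r\n"),
    ("BitTorrent peer on a web port", 443, BT_HANDSHAKE),
    ("BitTorrent peer on its usual port", 6881, BT_HANDSHAKE),
]


def run_samples() -> dict:
    """Map each sample description to (acl_allows, alerts)."""
    return {d: (v.acl_allows, v.alerts)
            for d, p, b in SAMPLE_FLOWS for v in [classify(d, p, b)]}


def tunnelled_through_acl() -> list:
    """Flows the port ACL passes but payload inspection flags."""
    return [d for d, (ok, alerts) in run_samples().items() if ok and alerts]


if __name__ == "__main__":
    for desc, (ok, alerts) in run_samples().items():
        print(f"{desc:40} ACL={'pass' if ok else 'drop':4} IDS={alerts or 'clean'}")
```

Run stand-alone it prints one line per flow: the ACL passes four of the five (only the peer on 6881 is dropped), while the payload check flags three of those four. That is the post's point in miniature: the only thing the ACL contributed was blocking the one client that did not bother to use a permitted port.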

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxx
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards