RE: [fw-wiz] FW appliance comparison - Seeking input for the forum



-----Original Message-----
Subject: Re: [fw-wiz] FW appliance comparison - Seeking input for the forum

> Why would you want a signature based IDS at all? They don't work.
> Period. Enumerating badness is a silly idea.

Sure they do. The premise may be flawed, but the technology works, even if
it falls into the "better than nothing" category. They're smoke detectors
for a small subset of possible fires. Using one is still better than
letting the house burn to the ground each and every time there's a fire.


> Develop a policy that explicitly defines every kind of network traffic
> that is to be allowed to pass your perimeter. Application X using a
> "proprietary protocol"? Sorry, not allowed.

See my previous post. Just because you enforce HTTP over TCP/80 with a
proxy doesn't mean you're keeping all of the garbage out... or in. Not to
mention that there are plenty of standard, known protocols out there (think
SQL protocols) that lack a good proxy to manage the actual behavior of the
connections that cross them.


> Then use a firewall that only passes what is explicitly allowed and raises
> an alarm for everything that isn't.
> *Boom* as Steve Jobs would probably put it. Instant heuristic proactive
> unknown and future attack aware IDS.

And without packet payload data, those alerts border on useless. Not to
mention that the real bad guys are tunneling across the allowed ports while
you sleep.

PaulM


_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxx
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
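The disagreement above (port-based default deny versus payload inspection) as an added illustration, not code from the thread or from any product named in it. The flow records, the allow-list and the HTTP request-line check are all constructed for the example; a real firewall log would normally carry only the protocol and port fields, which is exactly the gap the reply points at.

```python
# Added example (not from the original thread): a port-only default-deny
# policy passes anything on an allowed port, so an alert that carries no
# payload bytes cannot tell HTTP from a tunnel. Every record here is constructed.
import re

# Policy in the spirit of the quoted post: only explicitly listed services pass.
ALLOWED = {("tcp", 80), ("tcp", 443)}

# Constructed flow records: (proto, dst_port, first payload bytes).
# The payload column is what a proxy or payload-aware sensor sees and a
# plain connection log does not.
FLOWS = [
    ("tcp", 80,  b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"),
    ("tcp", 80,  b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),  # TLS hello on 80
    ("tcp", 80,  b"SSH-2.0-OpenSSH_8.9\r\n"),                       # SSH on 80
    ("tcp", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    ("udp", 53,  b"\x12\x34\x01\x00\x00\x01"),
]

# Minimal HTTP/1.x request-line shape; real proxies check far more than this.
_HTTP_REQ = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT|TRACE|PATCH) \S+ HTTP/1\.[01]\r\n"
)


def port_policy(proto, port):
    """Port-only default deny: 'pass' for listed services, 'deny' otherwise."""
    return "pass" if (proto, port) in ALLOWED else "deny"


def looks_like_http(payload):
    """True when the first bytes form an HTTP/1.x request line."""
    return bool(_HTTP_REQ.match(payload))


def classify(flow):
    """Combine the port policy with a payload check on the HTTP port."""
    proto, port, payload = flow
    if port_policy(proto, port) == "deny":
        return "deny"
    if port == 80 and not looks_like_http(payload):
        # Allowed port, non-HTTP bytes: the tunnel a port-only rule passes silently.
        return "pass-suspect"
    return "pass"


def summarize(flows):
    """Count verdicts; shows how many 'passes' the port rule alone cannot separate."""
    return {v: sum(1 for f in flows if classify(f) == v)
            for v in ("pass", "pass-suspect", "deny")}
```

With the constructed flows, the port rule alone passes four of five; only the payload check separates the two tunnelled connections on TCP/80 from the legitimate HTTP request.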


