Re: [fw-wiz] FW appliance comparison - Seeking input for the forum

On Fri, 20 Jan 2006, sai wrote:

> Ignorance is strength? No way! IDS should help you figure out what is
> happening on your network and its environs. Unfortunately keeping the

No, your *policy* should *dictate* what's happening on your network and
its environs. Your implementation of that policy should enforce it.

If IDS was an audit function, it'd have to be designed to audit against a
policy, not be AV-on-the-wire. Lots of people are using IDS as an excuse
to not iterate or implement policy or protective controls, and that's a

> IDS updated takes time and/or money , plus you have to look at (and
> understand) the reports (more time and effort).
> Most people are able to get on with their jobs without knowing what
> has attacked them, but its certainly good to know.

Again, this assumes that your policy implementation allows attacks to
traverse your infrastructure *or* that you're wasting the organization's
time passing around reports about how many times NIMDA tried to attack
your Solaris box.

This is one reason why people with sub-standard security don't get fired
when there's an event they clearly should have created "the IDS signature
didn't detect it" is becoming a bail-out when people really aren't
implementing good security policies.

Here's a little tidbit that's about 4 years old now, but ponder it and ask
yourself if the IDS is where people *should* be spending their time:

Approximately 74% of firewalls are either misconfigured or not configured
to block attacks they're capable of blocking in normal operation[1].

[1] No, I don't mean "deny all." Attacks without unduly hindering the
organization by blocking legitimate traffic.
Paul D. Robertson
paul@xxxxxxxxxxxx
"My statements in this message are personal opinions which may have no basis whatsoever in fact."

firewall-wizards mailing list
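One way to make detection an audit against policy, as the post argues, rather than AV-on-the-wire: this added example (not from the post or the list) compares a constructed firewall accept log against a hypothetical written policy and reports flows the firewall let through that the policy does not permit. The policy rules, addresses and log format are all assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    dport: Optional[int]  # None means any destination port

# Hypothetical written policy: what *should* traverse the perimeter (default deny).
POLICY = [
    Rule(ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("192.0.2.10/32"), "tcp", 443),
    Rule(ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24"), "tcp", 22),
    Rule(ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("0.0.0.0/0"), "udp", 53),
]

# Constructed accept-log lines: flows the firewall actually permitted.
ACCEPT_LOG = """\
ACCEPT src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=443
ACCEPT src=10.1.2.3 dst=192.0.2.20 proto=tcp dport=22
ACCEPT src=198.51.100.9 dst=192.0.2.20 proto=tcp dport=22
ACCEPT src=192.0.2.20 dst=203.0.113.53 proto=udp dport=53
ACCEPT src=198.51.100.9 dst=192.0.2.10 proto=tcp dport=80
"""

def parse_line(line: str):
    """Turn 'ACCEPT k=v k=v ...' into (src, dst, proto, dport)."""
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    return fields["src"], fields["dst"], fields["proto"], int(fields["dport"])

def permitted(policy: List[Rule], src: str, dst: str, proto: str, dport: int) -> bool:
    """True if any policy rule allows this flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in r.src and d in r.dst and proto == r.proto
               and (r.dport is None or r.dport == dport) for r in policy)

def audit(policy: List[Rule], log_text: str) -> List[str]:
    """Return accepted flows that the written policy does not permit.
    Each hit is a policy-enforcement gap, not a signature match."""
    violations = []
    for line in log_text.splitlines():
        if line.startswith("ACCEPT") and not permitted(policy, *parse_line(line)):
            violations.append(line)
    return violations
```

Run `audit(POLICY, ACCEPT_LOG)`: the SSH session from outside 10/8 and the port-80 flow to the HTTPS-only host are flagged as gaps between policy and enforcement, regardless of whether either carried an attack.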
