Re: [fw-wiz] FW appliance comparison - Seeking input for the forum
- From: "Paul D. Robertson" <paul@xxxxxxxxxxxx>
- Date: Fri, 20 Jan 2006 10:00:20 -0500 (EST)
On Fri, 20 Jan 2006, sai wrote:
> Ignorance is strength? No way! IDS should help you figure out what is
> happening on your network and its environs. Unfortunately keeping the
No, your *policy* should *dictate* what's happening on your network and
its environs. Your implementation of that policy should enforce it.
If IDS was an audit function, it'd have to be designed to audit against a
policy, not be AV-on-the-wire. Lots of people are using IDS as an excuse
to not iterate or implement policy or protective controls, and that's a
problem.
> IDS updated takes time and/or money, plus you have to look at (and
> understand) the reports (more time and effort).
> Most people are able to get on with their jobs without knowing what
> has attacked them, but it's certainly good to know.
Again, this assumes that your policy implementation allows attacks to
traverse your infrastructure *or* that you're wasting the organization's
time passing around reports about how many times NIMDA tried to attack
your Solaris box.
This is one reason why people with sub-standard security don't get fired
when there's an event they clearly should have created "the IDS signature
didn't detect it" is becoming a bail-out when people really aren't
implementing good security policies.
Here's a little tidbit that's about 4 years old now, but ponder it and ask
yourself if the IDS is where people *should* be spending their time:
Approximately 74% of firewalls are either misconfigured or not configured
to block attacks they're capable of blocking in normal operation[1].
Paul
[1] No, I don't mean "deny all." Attacks without unduly hindering the
organization by blocking legitimate traffic.
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@xxxxxxxxxxxx which may have no basis whatsoever in fact."
http://fora.compuwar.net Infosec discussion boards
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxx
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards