Re: [fw-wiz] RE: IDS (was: FW appliance comparison)


Not really the same. IDS may find some unexpected behavior originating
from inside that simply does not reach the firewall. Say, a trojaned
laptop computer may scan internal network resources and send the results out via
innocent-looking email (or even do it via a different channel);
how can you detect this?

(well, we all know this should not happen because no notebooks
should be allowed in unrestricted, but still it does)

So there is still some use for IDS.

Another possible application is detecting break-in attempts in the DMZ,
though responding to those is damn boring. A hybrid host/network
system helps a lot, and even the odious "signature base" is very useful
for knowing exactly what happens ;-)

On Tue, Jan 24, 2006 at 02:27:15PM +0100, Patrick M. Hausen wrote:
> Hi, all!
> On Tue, Jan 24, 2006 at 11:38:52AM +0700, Ben Nagy wrote:
> > What's your preferred method for noticing this stuff? (I'm certainly not
> > being sarcastic here)
> Your firewall doesn't trigger an alarm for every event that's
> denied by policy?
> That's the main reason why I don't like IDSs. A default deny
> policy combined with "log everything" achieves just the same.
> I concede there are nice UIs that let you do convenient analysis
> and statistics - more often or better on IDS products than on
> your common firewall. But it's the vendors that are to blame
> here. Why not put the same effort into the firewall products?
> Why bother if you can sell another box instead? Dunno.
> Regards,
> Patrick
> --
> GmbH Internet - Dienstleistungen - Beratung
> Vorholzstr. 25 Tel. 0721 9109 -0 Fax: -100
> 76137 Karlsruhe
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@xxxxxxxxxxxxxxxxxx
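As an added illustration of the top-posted argument (example code written for this edit, not from the thread or any product): a small fan-out detector over constructed flow records, showing that the internal-to-internal sweep is visible only to a sensor on the inside segment, while the perimeter firewall log holds nothing but the outbound mail.

```python
# Added example, not from the thread: flag an internal host that fans out to
# many internal peers, which a perimeter firewall never sees. The flow records
# below are constructed sample data, not real traffic.
from collections import defaultdict
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed flows: (timestamp, sensor, src, dst, dport)
FLOWS = [
    (100, "internal", "10.1.1.50", f"10.1.2.{i}", 445) for i in range(1, 21)
] + [
    (130, "internal", "10.1.1.50", "10.1.1.5", 22),
    (140, "internal", "10.1.1.7", "10.1.1.5", 22),        # normal admin ssh
    (200, "perimeter", "10.1.1.50", "203.0.113.10", 25),  # the "innocent" email
    (201, "perimeter", "10.1.1.7", "203.0.113.20", 443),
]

def sweeps(flows, sensor, min_peers=10, window=120):
    """Return {src: peer_count} for internal sources that contacted at least
    min_peers distinct internal hosts inside one `window`-second bucket,
    using only the flows the named sensor actually observed."""
    peers = defaultdict(lambda: defaultdict(set))   # src -> bucket -> dsts
    for ts, seen_by, src, dst, _port in flows:
        if seen_by != sensor:
            continue
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # Only internal-to-internal traffic counts as a sweep of the inside.
        if s in INTERNAL and d in INTERNAL:
            peers[src][ts // window].add(dst)
    result = {}
    for src, buckets in peers.items():
        n = max(len(dsts) for dsts in buckets.values())
        if n >= min_peers:
            result[src] = n
    return result

if __name__ == "__main__":
    print("internal sensor :", sweeps(FLOWS, "internal"))   # {'10.1.1.50': 20}
    print("perimeter sensor:", sweeps(FLOWS, "perimeter"))  # {}
```

The perimeter view is empty not because the laptop is quiet but because its scan never crosses the firewall; only the later SMTP connection does.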