Re: [fw-wiz] RE: IDS (was: FW appliance comparison)
nuqneH,

Not really the same. An IDS may find some unexpected behavior originating
from inside that simply does not reach the firewall. Say, a trojaned
laptop computer may scan internal network resources and send the results out via
innocent-looking email (or even do it via a different channel);
how can you detect this?

(well, we all know this should not happen because no notebooks
should be allowed in unrestricted, but still it does)

So there is still some use for IDS.

Another possible application is detecting break-in attempts in the DMZ,
though responding to those is damn boring. A hybrid host-network
system helps a lot, and even the odious "signature base" is very useful
for knowing exactly what happens ;-)


On Tue, Jan 24, 2006 at 02:27:15PM +0100, Patrick M. Hausen wrote:
> Hi, all!
>
> On Tue, Jan 24, 2006 at 11:38:52AM +0700, Ben Nagy wrote:
>
> > What's your preferred method for noticing this stuff? (I'm certainly not
> > being sarcastic here)
>
> Your firewall doesn't trigger an alarm for every event that's
> denied by policy?
>
> That's the main reason why I don't like IDSs. A default deny
> policy combined with "log everything" achieves just the same.
>
> I concede there are nice UIs that let you do convenient analysis
> and statistics - more often or better on IDS products than on
> your common firewall. But it's the vendors that are to blame
> here. Why not put the same effort into the firewall products?
> Why bother if you can sell another box instead? Dunno.
>
> Regards,
> Patrick
> --
> punkt.de GmbH Internet - Dienstleistungen - Beratung
> Vorholzstr. 25 Tel. 0721 9109 -0 Fax: -100
> 76137 Karlsruhe http://punkt.de
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@xxxxxxxxxxxxxxxxxx
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
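An added illustration of the laptop scenario argued in the post above (example code, not from the original thread or either poster): constructed flow records from a sensor on the internal segment, a distinct-destination counter that flags the internal scan, and the firewall log for the same period, which shows only the one allowed outbound mail connection. All addresses, ports, timestamps and the threshold are invented.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records (src, dst, dport, timestamp) as a sensor on the
# internal LAN segment would see them. None of these cross the perimeter.
INTERNAL_FLOWS = [
    ("10.0.5.23", f"10.0.5.{100 + i}", 445, datetime(2006, 1, 24, 10, 0, i))
    for i in range(40)  # one laptop sweeping 40 internal hosts in 40 seconds
] + [
    ("10.0.5.40", "10.0.5.10", 445, datetime(2006, 1, 24, 10, 0, 5)),  # normal
    ("10.0.5.40", "10.0.5.11", 139, datetime(2006, 1, 24, 10, 1, 0)),  # normal
]

# Constructed firewall log (src, dst, dport, action) for the same period:
# only traffic crossing the perimeter, all of it permitted by policy.
FIREWALL_LOG = [
    ("10.0.5.23", "203.0.113.25", 25, "ALLOW"),  # the "innocent-looking" mail
    ("10.0.5.40", "198.51.100.7", 80, "ALLOW"),
]


def horizontal_scanners(flows, window=timedelta(minutes=5), threshold=20):
    """Return {src: distinct_dst_count} for every source that contacted at
    least `threshold` distinct internal hosts within any `window`."""
    by_src = defaultdict(list)
    for src, dst, _dport, ts in flows:
        by_src[src].append((ts, dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()  # order by timestamp
        best = 0
        for i, (t0, _) in enumerate(events):
            # distinct destinations reached within `window` of this event
            seen = {d for t, d in events[i:] if t - t0 <= window}
            best = max(best, len(seen))
        if best >= threshold:
            hits[src] = best
    return hits


def perimeter_view(log, scanners):
    """What the firewall alone records about the flagged hosts: nothing
    that looks like a scan, just their permitted outbound connections."""
    return [entry for entry in log if entry[0] in scanners]
```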