Re: [fw-wiz] RE: In defense of non standard ports



On Tue, 24 Jan 2006, Tim Shea wrote:

> I've been monitoring this discussion and I have issues with two
> assumptions being made. The first is that all organizations have security
> professionals with some pull with management. Politics plays a big part

Trust me, if your organization has security professionals, then they have
pull with management.

> and unless you can sell a solution or are hacked sideways nothing will be
> done. This is the frustration of many technical security professionals.

Deploying IDS doesn't help this issue long-term. Long-term we need to be
able to quantify (and if Avashai ever de-htmls his response, we'll have
great data for this.)

> Lets take the above issue - all tcp ports outbound are open. Throwing in
> an IDS is an quick way to gather appropriate information to help sell to
> management that they have a real problem. Just telling them "all ports

No, your risk analysis should show them it's the right thing to do, if
you're attempting to build credibility based on shiny graphs and vendor
gear reports, then ultimately you're setting yourself up to fail.

> outbound bad" does not work. In addition - the log output from [insert
> whatever firewall here] is either not detailed enough or the volume is so
> high that it is not always practical to run analyze on the output.

What? Not show them how valuable their firewall investment is? Are you
kidding? "So much protection we can't even report on it! C'mon, you're
missing a great chance here...

> Second issue I have is that running IDS's takes a lot of time. That is
> bull. I had a vendor in today that was going off about such nonsense. It
> is just like any other service. You plan, implement, and manage that
> service appropriately. If you are spending all your time updating rules
> and keeping things in sync - your problem is not the ids but your
> operational processes.

Doing it in a way that elimates false positives and keeps it up-to-date
enough to highlight your failed security implementation does take time,
time better spent teaching executive management that you're professionals
that sholdn't be ignored any more than they'd ignore the financial guy's
take on the books..

> IDS have their place as any other service but saying they are useless or
> offering a negative opinion on an organizations internal controls (or lack
> of them) does not help that individual solve a problem.

My main message is that we need to focus our efforts on using what we
already have installed and in achieving results rather than spending it
furthing vendor hype for half-baked products that don't advance the state
of the art over AV.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@xxxxxxxxxxxx which may have no basis whatsoever in fact."
http://fora.compuwar.net Infosec discussion boards

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxx
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards



Relevant Pages

  • Re: [fw-wiz] OT: vendors please respond
    ... 1> Exactly what is this firewall supposed to be protecting? ... A separate IDS? ... 10> Do you need centralized management? ... 1> Features you MUST have. ...
    (Firewall-Wizards)
  • Re: Why Security testing is required
    ... >> As a non technical person I want to know why security testing is required ... IDS fooled and content management skirted. ... Astaro Security Linux -- firewall with Spam/Virus Protection ...
    (Security-Basics)
  • Re: IDS Stealth Mode
    ... the IDS would have to be compromised in order to give the attacker access to the same L2 ... Have your management interface terminate on a "DMZ" or other type of restricted network, ...
    (Focus-IDS)
  • Re: Triggering IDS
    ... something similar to let you see what happens when your IDS triggers? ... vulnerability management needs. ... Download FREE whitepaper on how a managed service can help you: ...
    (Pen-Test)
  • IDS Management/SIM Systems
    ... Information Management System that integrates monitoring capabilities of ... What IDS are you using and why concern for SNMP ... However an organisation which is running a NMS might wish to incorporate IDS, ...
    (Focus-IDS)