RE: [fw-wiz] RE: IDS (was: FW appliance comparison)
On Tue, Jan 24, 2006 at 11:38:52AM +0700, Ben Nagy wrote:
>
> That's the main reason why I don't like IDSs. A default deny policy
> combined with "log everything" achieves just the same.

And

On Tue, 24 Jan 2006, Patrick M. Hausen wrote:
> I think that there's a place and a use for IDS - but if your network is
> small enough that running log everything won't bog down your
> firewall(s), then - well - maybe they're not for you.

Are we forgetting one of the main reasons I believe IDS are valuable (or
was this point made earlier in the thread and I didn't catch it)? Being
an old timer, "Defense in Depth" easily comes to mind. Your firewall is
a device on the network right? As such, heaven forbid, it might get
hacked. What will give you a clue if it does?

Maybe an IDS that is specifically tuned to alert on traffic that should
never happen? Borrowing from another current thread, let's say hopefully
that you do not allow X-windows traffic in from the outside. Of course
your firewall would block it and log it, but wouldn't it be nice to know
if the firewall ever responded to a SYN with a SYN-ACK?

I agree we don't need the IDS to tell us what we should already know
from the firewall. And we might not need to know about the newest worm
signature from an IDS. But I would sure be interested if I saw responses
to any of these "bad" things or these "bad" things outbound. Goes back
to "know your traffic." It's tough but it's the only way.

Someone a long time ago said think of a firewall as the perimeter alarm
and locks, think of IDS as motion detector. I think that is still valid.

Don
"Keep your arms and hands inside the car and enjoy your ride..."
"Using encryption on the Internet is the equivalent of arranging an
armored car to deliver credit card information from someone living in a
cardboard box to someone living on a park bench." - Gene Spafford

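The "traffic that should never happen" check Don describes, as an added example that is not from the thread: a small Python detector run over constructed tcpdump-style lines from a sensor outside the firewall. It assumes the firewall's external address is 203.0.113.1 and that X11 (TCP 6000-6063) is denied inbound by policy; it reports only a SYN-ACK sent by the firewall from a denied port and SYNs leaving toward such a port, not the inbound SYNs the firewall already logs.

```python
import re
from typing import List, Optional, Tuple

FIREWALL_EXT = "203.0.113.1"           # assumed external address of the firewall
NEVER_PORTS = set(range(6000, 6064))   # X11 display ports, denied inbound by policy

# Constructed tcpdump-style lines as seen from a sensor outside the firewall
SAMPLE_CAPTURE = """\
192.0.2.77.40211 > 203.0.113.1.6000: Flags [S]
203.0.113.1.6000 > 192.0.2.77.40211: Flags [S.]
198.51.100.9.33044 > 203.0.113.1.80: Flags [S]
203.0.113.1.80 > 198.51.100.9.33044: Flags [S.]
203.0.113.1.41002 > 198.51.100.9.6001: Flags [S]
192.0.2.77.40213 > 203.0.113.1.6010: Flags [S]
"""

LINE_RE = re.compile(r"^(\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")

def parse(line: str) -> Optional[Tuple[str, int, str, int, str]]:
    """Split one capture line into (src, sport, dst, dport, flags)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, sport, dst, dport, flags = m.groups()
    return src, int(sport), dst, int(dport), flags

def should_never_happen(capture: str) -> List[Tuple[str, str]]:
    """Return (reason, line) for packets that contradict the deny policy.
    Inbound SYNs to denied ports are not reported: the firewall logs those itself."""
    alerts = []
    for line in capture.splitlines():
        pkt = parse(line)
        if pkt is None:
            continue
        src, sport, dst, dport, flags = pkt
        # 1. The firewall answered a denied port with SYN-ACK ("S."): the SYN
        #    should have been dropped, so the firewall is not enforcing policy.
        if src == FIREWALL_EXT and sport in NEVER_PORTS and flags == "S.":
            alerts.append(("firewall-accepted-denied-port", line))
        # 2. Something on or behind the firewall is opening an X11 session
        #    outbound: the "bad things outbound" case.
        elif src == FIREWALL_EXT and dport in NEVER_PORTS and flags == "S":
            alerts.append(("outbound-to-denied-port", line))
    return alerts

if __name__ == "__main__":
    for reason, line in should_never_happen(SAMPLE_CAPTURE):
        print(f"ALERT {reason}: {line}")
```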


-----Original Message-----
From: firewall-wizards-admin@xxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-admin@xxxxxxxxxxxxxxxxxx] On Behalf Of Cat
Okita
Sent: Tuesday, January 24, 2006 7:49 PM
To: Patrick M. Hausen
Cc: Ben Nagy; 'Paul D. Robertson'; firewall-wizards@xxxxxxxxxxxxxxxxxx
Subject: Re: [fw-wiz] RE: IDS (was: FW appliance comparison)

On Tue, 24 Jan 2006, Patrick M. Hausen wrote:
> On Tue, Jan 24, 2006 at 11:38:52AM +0700, Ben Nagy wrote:
>
>> What's your preferred method for noticing this stuff? (I'm certainly
>> not being sarcastic here)
>
> Your firewall doesn't trigger an alarm for every event that's denied
> by policy?
>
> That's the main reason why I don't like IDSs. A default deny policy
> combined with "log everything" achieves just the same.

*blink* You don't bog down your firewall to the point of being unusable
doing that?!?

I think that there's a place and a use for IDS - but if your network is
small enough that running log everything won't bog down your
firewall(s), then - well - maybe they're not for you.

cheers!
==========================================================================
"A cat spends her life conflicted between a deep, passionate and
profound desire for fish and an equally deep, passionate and profound
desire to avoid getting wet. This is the defining metaphor of my life
right now."
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxx
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards