[fw-wiz] to IDS or not to IDS? [Re: FW appliance comparison - Seeking input for the forum]



You're making a "straw man" argument -- I haven't heard anyone advocate
using IDS as a first OR only line of defense, nor has anyone on this
list advocated neglecting a good firewall with a good ruleset and
instead spending all one's time on IDS deployment instead (we are
"firewall wizards" after all, right?)

However, I WOULD argue that NO technology is a very good "first and
only" line of defense. The original post that started this discussion
asked "Why would you want an IDS?" You seemed to be arguing that IDS is
useless/unnecessary, and I am arguing that it a useful and sometimes
necessary adjunct to a good firewall:
1) IDS provides better visibility on traffic internally and at the
network boundaries. I want to monitor what is happening to assure myself
and my bosses/auditors that my perimeter controls are as good as I say
they are.
2) IDS is better than most firewalls at alerting on "unsuccessful"
attacks that "bounce off" of your firewall or get through but pose no
real danger to your systems which are patched, etc. This information is
useful, because I think it is prudent to detect and track or block
persistent attackers; their first attacks may have been futile, but
maybe they'll get smarter. I wouldn't ignore incoming gunfire just
because they seem to keep missing.


On Wed, 25 Jan 2006, paul@xxxxxxxxxxxx wrote:

>> world no "bad" traffic can get through a properly configured proxy
>> firewall, BUT the bad guys have imaginations, too! Often better and
more
> evil imaginations that the guys who wrote the protocols and maybe even
>> better than the guy who wrote the proxy (sorry, MJR, but it is
>> possible).

>That doesn't change the fact that if you're not doing the basics right
>then bells and whistles don't improve your overall security posture as
>much as getting the basics right will.

>Look at Avishai's study- then tell me that more IDS is the first thing
we
>need, and do it with a straight face. Passive IR is a cool technology,

>but it sure as heck shouldn't be your first or only line of defense.
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxx
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards



Relevant Pages

  • Re: Changes in IDS Companies?
    ... >> There's also the option of using a non-inline style IDS, ... >> firewall rules anyways, ... > 3) Many attacks are internal. ... come from the internet. ...
    (Focus-IDS)
  • Re: Firewall or IDS
    ... You can actually use IPSec on Win2K to do the same thing - plus you can ... PIX firewall will not be ... >> able to defend against application layer attacks like Code Red. ... A network IDS won't be able to defend against Code-Red-like attacks as soon ...
    (Focus-Microsoft)
  • RE: amount of alarms generated by IDS
    ... Obviously to manage, control, and mitigate these types of attacks it is ... "They used to read the 3000ppm water monitor with a magnifying glass." ... amount of alarms generated by IDS ... The comparison is more appropriately made as a firewall with the ability ...
    (Focus-IDS)
  • Re: Any personal Intrusion Detection Systems
    ... BlackIce is actually an IDS that happens to be able to block using ... it's own IP filter (some people would call this a firewall). ... carriers of such attacks like UNicode and double decode style attacks. ...
    (comp.security.firewalls)
  • RE: Thinking about Security rules...
    ... > Subject: Re: Thinking about Security rules... ... >>rules for the IDS. ... by which you attack. ... firewalls in series isn't nearly as nice as a stateful firewall coupled ...
    (Vuln-Dev)