[fw-wiz] to IDS or not to IDS? [Re: FW appliance comparison - Seeking input for the forum]

You're making a "straw man" argument -- I haven't heard anyone advocate
using IDS as a first OR only line of defense, nor has anyone on this
list advocated neglecting a good firewall with a good ruleset and
instead spending all one's time on IDS deployment instead (we are
"firewall wizards" after all, right?)

However, I WOULD argue that NO technology is a very good "first and
only" line of defense. The original post that started this discussion
asked "Why would you want an IDS?" You seemed to be arguing that IDS is
useless/unnecessary, and I am arguing that it a useful and sometimes
necessary adjunct to a good firewall:
1) IDS provides better visibility on traffic internally and at the
network boundaries. I want to monitor what is happening to assure myself
and my bosses/auditors that my perimeter controls are as good as I say
they are.
2) IDS is better than most firewalls at alerting on "unsuccessful"
attacks that "bounce off" of your firewall or get through but pose no
real danger to your systems which are patched, etc. This information is
useful, because I think it is prudent to detect and track or block
persistent attackers; their first attacks may have been futile, but
maybe they'll get smarter. I wouldn't ignore incoming gunfire just
because they seem to keep missing.

On Wed, 25 Jan 2006, paul@xxxxxxxxxxxx wrote:

>> world no "bad" traffic can get through a properly configured proxy
>> firewall, BUT the bad guys have imaginations, too! Often better and
> evil imaginations that the guys who wrote the protocols and maybe even
>> better than the guy who wrote the proxy (sorry, MJR, but it is
>> possible).

>That doesn't change the fact that if you're not doing the basics right
>then bells and whistles don't improve your overall security posture as
>much as getting the basics right will.

>Look at Avishai's study- then tell me that more IDS is the first thing
>need, and do it with a straight face. Passive IR is a cool technology,

>but it sure as heck shouldn't be your first or only line of defense.
firewall-wizards mailing list