[fw-wiz] IDS/IPS and LOGS

A few cents on IDS/IPS and Logs:

IDS is great at identifying which previously discovered and quantified
nasty behavior is happening on your network (where your network is
either inside, outside or DMZ). But it doesn't give you much when you
encounter something new and unknown (day zero). And there are more of
these day zero attacks coming along all the time.

IPS is also great at blocking many Internet attacks, but it has limited
use on the outside (your Internet attachment): if anyone wises up to
the fact that you have an IPS in place, a spoofed attack could easily
turn your IPS into a big denial-of-service attack. IPS is best used
inside your network, where you know that bad traffic is always bad
traffic and isn't a spoofed DoS attack.

On the subject of log analysis:

My guess is that most of the World's firewalls and IDS/IPS only have half
of their capabilities ever put into use. Heck, I just realized that one
of our firewall pairs has been running for two years without the onboard
encryption hardware turned on! But I digress. The point is this: every
day you, as the security practitioner, should be checking your firewall
and IDS/IPS logs and developing another rule or two to add that will
reduce logging for traffic you know is not important. Then add that rule
into your change control process, document it and implement it. Now
you're one step closer to a log that actually has only the bad stuff in
it. Do this every day and within a very short time you will be
looking at smaller logs that actually mean something.

I have been looking at SEM for some time and they all lack one important
piece - a simple, easy interface for developing and deploying filters.

But, the biggest catch to all of this is that you actually must have a
real security policy. But, the policy must live and breathe and grow in
such a way as to not impact the business - much. It must evolve year on
year, each time bringing more controls and closer scrutiny to all paths
and byways in your network. Just make sure you have well integrated
systems and processes so that you don't become the choke point for every
single infrastructure request that happens within your company.

Mike Hawkins

New York Office: 212-208-3888

White Plains Office: 914-729-2790

Mobile: 917-887-3614
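Mike's daily routine above (read the firewall log, write a rule that stops logging traffic you have decided is unimportant, look at what is left) and Adrian's point further down the thread (parsing is the easy part; the hard part is turning parsed records into conclusions) are shown together in the following script. This is an added example written for this page, not code from anyone in the thread. It uses constructed iptables-style LOG lines, a hypothetical KNOWN_BENIGN table standing in for the analyst's judgement about which noisy patterns are harmless, and an illustrative iptables DROP rule as the suppression it proposes.

```python
"""Daily firewall-log noise reduction: parse, summarize, suppress, interpret.

All log lines below are constructed for this example (no real hosts). The
generated iptables rules are illustrative fragments meant to sit ahead of the
LOG rule in the chain after going through change control.
"""
import re
from collections import Counter, defaultdict

# Matches the iptables LOG format with an "ACCEPT"/"DENY" prefix. ICMP records
# have no SPT/DPT, so that group is optional.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) kernel: (?P<action>ACCEPT|DENY) "
    r"IN=(?P<iface>\S*) .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?"
    r"PROTO=(?P<proto>\w+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def parse_line(line):
    """Return a record dict for a firewall LOG line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dpt"] = int(rec["dpt"]) if rec["dpt"] else None
    return rec


def _line(ts, action, src, dst, proto, spt, dpt):
    return (f"Feb  2 {ts} fw1 kernel: {action} IN=eth0 OUT= "
            f"SRC={src} DST={dst} LEN=60 PROTO={proto} SPT={spt} DPT={dpt}")


# Constructed sample log: two kinds of known broadcast noise, one outside host
# walking ports on the DMZ web server, one stray RDP attempt, one non-firewall line.
SAMPLE_LOG = (
    [_line(f"23:00:{i:02d}", "DENY", f"192.168.1.{10 + i}", "192.168.1.255", "UDP", 137, 137)
     for i in range(12)]
    + [_line(f"23:01:{i:02d}", "DENY", f"192.168.1.{10 + i}", "239.255.255.250", "UDP", 1900 + i, 1900)
       for i in range(8)]
    + [_line(f"23:02:{i:02d}", "DENY", "203.0.113.7", "198.51.100.10", "TCP", 40000 + i, p)
       for i, p in enumerate([21, 22, 23, 25, 110, 143, 445, 3389])]
    + [_line("23:03:00", "DENY", "198.51.100.200", "198.51.100.10", "TCP", 51000, 3389)]
    + ["Feb  2 23:03:01 fw1 sshd[412]: Accepted publickey for admin from 192.168.1.5"]
)

# The analyst's judgement, which the tool cannot infer: patterns already reviewed
# and declared unimportant. Hypothetical entries for this example.
KNOWN_BENIGN = {
    ("UDP", 137, "192.168.1.255"): "NetBIOS name-service broadcast",
    ("UDP", 1900, "239.255.255.250"): "SSDP multicast discovery",
}


def summarize(records):
    """Count denied flows by (proto, dport, dst): the view read each day."""
    return Counter((r["proto"], r["dpt"], r["dst"]) for r in records if r["action"] == "DENY")


def propose_suppressions(summary, min_count=5):
    """One no-log rule per benign pattern that is actually producing volume.

    A pattern not in KNOWN_BENIGN is never suppressed, however noisy: that is
    exactly the traffic that still needs a human to look at it.
    """
    rules = []
    for key, n in summary.most_common():
        if n >= min_count and key in KNOWN_BENIGN:
            proto, dpt, dst = key
            rules.append({"match": key, "count": n, "reason": KNOWN_BENIGN[key],
                          "iptables": f"-I INPUT -p {proto.lower()} -d {dst} --dport {dpt} -j DROP"})
    return rules


def apply_suppressions(records, rules):
    keys = {r["match"] for r in rules}
    return [r for r in records if (r["proto"], r["dpt"], r["dst"]) not in keys]


def find_port_walks(records, min_ports=5):
    """Interpretation step: one source denied on many distinct ports of one host."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "DENY" and r["dpt"] is not None:
            ports[(r["src"], r["dst"])].add(r["dpt"])
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}


def run(lines=SAMPLE_LOG):
    records = [r for r in map(parse_line, lines) if r]
    rules = propose_suppressions(summarize(records))
    residual = apply_suppressions(records, rules)
    return {"parsed": len(records), "rules": rules, "residual": residual,
            "port_walks": find_port_walks(residual)}


if __name__ == "__main__":
    out = run()
    print(f"parsed {out['parsed']} of {len(SAMPLE_LOG)} lines")
    for rule in out["rules"]:
        print(f"suppress {rule['count']:3d} x {rule['reason']}: {rule['iptables']}")
    print(f"{len(out['residual'])} lines left to read")
    for (src, dst), ports in out["port_walks"].items():
        print(f"{src} walked {len(ports)} ports on {dst}: {ports}")
```

Of the 29 firewall records, 20 are broadcast chatter and get a proposed DROP rule each; the 9 that survive include the eight-port walk from 203.0.113.7, which the interpretation step reports as a single finding rather than eight lines. The one-off RDP attempt stays in the residual log too, since nothing has declared it benign.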

-----Original Message-----
From: firewall-wizards-admin@xxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-admin@xxxxxxxxxxxxxxxxxx] On Behalf Of Adrian
Sent: Thursday, February 02, 2006 11:01 PM
To: firewall-wizards@xxxxxxxxxxxxxxxxxx
Subject: Re: [fw-wiz] parsing logs ultra-fast inline

What do we want to know?


The compilation of the most popular reports that we would like to see
a firewall (or other similar device) log analysis - from a thread
by mjr in the Log Analysis mailing list.

I noticed that there is a big emphasis on log parsing while there should
be more discussions about the interpretation of the log parsing results.
I have worked with logs from quite a few types of firewalls but parsing them
has never been the problem. Yes, it is a tedious, frustrating job but a rather
one in comparison with the task of "programmatically" interpreting their
meaning. Take Tina's VPN example - how many types of log entries would you
expect from a VPN concentrator? From my experience, not more than 20 but
let's assume there are 50. Give a sample from each entry to a Perl
programmer and you will have the parsing script done in a day or two. So
you have the data, but what are you doing with it? What is relevant to a VPN
administrator? Even a seasoned security professional would appreciate
"conclusions" that a reporting tool would provide from the data in the

That being said, I agree that when you have to analyze 100 GB worth of
parsing them becomes a (big) problem and you need to optimize as much as
possible. Actually, a "mere" 1 GB log is a show stopper for many
on the market.


Adrian Grigorof
Altair Technologies

----- Original Message -----
From: "Tina Bird" <tbird@xxxxxxxxxxxxxxxxxxxxxxx>
To: "'Marcus J. Ranum'" <mjr@xxxxxxxxx>;
Sent: Thursday, February 02, 2006 13:21
Subject: RE: [fw-wiz] parsing logs ultra-fast inline

marcus has been sufficiently saying what i do that i've not felt obliged
to participate in this thread, until finally:

-----Original Message-----
From: Marcus J. Ranum [mailto:mjr@xxxxxxxxx]
Sent: Wednesday, February 01, 2006 1:04 PM
To: firewall-wizards@xxxxxxxxxxxxxxxxxx
Subject: [fw-wiz] parsing logs ultra-fast inline



so f'r instance, imagine i've landed in a new job at a company without a
centralized logging infrastructure. the network is the usual
of file servers, mail, web stuff, firewalls, routers, remote access. and
databases, of course. and some custom code. i'd go MAD if i tried to
the uber-logging facility all in one go.


