Re: IDS is dead, etc

From: Bennett Todd (bet_at_rahul.net)
Date: 08/08/03

  • Next message: Sam f. Stover: "Re: IDS is dead, etc"
    Date: Fri, 8 Aug 2003 11:13:27 -0400
    To: Barry Fitzgerald <bkfsec@sdf.lonestar.org>

    2003-08-07T16:49:10 Barry Fitzgerald:
    > Oh yes, and someone (perhaps tongue-in-cheek) mentioned that a
    > properly configured firewall removes the need for an NIDS.

    Perhaps you're referring to my comment:

    2003-08-06T14:57:53 Bennett Todd:
    > 2003-08-06T07:39:28 Paul Schmehl:
    > > Why would you want to know about Nimda attacks
    > > against your servers?
    >
    > (or more generally, attacks that won't succeed)
    >
    > Some people _don't_ care. They need to disable the
    > sigs they don't care about, or configure their IDS
    > to only match those sigs against servers for which
    > they're relevant.
    >
    > The limiting case of this argument says that given
    > a really perfectly implemented firewall, you don't
    > need an IDS at all. Some folks don't.

    > I have to chime in and say that I couldn't possibly disagree more.

    Understandable. I really shouldn't have included that remark; or
    else I should have expanded on it. I didn't say "properly configured
    firewall", I said "really perfectly implemented firewall", and I
    meant something different by that, although I neglected to explain.

    A perfectly implemented firewall allows no protocols through for
    which there are vulnerable implementations inside. That means it's
    impossible to implement a perfect firewall if you're going to allow
    Windows users to have internet access. You can come moderately
    close, with a hideous amount of work, but you'll still be very
    exposed, and an IDS will be critical reinforcement of your flawed
    security.

    But given suitable systems configuration, it is possible to have a
    perfect firewall, and if you do then an IDS is just an educational
    tool, and would probably be most useful in concert with a honeypot.

    -Bennett
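Two of the points above lend themselves to a concrete check: scoping IDS signatures to the hosts they can actually affect, and testing whether a firewall policy is "perfect" in the sense Bennett gives (no protocol allowed through to a vulnerable implementation). The following Python is an added example and is not part of the thread or of any IDS product; the hosts, tags, signature ids and firewall rules are constructed placeholders, not real assets or real rule ids.

```python
# Added example (not from the thread): asset-aware IDS alert scoping and a
# firewall-policy exposure check. Every host, tag, signature id and rule
# below is a constructed placeholder.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Signature:
    sid: int                   # constructed id, not a real IDS rule id
    name: str
    requires: FrozenSet[str]   # stack the attack needs on the target to succeed


@dataclass(frozen=True)
class Asset:
    ip: str
    runs: FrozenSet[str]       # what the host actually runs, per inventory
    vulnerable: FrozenSet[str] # services whose implementation is known-flawed


# Constructed sample data: two signatures, three inventoried hosts.
SIGNATURES: Dict[int, Signature] = {
    1000001: Signature(1000001, "IIS directory traversal (Nimda-style)",
                       frozenset({"windows", "iis"})),
    1000002: Signature(1000002, "SSH password brute force",
                       frozenset({"ssh"})),
}
INVENTORY: Dict[str, Asset] = {
    "10.0.0.10": Asset("10.0.0.10", frozenset({"linux", "apache", "http"}),
                       frozenset()),
    "10.0.0.20": Asset("10.0.0.20", frozenset({"windows", "iis", "http"}),
                       frozenset({"http"})),   # its HTTP stack is the flawed one
    "10.0.0.30": Asset("10.0.0.30", frozenset({"linux", "ssh"}),
                       frozenset()),
}


def classify_alert(sid: int, dst_ip: str,
                   signatures: Dict[int, Signature] = SIGNATURES,
                   inventory: Dict[str, Asset] = INVENTORY) -> str:
    """Decide whether an alert for `sid` against `dst_ip` can matter.

    'relevant'   : target runs everything the attack depends on
    'irrelevant' : target is inventoried and lacks the required stack
    'unknown'    : target is not in the inventory; keep the alert, since
                   nothing lets us rule it out
    """
    sig = signatures[sid]
    asset: Optional[Asset] = inventory.get(dst_ip)
    if asset is None:
        return "unknown"
    if sig.requires <= asset.runs:
        return "relevant"
    return "irrelevant"


def exposed_services(allowed: List[Tuple[str, str]],
                     inventory: Dict[str, Asset] = INVENTORY
                     ) -> List[Tuple[str, str]]:
    """Given (dst_ip, service) pairs the firewall permits inbound, return
    those that reach a vulnerable implementation, or an uninventoried host
    (treated as exposure because it cannot be verified). An empty result is
    the 'perfect firewall' condition from the post."""
    exposed = []
    for dst_ip, service in allowed:
        asset = inventory.get(dst_ip)
        if asset is None or service in asset.vulnerable:
            exposed.append((dst_ip, service))
    return exposed


if __name__ == "__main__":
    # A Nimda-style alert against the Linux/Apache box is noise; the same
    # alert against the Windows/IIS box is not.
    print(classify_alert(1000001, "10.0.0.10"))   # irrelevant
    print(classify_alert(1000001, "10.0.0.20"))   # relevant
    policy = [("10.0.0.10", "http"), ("10.0.0.20", "http"),
              ("10.0.0.30", "ssh")]
    print(exposed_services(policy))               # [('10.0.0.20', 'http')]
```

The `requires` / `runs` tag sets stand in for whatever an inventory can supply (OS fingerprint, service banner, patch state); the same subset test works with finer tags. In practice the IDS-side equivalent of `classify_alert` is restricting a rule's destination to a host group rather than the whole monitored range, which is what the quoted advice about matching sigs only against relevant servers amounts to.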
