Re: IDS is dead, etc
From: Bennett Todd (bet_at_rahul.net)
Date: Fri, 8 Aug 2003 11:13:27 -0400
To: Barry Fitzgerald <firstname.lastname@example.org>
2003-08-07T16:49:10 Barry Fitzgerald:
> Oh yes, and someone (perhaps tongue-in-cheek) mentioned that a
> properly configured firewall removes the need for an NIDS.
Perhaps you're referring to my comment:
2003-08-06T14:57:53 Bennett Todd:
> 2003-08-06T07:39:28 Paul Schmehl:
> > Why would you want to know about Nimda attacks
> > against your servers?
> (or more generally, attacks that won't succeed)
> Some people _don't_ care. They need to disable the
> sigs they don't care about, or configure their IDS
> to only match those sigs against servers for which
> they're relevant.
> The limiting case of this argument says that given
> a really perfectly implemented firewall, you don't
> need an IDS at all. Some folks don't.
> I have to chime in and say that I couldn't possibly disagree more.
Understandable. I really shouldn't have included that remark; or
else I should have expanded on it. I didn't say "properly configured
firewall", I said "really perfectly implemented firewall", and I
meant something different by that, although I neglected to explain.
A perfectly implemented firewall allows no protocols through for
which there are vulnerable implementations inside. That means it's
impossible to implement a perfect firewall if you're going to allow
Windows users to have internet access. You can come moderately
close, with a hideous amount of work, but you'll still be very
exposed, and an IDS will be critical reinforcement of your flawed
But given suitable systems configuration, it is possible to have a
perfect firewall, and if you do then an IDS is just an educational
tool, and would probably be most useful in concert with a honeypot.