    2003-08-07T16:49:10 Barry Fitzgerald:
    > Oh yes, and someone (perhaps tongue-in-cheek) mentioned that a
    > properly configured firewall removes the need for an NIDS.

    Perhaps you're referring to my comment:

            2003-08-06T14:57:53 Bennett Todd:
    > 2003-08-06T07:39:28 Paul Schmehl:
    > > Why would you want to know about Nimda attacks
    > > against your servers?
    > (or more generally, attacks that won't succeed)
    > Some people _don't_ care. They need to disable the
    > sigs they don't care about, or configure their IDS
    > to only match those sigs against servers for which
    > they're relevant.
    > The limiting case of this argument says that given
    > a really perfectly implemented firewall, you don't
    > need an IDS at all. Some folks don't.

    > I have to chime in and say that I couldn't possibly disagree more.

    Understandable. I really shouldn't have included that remark; or
    else I should have expanded on it. I didn't say "properly configured
    firewall", I said "really perfectly implemented firewall", and I
    meant something different by that, although I neglected to explain.

    A perfectly implemented firewall allows no protocols through for
    which there are vulnerable implementations inside. That means it's
    impossible to implement a perfect firewall if you're going to allow
    Windows users to have internet access. You can come moderately
    close, with a hideous amount of work, but you'll still be very
    exposed, and an IDS will be critical reinforcement of your flawed

    But given suitable systems configuration, it is possible to have a
    perfect firewall, and if you do then an IDS is just an educational
    tool, and would probably be most useful in concert with a honeypot.

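The definition Todd gives above ("a perfect firewall allows no protocols through for which there are vulnerable implementations inside") and the earlier suggestion to match signatures only against the servers for which they're relevant can both be made mechanical. The following is an added example, not code from the thread or from any of its participants: it models an inbound first-match firewall policy, an inventory of what listens behind it, a set of implementations currently considered vulnerable, and a map from IDS signatures to the implementations they apply to. All hosts, addresses, rules, version strings and alerts are constructed for illustration; the IDS is assumed to sit outside the firewall, so it sees attempts the firewall will drop.

```python
"""Model of the 'perfect firewall' argument from the thread.

A policy is perfect for a site if no protocol it allows through reaches
an implementation inside that is currently considered vulnerable.  The
same data answers the other question raised in the thread: which IDS
alerts are worth looking at, i.e. which ones target a host that actually
runs an implementation the signature is written for, on a port the
firewall lets traffic reach.  Everything below is constructed sample data.
"""

from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    services: Dict[int, str]  # port -> implementation, e.g. {80: "iis/5.0"}


@dataclass(frozen=True)
class Rule:
    dst_ip: str   # "any" or one inside address
    dst_port: int
    action: str   # "allow" or "deny"


@dataclass(frozen=True)
class Alert:
    sig: str
    dst_ip: str
    dst_port: int


# Constructed inventory: what actually listens behind the firewall.
HOSTS = [
    Host("www", "10.0.0.10", {80: "apache/2.0.47"}),
    Host("mail", "10.0.0.20", {25: "sendmail/8.12.8"}),
    Host("intranet", "10.0.0.30", {80: "iis/5.0"}),
]

# Constructed first-match policy for traffic from the outside; anything
# not matched is denied (see allowed() below).
POLICY = [
    Rule("10.0.0.10", 80, "allow"),
    Rule("10.0.0.20", 25, "allow"),
]

# Constructed: implementations this site currently considers vulnerable.
VULNERABLE = {"iis/4.0", "iis/5.0", "sendmail/8.12.8"}

# Constructed: the implementations each signature is relevant to.
SIG_TARGETS = {
    "WEB-IIS nimda": {"iis/4.0", "iis/5.0"},
    "SMTP sendmail overflow": {"sendmail/8.12.8"},
}

# Constructed alerts as an IDS outside the firewall would raise them.
ALERTS = [
    Alert("WEB-IIS nimda", "10.0.0.10", 80),           # Nimda at Apache
    Alert("WEB-IIS nimda", "10.0.0.30", 80),           # IIS, but firewalled
    Alert("SMTP sendmail overflow", "10.0.0.20", 25),  # reachable and vulnerable
]


def allowed(policy: List[Rule], dst_ip: str, dst_port: int) -> bool:
    """First-match evaluation of the inbound policy; default deny."""
    for r in policy:
        if r.dst_port == dst_port and r.dst_ip in ("any", dst_ip):
            return r.action == "allow"
    return False


def exposure(policy: List[Rule], hosts: List[Host],
             vulnerable: Set[str]) -> List[Tuple[str, int, str]]:
    """(host, port, implementation) triples that are both reachable
    through the firewall and on the vulnerable list."""
    exposed = []
    for h in hosts:
        for port, impl in sorted(h.services.items()):
            if impl in vulnerable and allowed(policy, h.ip, port):
                exposed.append((h.name, port, impl))
    return exposed


def is_perfect(policy: List[Rule], hosts: List[Host],
               vulnerable: Set[str]) -> bool:
    """Todd's limiting case: nothing vulnerable is reachable."""
    return not exposure(policy, hosts, vulnerable)


def relevant_alerts(alerts: List[Alert], policy: List[Rule],
                    hosts: List[Host],
                    sig_targets: Dict[str, Set[str]]) -> List[Alert]:
    """Drop alerts against hosts that do not run an implementation the
    signature applies to, and alerts the firewall would never let through."""
    by_ip = {h.ip: h for h in hosts}
    kept = []
    for a in alerts:
        h = by_ip.get(a.dst_ip)
        impl = h.services.get(a.dst_port) if h else None
        if impl is None or impl not in sig_targets.get(a.sig, set()):
            continue
        if not allowed(policy, a.dst_ip, a.dst_port):
            continue
        kept.append(a)
    return kept


if __name__ == "__main__":
    print("exposed:", exposure(POLICY, HOSTS, VULNERABLE))
    print("perfect:", is_perfect(POLICY, HOSTS, VULNERABLE))
    print("after patching sendmail:",
          is_perfect(POLICY, HOSTS, VULNERABLE - {"sendmail/8.12.8"}))
    for a in relevant_alerts(ALERTS, POLICY, HOSTS, SIG_TARGETS):
        print("worth looking at:", a)
```

With the sample data the firewall is not perfect, because sendmail on the mail host is both reachable and on the vulnerable list; removing that one entry (patching it) makes `is_perfect` true, at which point every remaining alert is against something that cannot succeed and the IDS is, as the message says, an educational tool. Of the three alerts only the sendmail one survives filtering: the Nimda probe at Apache is irrelevant by implementation, and the one at the intranet IIS box is irrelevant because the firewall drops it. The model only covers inbound traffic; the outbound client side that makes a perfect firewall impractical for Windows desktops is not represented here.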