RE: IDS is dead, etc

From: Bob Buel (bob_at_buel.org)
Date: 08/08/03

  • Next message: Bennett Todd: "Off-Topic: perfect firewall (was Re: IDS is dead, etc)"
    To: "'Bennett Todd'" <bet@rahul.net>, "'Barry Fitzgerald'" <bkfsec@sdf.lonestar.org>
    Date: Fri, 8 Aug 2003 11:34:46 -0500
    
    

    Gentlemen:

    Being a spectator to this discussion, I have to comment on the obvious,
    that in security, there can be no "perfectly implemented" anything. As
    long as there is access to a system, there can be an attack. Your
    firewall could be hacked. You can't say that there's not some
    vulnerability that will be in tomorrow's news. You can't even say that
    you won't have a hormonal imbalance on Monday morning, and alter that
    "perfect implementation". How can you make your systems safe? Go to your
    switch now and unplug all servers from their jacks. Are they safe now?
    No, of course not, since they can still be accessed via console. Ok,
    turn off the server, and put it in a vault behind a 7 foot concrete
    bunker. Is it safe? Nope. Still can't say that. (Verisign unplugs their
    root server, uses a bunker, alarms, armed guards, and still won't ever
    say it's safe!)
    Sure, the odds are better, but whether or not your system will actually
    be attacked is an equation byproduct of the attacker's motivation and
    your safeguards.
    Now, if you will excuse the dialectical silliness of this rant, the
    purpose of an NIDS is now clear--it is a reporting tool of what actually
    did or tried to happen on that network.

    Much as I appreciate the practicality of what you are saying, and agree
    totally with it in an ideal sort of way, I can never say those thoughts
    out loud where someone might hear it, because it is not a perfect world,
    never will be, and I can't afford not to keep a watchful eye for
    someone, sufficiently motivated, who will do the impossible!

    Good day, gentlemen one and all,
    and I have thoroughly enjoyed your discussion!

    Bob

    Subject: Re: IDS is dead, etc

    2003-08-07T16:49:10 Barry Fitzgerald:
    > Oh yes, and someone (perhaps tongue-in-cheek) mentioned that a
    > properly configured firewall removes the need for an NIDS.

    Perhaps you're referring to my comment:

    2003-08-06T14:57:53 Bennett Todd:
    > 2003-08-06T07:39:28 Paul Schmehl:
    > > Why would you want to know about Nimda attacks
    > > against your servers?
    >
    > (or more generally, attacks that won't succeed)
    >
    > Some people _don't_ care. They need to disable the
    > sigs they don't care about, or configure their IDS
    > to only match those sigs against servers for which
    > they're relevant.
    >
    > The limiting case of this argument says that given
    > a really perfectly implemented firewall, you don't
    > need an IDS at all. Some folks don't.

    > I have to chime in and say that I couldn't possibly disagree more.

    Understandable. I really shouldn't have included that remark; or
    else I should have expanded on it. I didn't say "properly configured
    firewall", I said "really perfectly implemented firewall", and I
    meant something different by that, although I neglected to explain.

    A perfectly implemented firewall allows no protocols through for
    which there are vulnerable implementations inside. That means it's
    impossible to implement a perfect firewall if you're going to allow
    Windows users to have internet access. You can come moderately
    close, with a hideous amount of work, but you'll still be very
    exposed, and an IDS will be critical reinforcement of your flawed
    security.

    But given suitable systems configuration, it is possible to have a
    perfect firewall, and if you do then an IDS is just an educational
    tool, and would probably be most useful in concert with a honeypot.

    -Bennett
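The thread's practical suggestion, quoted above, is to match a signature only against the hosts that actually run the implementation it targets (a Nimda probe against an Apache box is a failed attempt worth logging, not an incident). The following is an added illustration of that triage rule, not code from either poster or from any IDS product; the inventory, signature ids and alerts are all constructed sample data, and unknown hosts are deliberately treated as relevant so a gap in the inventory never silences an alert.

```python
"""Added example: scope IDS signatures to the hosts where they are relevant.

Everything here is constructed sample data; the SIDs are placeholders, not
real rule identifiers from any IDS ruleset.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    sid: int
    name: str
    target_service: str  # the implementation the attack needs, e.g. "iis"


@dataclass(frozen=True)
class Host:
    ip: str
    services: frozenset  # implementations actually running on this host


@dataclass(frozen=True)
class Alert:
    sid: int
    src: str
    dst: str


# Constructed inventory: one IIS web server, one Apache server, one workstation.
INVENTORY = {
    "10.0.0.10": Host("10.0.0.10", frozenset({"iis"})),
    "10.0.0.11": Host("10.0.0.11", frozenset({"apache"})),
    "10.0.0.50": Host("10.0.0.50", frozenset()),
}

# Constructed signatures (placeholder SIDs).
SIGNATURES = {
    1001: Signature(1001, "Nimda-style IIS traversal probe", "iis"),
    1002: Signature(1002, "Apache chunked-encoding probe", "apache"),
}

# Constructed alert stream as an IDS might emit it (sid, source, destination).
SAMPLE_ALERTS = [
    Alert(1001, "198.51.100.7", "10.0.0.10"),  # IIS probe at the IIS host
    Alert(1001, "198.51.100.7", "10.0.0.11"),  # same probe at the Apache host
    Alert(1001, "198.51.100.7", "10.0.0.50"),  # same probe at a workstation
    Alert(1002, "203.0.113.9", "10.0.0.11"),   # Apache probe at the Apache host
    Alert(1002, "203.0.113.9", "10.0.0.99"),   # host missing from the inventory
]


def is_relevant(alert, inventory, signatures):
    """True when the destination runs the implementation the signature targets.

    A destination absent from the inventory is treated as relevant: with no
    inventory there is no basis for suppressing the alert.
    """
    sig = signatures[alert.sid]
    host = inventory.get(alert.dst)
    if host is None:
        return True
    return sig.target_service in host.services


def triage(alerts, inventory=INVENTORY, signatures=SIGNATURES):
    """Split alerts into 'actionable' (targeted service is present) and
    'informational' (a failed attempt that is still recorded, since an NIDS
    reports what was attempted, not only what succeeded)."""
    actionable, informational = [], []
    for alert in alerts:
        bucket = actionable if is_relevant(alert, inventory, signatures) else informational
        bucket.append(alert)
    return actionable, informational


if __name__ == "__main__":
    act, info = triage(SAMPLE_ALERTS)
    for a in act:
        print("ACTIONABLE   ", SIGNATURES[a.sid].name, a.src, "->", a.dst)
    for a in info:
        print("INFORMATIONAL", SIGNATURES[a.sid].name, a.src, "->", a.dst)
```

On the constructed input this yields three actionable alerts (the IIS probe at the IIS host, the Apache probe at the Apache host, and the probe at the host missing from the inventory) and two informational ones; the informational bucket is kept rather than dropped, which is the reporting role Bob's message assigns to an NIDS.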


