RE: Need help to choose a security policy

From: CEDRIC CASSIN (anginapectoris_at_caramail.com)
Date: 05/10/04

Next message: Ravishankar Ithal: "Re: amount of alarms generated by IDS"
To: focus-ids@securityfocus.com
Date: Mon, 10 May 2004 14:03:48 GMT

    (Send failure, so I am sending it again; a few of you may have already received it, but not everybody.)

    Thank you for your quick response.

    Here is a quick summary of the devices my company uses.
    IDS: ISS RealSecure (HIDS and NIDS) and Cisco 4235 (NIDS)
    Firewall: Cisco PIX 525 or Check Point
    They are normally robust devices.
     
    < I don't think that trying to match your firewall accept rules is
    < precisely the best move. Better configure only rules relevant to your
    < architecture (for example, you might have only one type of web server,
    < so disable all rules that deal with attacks to other types of web
    < servers you don't have).

    It seems to correspond with my point of view. For example, I see that SMTP
    traffic is allowed, so I look for all the signatures that check attacks
    through this service and then make my choice among these signatures
    depending on my network architecture (OS, software, etc.). This will fit
    my needs and decrease logs. Am I right?

    BUT... for example, I have a lot of alerts for the SQL Slammer worm, but
    there is no accept rule on the firewall. So I know that the firewall will
    block them. It's evidence for me that I shouldn't pay attention to this
    attack. This attack will not get into the internal network, but is it
    interesting to keep track of this as information about possible intruders?
    Should it be considered as noise like scans and so on? (too much data to be
    manageable) Is it simply a scan attack, so not necessarily against us and
    not really relevant?

    < Last but not least, if your IDS allows you to create custom rules,

    I guess it's possible..

    < then you should consider creating some that verify policy compliance.
    < Should your corporate web server start ftp connections to workstations
    < in your internal network? If not then you might as well forbid all these
    < "suspicious" activities. Much better if you can apply positive logic in
    < these rules (like in firewalls), for example, in snort you could create
    < 'pass' rules for that which is allowed and then create some general
    < 'alert' rules that will trigger when activity other than that permitted
    < is detected. This will take you time and increase your rule database,
    < but these are the kind of rules that when you see them on your report
    < you know that there is something very bad going on, they don't get
    < obsolete so fast and they help catching unknown/new attacks, viruses/worms
    < and the like (so they are worth implementing for critical servers).

    It is a different way of tuning the IDS, not only matching signatures with
    attacks but also analysing normal and abnormal behaviour in the traffic.
    Am I right? I read some stuff about that. It seems to be quite hard. I
    don't know if our IDS handles this, but I know that I can tune them with
    some Snort-like rules.

    < hope this helps.
    Thank you very much

    Regards,

    Cedric Cassin

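As an added illustration of the positive-logic approach described in the quoted reply (example rules written for this page, not taken from the thread or from either poster): a Snort 2 style ruleset that whitelists with `pass` rules the traffic a corporate web server is expected to handle and fires a few general `alert` rules on anything else, including the FTP-to-workstations case the reply mentions. The addresses and the WEB_SERVER / INTERNAL_NET / DNS_SERVER variables are assumptions.

```snort
# Added example, not from the thread. Addresses are placeholders (RFC 5737 / RFC 1918).
var WEB_SERVER 192.0.2.10
var INTERNAL_NET 10.0.0.0/8
var DNS_SERVER 10.0.0.53

# Snort 2 evaluates alert rules BEFORE pass rules by default, which would
# defeat the whitelist below. Put pass rules first (equivalent to `snort -o`).
config order: pass alert log activation dynamic

# --- Positive logic: what is ALLOWED --------------------------------------
# Inbound: clients may open HTTP/HTTPS connections to the server.
pass tcp any any -> $WEB_SERVER 80  (msg:"POLICY allowed inbound HTTP";  sid:1000001; rev:1;)
pass tcp any any -> $WEB_SERVER 443 (msg:"POLICY allowed inbound HTTPS"; sid:1000002; rev:1;)
# Outbound: the server itself may only query the corporate DNS resolver.
pass udp $WEB_SERVER any -> $DNS_SERVER 53 (msg:"POLICY allowed DNS query"; sid:1000003; rev:1;)

# --- Catch-all alerts: anything not passed above is a policy violation ------
# flags:S matches only the initial SYN, so replies to allowed sessions
# (SYN/ACK, data) never trigger these rules.
# The specific case from the reply gets its own message for a clearer report.
alert tcp $WEB_SERVER any -> $INTERNAL_NET 21 (msg:"POLICY web server opened FTP to internal host"; flags:S; classtype:policy-violation; sid:1000010; rev:1;)
# Any other connection the web server initiates toward the internal network.
alert tcp $WEB_SERVER any -> $INTERNAL_NET any (msg:"POLICY web server initiated TCP to internal net"; flags:S; classtype:policy-violation; sid:1000011; rev:1;)
# Any UDP the web server sends that was not passed as DNS above.
alert udp $WEB_SERVER any -> any any (msg:"POLICY web server sent UDP other than DNS"; classtype:policy-violation; sid:1000012; rev:1;)
# Any inbound connection attempt to a port other than the passed 80/443.
alert tcp any any -> $WEB_SERVER any (msg:"POLICY inbound connection to web server on non-web port"; flags:S; classtype:policy-violation; sid:1000013; rev:1;)
```

Because the rules describe the server's expected behaviour rather than a known attack signature, they keep working against new worms or tools, at the cost of having to be revised whenever the server's legitimate traffic profile changes.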


