Firewalls (was Re: IDS evaluations procedures)
From: Devdas Bhagat (devdas_at_dvb.homelinux.org)
Date: 07/17/05
- Previous message: Joel M Snyder: "Re: NetIQ Security Manager: Is it a good product for IDS on windows?"
- In reply to: Nathan Davidson: "RE: IDS evaluations procedures"
- Next in thread: Richard Bejtlich: "Re: Firewalls (was Re: IDS evaluations procedures)"
- Reply: Richard Bejtlich: "Re: Firewalls (was Re: IDS evaluations procedures)"
- Reply: Fergus Brooks: "Re: Firewalls (was Re: IDS evaluations procedures)"
- Maybe reply: Biswas, Proneet: "RE: Firewalls (was Re: IDS evaluations procedures)"
- Maybe reply: Richard Bejtlich: "Re: Firewalls (was Re: IDS evaluations procedures)"
- Maybe reply: Hovis, Chris: "RE: Firewalls (was Re: IDS evaluations procedures)"
- Maybe reply: Kyle Quest: "RE: Firewalls (was Re: IDS evaluations procedures)"
- Maybe reply: Swift, David: "RE: Firewalls (was Re: IDS evaluations procedures)"
- Maybe reply: Swift, David: "RE: Firewalls (was Re: IDS evaluations procedures)"
- Maybe reply: Fergus Brooks: "Re: Firewalls (was Re: IDS evaluations procedures)"
- Maybe reply: Sanjay Rawat: "Re: Firewalls (was Re: IDS evaluations procedures)"
- Maybe reply: Swift, David: "RE: Firewalls (was Re: IDS evaluations procedures)"
- Maybe reply: Ha, Jason: "RE: Firewalls (was Re: IDS evaluations procedures)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 17 Jul 2005 23:30:39 +0530
To: focus-ids@securityfocus.com
On 16/07/05 07:29 -0400, Nathan Davidson wrote:
> Hi Adam,
>
> I am sure Tim can answer this one very well, but over the last 12 months
> I have spent a lot of time working with IPS in an IDS orientated company.
> So I thought I'd share my experiences.
>
> When we deploy an in-line IPS solution we define a number of parameters
> in the policy that should be present in ALL valid requests (White-listing).
> I use this to filter out all traffic that I know must be malicious. From
Isn't _all_ traffic supposed to be malicious unless proven safe?
> my experience this is up to 95% of worm/scan traffic. We then apply IDS
> style signatures based on known attack vectors (Black-listing) but only
> on the remaining 5% of traffic. Thus we should have up to 95% less false
> positives (and generally we do). Additional benefits can be gained by
> dropping all subsequent packets from an abusing source IP address.
>
> An example would be to use an IPS to force all HTTP requests to have the
> host header www.xyz.com (your site's URL); this will stop a significant
> proportion of HTTP noise before signature matching.
Ugh! xyz.com is a legitimate domain. Please use example.com when giving
examples (or example.net or example.org).
>
> Conversely with IDS you just don't have the ability to white list
> traffic in this way, I guess you could RST any request that didn't
> match the URL but I think fragmented buffer overflows and the like
> could sneak through - so it's risky.
An IDS is not an attack prevention mechanism. An IDS is a tool to detect
when your active attack detection mechanisms have been bypassed. An IDS is
passive. It tells you what it can see, but it is not supposed to do
anything to that traffic. Active elements are called firewalls, and
firewalls include both packet filters and proxies.
>
> As you alluded to, the IPS signatures tend to be less aggressive than
> those on the IDS which I think reflects the much higher penalty of
> false positives on an in-line blocking device. For this reason I do
> still deploy NIDS/HIDS on the inside to collect forensic data, with
> the added benefit of having a second manufacturer's signatures.
>
>   Internet
>      |
>     IPS
>      |
>   Firewall
>      |
>      |
>   Switch === NIDS
>      |
>      |
>    HIDS
>   Server
>
Internet ===> Packet filter ===> proxy ===> Switch ===> Hardened server
                   |               |          |               |
                   |               |        NIDS         Log analyser
                   |               |          |               |
                   |---------------|----------|---------------|--- Reporting tool

Slightly better architecture.
Devdas Bhagat
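As an added illustration of the two-stage scheme Nathan describes (white-list on the Host header first, run signatures only on what survives), here is a small Python model that is not from either poster. The allowed hosts, the signature set and the sample requests are all constructed for the example, and example.com is used as asked above.

```python
import re
from collections import Counter
# White-list (constructed): the only Host values legitimate requests for this site carry.
ALLOWED_HOSTS = {b"www.example.com", b"example.com"}

# Black-list (constructed stand-ins for vendor IDS rules), evaluated only after the white-list.
SIGNATURES = {
    "directory-traversal": re.compile(rb"\.\./|%2e%2e/", re.I),
    "shell-invocation": re.compile(rb"cmd\.exe|/bin/sh", re.I),
}

def request_host(raw):
    """Return the normalised Host (lower case, port stripped) or None if the request has none."""
    head = raw.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    # RFC 2616 s5.2: an absolute-URI in the request line overrides Host; read what the server reads.
    m = re.match(rb"\S+\s+https?://([^/\s]+)", head[0], re.I)
    if m:
        hostport = m.group(1)
    else:
        hdrs = [h for h in head[1:] if h.lower().startswith(b"host:")]
        if not hdrs:
            return None          # HTTP/1.0-style request: nothing to white-list on, so it is dropped
        hostport = hdrs[0].split(b":", 1)[1].strip()
    return hostport.rsplit(b":", 1)[0].lower()   # drop an optional :port (IPv6 literals not handled)

def classify(raw):
    """Two-stage verdict: white-list first, signatures only on requests that get through it."""
    host = request_host(raw)
    if host not in ALLOWED_HOSTS:
        return ("drop", "host-whitelist")
    for name, sig in SIGNATURES.items():
        if sig.search(raw):
            return ("drop", name)
    return ("pass", None)

# Constructed request heads, as an in-line device sees them after TCP reassembly.
SAMPLE_REQUESTS = [
    b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: WWW.EXAMPLE.COM:80\r\n\r\n",             # case and port differ
    b"GET http://www.example.com/a HTTP/1.1\r\nHost: other.example.net\r\n\r\n",  # absolute-URI wins
    b"GET /probe HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n",                          # scan aimed at a bare IP
    b"GET /scripts/cmd.exe HTTP/1.0\r\n\r\n",                                    # no Host header at all
    b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n",  # valid Host, bad URL
]

def summarise(requests):
    """Verdict counts, plus how many requests the signature stage actually had to inspect."""
    verdicts = Counter(classify(r) for r in requests)
    stage2 = len(requests) - verdicts[("drop", "host-whitelist")]
    return dict(verdicts), stage2
```

Of the six constructed requests only four reach the signature stage; the one with no Host header is dropped before its cmd.exe path is ever matched, which is the ordering Nathan relies on.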