RE: Odd scans and stuff bouncing off firewalls

From: Edwards, David (JTS) (Edwards.Dave@saugov.sa.gov.au)
Date: 08/14/02


From: "Edwards, David  (JTS)" <Edwards.Dave@saugov.sa.gov.au>
To: incidents@securityfocus.com
Date: Wed, 14 Aug 2002 09:40:18 +0930

Hi,

> -----Original Message-----
> From: Craig Billado [mailto:billadoc@us.ibm.com]
> Sent: Wednesday, 14 August 2002 3:20 AM
> Cc: incidents@securityfocus.com
> Subject: Re: Odd scans and stuff bouncing off firewalls
>
> Nexus,
>
> I agree that there is a lot of overhead maintaining external
> IDS sensors.
> In the event that the "filtering device" fails, however,
> subsequent attacks
> into and through the DMZ may be difficult to detect without them.

[snip sweet comment :-]

> If you feel that
> the border firewall is impervious to attack or compromise --
> moreover, that
> the internal sensors are equipped to detect the consequences
> thereof --
> then I suppose an external sensor can be dismissed.
> Otherwise, I'd keep one
> out there on the wild-side.

This has all the hallmarks of a religious debate, eh?

I've thought long and hard about this and FWIW, the
conclusion I came up with was this.

IDS is designed to "detect" intrusions which seems to
imply that it goes behind the devices designed to "block" them,
else you are installing "Attempted Intrusion Detection Systems".
Hmmm, I don't think I want to add that to my CV ;-)

A perimeter normally consists of multiple security devices
including an external filter (router) and internal, much
smarter firewall. So where would you put the external
sensor if you want to see all attack attempts aimed at
you?

Between the firewall and the filter? But then it would
miss most of the port scans if the filter is doing its job.

Outside the filter? But then you are basically just gathering
stats and dshield already does a brilliant job here.

Each to their own of course. I can see a need to install
an external sensor if your business is network security as
you need to test the efficiency of the IDS sensor, but you are
just making a rod for your own back if you install them outside
an ordinary corporate network.

In any case, logs from the filter and firewall will normally
give you most of the data you want.

ciao
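A worked illustration of the placement argument above (an added example, not code from the post or from any product it mentions). It feeds constructed filter-router and firewall log lines through a small parser and then answers two questions: which sources look like port scanners according to the device logs alone, and which of that evidence a sensor sitting between the filter and the firewall would never have seen, because the filter dropped the packets first. The log format is a simplified iptables/netfilter syslog style, and the hostnames "filter" and "fw" are an assumed convention for the external packet filter and the inner firewall; the addresses are from the RFC 5737 documentation ranges.

```python
"""Summarise what the filter (border router) and inner firewall logs show,
and what a sensor placed between them would and would not have seen.

Constructed example for this thread: the log lines below are made up in a
simplified iptables/netfilter syslog style, and the hostnames "filter" and
"fw" are assumed to identify the external packet filter and the inner
firewall respectively.  Addresses are from the RFC 5737 documentation ranges.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample log lines (not real traffic).
SAMPLE_LOGS = """\
Aug 14 09:40:18 filter kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40000 DPT=21
Aug 14 09:40:18 filter kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40001 DPT=23
Aug 14 09:40:18 filter kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40002 DPT=25
Aug 14 09:40:19 filter kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40003 DPT=79
Aug 14 09:40:19 filter kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40004 DPT=110
Aug 14 09:40:19 filter kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40005 DPT=111
Aug 14 09:40:20 filter kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40006 DPT=135
Aug 14 09:40:20 filter kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40007 DPT=139
Aug 14 09:40:21 fw kernel: DROP IN=eth1 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40008 DPT=8080
Aug 14 09:41:02 filter kernel: DROP IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.10 PROTO=ICMP TYPE=8 CODE=0
Aug 14 09:41:03 filter kernel: DROP IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.10 PROTO=UDP SPT=1030 DPT=161
Aug 14 09:42:10 fw kernel: ACCEPT IN=eth1 OUT=eth2 SRC=192.0.2.44 DST=198.51.100.10 PROTO=TCP SPT=51234 DPT=80
Aug 14 09:42:11 fw kernel: ACCEPT IN=eth1 OUT=eth2 SRC=192.0.2.44 DST=198.51.100.10 PROTO=TCP SPT=51235 DPT=443
"""

# DPT is optional so that ICMP and other port-less records still parse.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+kernel:\s+"
    r"(?P<action>[A-Z]+)\s.*?\bSRC=(?P<src>[\d.]+)\s.*?\bDST=(?P<dst>[\d.]+)\s"
    r".*?\bPROTO=(?P<proto>\w+)(?:\s.*?\bDPT=(?P<dpt>\d+))?"
)


@dataclass(frozen=True)
class Record:
    ts: str
    host: str            # "filter" (border router) or "fw" (inner firewall), assumed names
    action: str          # DROP or ACCEPT
    src: str
    dst: str
    proto: str
    dport: Optional[int]  # None for protocols without ports (e.g. ICMP)


def parse_log(text: str) -> list:
    """Parse every well-formed line; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        dpt = m.group("dpt")
        records.append(Record(m.group("ts"), m.group("host"), m.group("action"),
                              m.group("src"), m.group("dst"), m.group("proto"),
                              int(dpt) if dpt is not None else None))
    return records


def dropped_ports_by_layer(records):
    """Map src -> host -> set of destination ports that host dropped."""
    out = defaultdict(lambda: defaultdict(set))
    for r in records:
        if r.action == "DROP" and r.dport is not None:
            out[r.src][r.host].add(r.dport)
    return out


def port_scan_sources(records, threshold=5):
    """Sources with at least `threshold` distinct ports dropped by a single device."""
    by_layer = dropped_ports_by_layer(records)
    return sorted(src for src, layers in by_layer.items()
                  if any(len(ports) >= threshold for ports in layers.values()))


def inner_sensor_view(records):
    """(src, dport) pairs a sensor between filter and firewall could have seen.

    Only traffic the filter let through reaches that segment, which in these
    logs is exactly what the firewall recorded (dropped or accepted)."""
    return {(r.src, r.dport) for r in records if r.host == "fw" and r.dport is not None}


def scan_evidence_lost(records):
    """Per source, the number of distinct dropped ports that never got past the filter."""
    seen_inside = inner_sensor_view(records)
    lost = {}
    for src, layers in dropped_ports_by_layer(records).items():
        only_at_filter = {p for p in layers.get("filter", set())
                          if (src, p) not in seen_inside}
        if only_at_filter:
            lost[src] = len(only_at_filter)
    return lost


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOGS)
    print("parsed", len(recs), "records")
    print("port-scan sources from device logs:", port_scan_sources(recs))
    print("distinct probed ports invisible to a sensor behind the filter:",
          scan_evidence_lost(recs))
```

Run as a script it reports that 203.0.113.5 is the only source meeting the scan threshold, and that all eight of its probes were stopped at the filter, so a sensor on the segment between filter and firewall would have logged a single stray packet to 8080 and nothing else; the filter's own log is where the scan is visible.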

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com


