Firewall Wizards mailing list archives
Re: Intrusion Detection
From: "Mark Horn [ Net Ops ]" <mhorn () funb com>
Date: Mon, 20 Apr 1998 13:31:50 -0400
I know that I'm kicking a dead horse, but just one question... Marcus J. Ranum says:
What's interesting in this example (the firewall) is the assumption that your IDS can understand what "correct" behavior of the firewall is. What that means is that you'd be able to invert the firewall's policy, or somehow have an IDS that was coupled to your understanding of what should and should not work through the firewall. That's what I've been calling this "policy-based IDS" stuff: when you know a priori what should and shouldn't happen and look for cases where what shouldn't happen is happening.
Can't this be done with two firewalls in series? Both firewalls would have the same rule set, with one exception. The outer firewall has a default deny rule that simply drops stuff. The inner firewall has a default deny rule that drops stuff and sets off an alarm to the administrators. If the administrators ever get an alarm from the inner firewall, they know that the outer firewall is permitting things it shouldn't, or that the rulesets are out of sync.

This could even be done, crudely, with a router as the outer firewall. This is not, by any means, perfect. But isn't this a rudimentary policy-based IDS?

--
Mark Horn <mhorn () funb com>
PGP Public Key available at: http://www.es.net/hypertext/pgp.html
PGP KeyID/fingerprt: 00CBA571/32 4E 4E 48 EA C6 74 2E 25 8A 76 E6 04 A1 7F C1
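A small model of the two-firewalls-in-series arrangement described in the post above, added here as an illustration; it is not code from the original message or from any product. Both filters are first-match rule lists over a constructed policy (SMTP, HTTP, DNS permitted) that end in an implicit default deny; the outer one drops silently, the inner one drops and records an alarm. Packets, addresses and the "drifted" outer rule are all made up for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp", "udp", ...
    dport: int   # destination port (0 for protocols without ports)

@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any port

    def matches(self, p: Packet) -> bool:
        return (self.proto is None or self.proto == p.proto) and \
               (self.dport is None or self.dport == p.dport)

@dataclass
class Firewall:
    name: str
    rules: list                       # first match wins
    alarm_on_default_deny: bool = False
    alarms: list = field(default_factory=list)

    def accept(self, p: Packet) -> bool:
        for r in self.rules:
            if r.matches(p):
                return r.action == "permit"
        # Falling off the end of the list is the default deny. On the inner
        # box this is the IDS event: the outer box should never have let the
        # packet get this far, so either it is too permissive or the two
        # rulesets have drifted apart.
        if self.alarm_on_default_deny:
            self.alarms.append(
                f"{self.name}: default deny hit by {p.proto}/{p.dport} "
                f"from {p.src} to {p.dst}")
        return False

def run_series(outer: Firewall, inner: Firewall, packets):
    """Traffic crosses the outer firewall first, then the inner one."""
    return [p for p in packets if outer.accept(p) and inner.accept(p)]

# The shared policy (assumed for the example): mail, web and DNS only.
POLICY = [
    Rule("permit", "tcp", 25),
    Rule("permit", "tcp", 80),
    Rule("permit", "udp", 53),
]

# Constructed sample traffic, not real captures.
TRAFFIC = [
    Packet("192.0.2.10", "198.51.100.5", "tcp", 25),
    Packet("192.0.2.11", "198.51.100.5", "tcp", 80),
    Packet("192.0.2.12", "198.51.100.5", "tcp", 23),   # telnet: policy says deny
    Packet("192.0.2.13", "198.51.100.5", "udp", 53),
    Packet("192.0.2.14", "198.51.100.5", "tcp", 139),  # netbios: policy says deny
]

def scenario(outer_rules):
    """Run TRAFFIC through an outer firewall with the given rules and an
    inner firewall carrying the reference POLICY plus the alarming default
    deny. Returns (packets that passed both, inner alarms)."""
    outer = Firewall("outer", list(outer_rules))
    inner = Firewall("inner", list(POLICY), alarm_on_default_deny=True)
    passed = run_series(outer, inner, TRAFFIC)
    return [(p.proto, p.dport) for p in passed], inner.alarms

def in_sync():
    # Identical rulesets: the inner default deny is never reached.
    return scenario(POLICY)

def outer_drifted():
    # A "temporary" telnet permit was added to the outer box only (assumed
    # misconfiguration for the example). The inner box now alarms on it.
    return scenario(POLICY + [Rule("permit", "tcp", 23)])

if __name__ == "__main__":
    for label, fn in (("in sync", in_sync), ("outer drifted", outer_drifted)):
        passed, alarms = fn()
        print(label, "passed:", passed, "alarms:", alarms)
```

The model makes the limits of the scheme visible as well: the inner firewall only ever sees what the outer one let through, so it can detect the outer box being more permissive than the shared policy, but not the reverse, and nothing within the permitted services (an attack over port 80, say) reaches the default-deny rule at all. It also only fires when such traffic actually arrives, so a quiet misconfiguration stays unnoticed until someone probes it.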