Firewall Wizards mailing list archives

Re: Scanner and Firewall?


From: Robert Graham <robert_david_graham () yahoo com>
Date: Tue, 13 Jul 1999 18:24:05 -0700 (PDT)


--- John Nanas <JohnN () review com> wrote:
> do I need scanning software
> in addition to the firewall?  I know that FW-1 has pretty comprehensive
> software (much more than I've taught myself to use, thus far) with all the
> logging, but do I gain something by adding another scanner to the firewall
> box?

The word "scanner" typically implies a product that searches for
vulnerabilities by sending packets at the firewall from another box. (SATAN,
Nessus, nmap, etc.)

I think you are talking about an "intrusion detection system" (IDS). This is a
program that watches network traffic and looks for hacking signatures.

A common misconception is that intrusion-detection-systems (IDS) get their data
from firewalls. While there are some that process firewall logs, generally a log
file is too "processed" to provide good information. IDSs require the original
"raw" traffic in order to operate well. In other words, while you can usually
install an IDS on the same box as the firewall (in which case both watch the
raw traffic), you are probably better off installing it on a separate box that
watches the same wire. A common scenario is an IDS in front of the firewall to
detect attempts, and another IDS behind to detect successful breaches of the
firewall.

As to whether you "gain" something by having an IDS, a study by the Computer
Security Institute (gocsi.com) found that 30% of large companies have had their
firewalls breached. Even if you have a firewall, you typically leave important
services open. The firewall won't detect or block "buffer-overflow" attempts
against those services, but an IDS will detect them.

If you are curious, I explain this in detail in my FAQ at:
http://www.robertgraham.com/pubs/network-intrusion-detection.html#7.4
(bias: I now work for one of the vendors mentioned in the document, Network
ICE).

Rob.
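As an added illustration, not part of Rob's message: the split he describes (a firewall deciding on headers, an IDS inspecting raw payload) and the front/behind sensor placement, in Python. The port policy, the overlong-URI signature threshold, and the sample traffic are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Packet:
    src: str
    dst_port: int
    payload: bytes

# Constructed firewall policy (assumption): only web and SMTP are reachable.
ALLOWED_PORTS = {80, 25}

# Constructed IDS signature (assumption): an HTTP request whose URI is longer
# than this is flagged as a buffer-overflow attempt against the web server.
MAX_URI_LEN = 512

def firewall_permits(pkt: Packet) -> bool:
    """Header-only decision: the firewall never looks inside the payload."""
    return pkt.dst_port in ALLOWED_PORTS

def ids_signature_match(pkt: Packet) -> Optional[str]:
    """Payload inspection: name of the matching signature, or None."""
    if pkt.payload.startswith(b"GET "):
        parts = pkt.payload.split(b" ", 2)
        if len(parts) >= 2 and len(parts[1]) > MAX_URI_LEN:
            return "http-overlong-uri"
    return None

def run_sensors(packets: List[Packet]) -> Tuple[list, list]:
    """Two sensors running the same signature: the one in front of the
    firewall sees every packet (attempts), the one behind sees only what
    the firewall let through (successful breaches of the perimeter)."""
    front, behind = [], []
    for pkt in packets:
        sig = ids_signature_match(pkt)
        if sig is None:
            continue
        front.append((pkt.src, pkt.dst_port, sig))
        if firewall_permits(pkt):
            behind.append((pkt.src, pkt.dst_port, sig))
    return front, behind

# Constructed sample traffic: benign request, overlong URI to an open port,
# and the same overlong URI to a port the firewall blocks.
SAMPLE = [
    Packet("192.0.2.10", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
    Packet("192.0.2.11", 80, b"GET /" + b"A" * 2000 + b" HTTP/1.0\r\n"),
    Packet("192.0.2.12", 8080, b"GET /" + b"A" * 2000 + b" HTTP/1.0\r\n"),
]
```

Running `run_sensors(SAMPLE)` gives two alerts in front of the firewall and one behind it: the firewall silently dropped the attempt against port 8080, but passed the one against the open web port, which only the IDS noticed.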




