Firewall Wizards mailing list archives
RE: Intrusion Detection Systems, Best of breed?
From: "Marcus J. Ranum" <mjr () nfr com>
Date: Mon, 24 Dec 2001 09:01:15 -0500
R. DuFresne wrote:
> These 'external' IDS systems are best put in place to monitor the effectiveness of the perimeter devices, as a last call to arms should something weasel its way past the perimeter.
I like to use the term "attack detection" to describe IDS technologies that are deployed outside of the security perimeter. "Intrusion detection" is when you've set your systems up where they will detect actual intrusions or illicit activities. After all, if it's outside the security perimeter it's in "anything goes" land and it doesn't make sense to treat all the weird traffic as red alert material.

Another thing a lot of folks don't understand when they set their IDS up outside the firewall is that they're still only getting a partial view of the universe of attacks being launched against them. Because of the presence of the firewall (hopefully, anyhow!!) whole types of potential attacks will never be recorded: is that SYN packet aimed at an internal HTTP server an attack, or a probe, or a legitimate query that went astray due to a bad link? You'll never know, because the firewall blocks that traffic at the SYN packet and never lets it develop further. I'm guessing this issue will be addressed in the future by firewalls that redirect denied traffic to honeynet systems that interact with the Bad Guys and allow the IDS capability to analyze more fully developed attacks.

And.... Since I've got you here... Happy holidays to all, from firewall-wizards! :) The list is now 4,274 readers (!!!) Average message volume is about 60%-75% spam (!!!) - this last week, for example, we got _12_ copies of the nigerian bank transfer scam sent at us. I guess we're going on 4 years, now? Anyhow, have a safe and joyous 2002!

mjr.