Firewall Wizards mailing list archives
Re: Intrusion Prevention Firewall
From: Crispin Cowan <crispin () wirex com>
Date: Thu, 04 Apr 2002 13:30:57 -0800
Vern Paxson wrote:
Interesting! I certainly believe that it would lower the attack rate; but so would unplugging the network cable :) The key question is the false positive rate. Is it the case that your Bro IDS scripts are not generating false positives? Or that your users don't mind so much if a legitimate session gets killed? Or a compromise, where the proactive session-killing is only connected to IDS scripts that have particularly low false positives?

But beware: as soon as you hook your IDS to an access control mechanism, so that when the IDS detects something it closes off access, what you have just done is build a flakey access control policy. If you thought the costs of managing IDSs were high, wait until you try this :)

The counterpoint: this can be very powerful, depending on your IDS. At LBL, Bro drops various forms of hostile activity automatically, and we find that it makes a *big* difference in lowering the break-in rate (which we know because we see how the rate goes up when the reactive system is turned off).
Thanks,
Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards