IDS/IPS and LOGS

["Hawkins, Michael" <MHawkins () TULLIB COM>]

A few cents on IDS/IPS and Logs:

IDS is great at identifying which previously discovered and quantified
nasty behavior is happening on your network (where your network is
either inside, outside or DMZ). But it doesn't give you much when you
encounter something new and unknown (day zero). And there are more of
these day zero attacks coming along all the time.

IPS is also great at blocking many Internet attacks but it has limited
use on the outside (your Internet attachment) because if anyone wises up
to the fact that you have an IPS in place then a spoofed attack could
easily turn your IPS into a big denial of service attack. IPS is best
used inside your network where you know that bad traffic is always bad
traffic and it isn't a spoofed DoS attack.

On the subject of log analysis:

My guess is that most of the Worlds firewalls and IDS/IPS only have half
of their capabilities ever put into use. Heck, I just realized that one
of our firewall pairs has been running for two years without the onboard
encryption hardware turned on! But I digress. The point is this, every
day you as the security practitioner should be checking your firewall
and IDS/IPS logs and developing another rule or two to add that will
reduce logging for traffic you know is not important. Then add that rule
into your change control process, document it and implement it. Now
you're one step closer to a log that actually has only the bad stuff in
it. Now do this every day and within a very short time you will be
looking at smaller logs that actually mean something.

I have been looking at SEM for some time and they all lack one important
piece - a simple, easy interface for developing and deploying filters.

But, the biggest catch to all of this is that you actually must have a
real security policy. But, the policy must live and breathe and grow in
such a way as to not impact the business - much. It must evolve year on
year, each time bringing more controls and closer scrutiny to all paths
and byways in your network. Just make sure you have well integrated
systems and processes so that you don't become the choke point for every
single infrastructure request that happens within your company.

Mike Hawkins

New York Office: 212-208-3888

White Plains Office: 914-729-2790

Mobile: 917-887-3614

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Adrian
Grigorof
Sent: Thursday, February 02, 2006 11:01 PM
To: firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] parsing logs ultra-fast inline

What do we want to know?

http://www.eventid.net/firewalls/MostPopularReports.asp

The compilation of the most popular reports that we would like to see
after
a firewall (or other similar device) log analysis - from a thread
initiated
by mjr in the Log Analysis mailing list.

I noticed that there is a big emphasis on log parsing while there should
be
more discussions about the interpretation of the log parsing results.
I've
worked with logs from quite a few types of firewalls but parsing them
has
never been the problem. Yes, is a tedious, frustrating job but a rather
easy
one in comparison with the task of "programmatically" interpreting their
meaning. Take Tina's VPN example - how many types of log entries you
would
expect from a VPN concentrator? From my experience, not more than 20 but
let's assume there are 50. Give a sample from each entry to a Perl
programmer and you will have the parsing script done in a day or two. So
now
you have the data, but what are doing with it? What is relevant to a VPN
administrator? Even a seasoned security professional would appreciate
some
"conclusions" that a reporting tool would provide from the data in the
logs.

That being said, I agree that when you have to analyze 100 GB worth of
logs,
parsing them becomes a (big) problem and you need to optimize as much as
possible. Actually, a "mere" 1 GB log is a show stopper for many
analyzers
on the market.

Regards,

Adrian Grigorof
Altair Technologies
www.altairtech.ca
www.eventid.net


----- Original Message ----- 
From: "Tina Bird" <tbird () precision-guesswork com>
To: "'Marcus J. Ranum'" <mjr () ranum com>;
<firewall-wizards () honor icsalabs com>
Sent: Thursday, February 02, 2006 13:21
Subject: RE: [fw-wiz] parsing logs ultra-fast inline


marcus has been sufficiently saying what i do that i've not felt obliged
to
participate in this thread, until finally:

> -----Original Message-----
> From: Marcus J. Ranum [mailto:mjr () ranum com]
> Sent: Wednesday, February 01, 2006 1:04 PM
> To: firewall-wizards () honor icsalabs com
> Subject: [fw-wiz] parsing logs ultra-fast inline

[...]

WHAT DO YOU WANT TO KNOW?

so f'r instance, imagine i've landed in a new job at a company without a
centralized logging infrastructure. the network is the usual
conglomeration
of file servers, mail, web stuff, firewalls, routers, remote access. and
databases, of course. and some custom code. i'd go MAD if i tried to
build
the uber-logging facility all in one go.

[...]

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
The information contained in this email is confidential and may also contain privileged information. Sender does not 
waive confidentiality or legal privilege. If you are not the intended recipient please notify the sender immediately; 
you should not retain this message or disclose its content to anyone.
Internet communications are not secure or error free and the sender does not accept any liability for the content of 
the email. Although emails are routinely screened for viruses, the sender does not accept responsibility for any damage 
caused. Replies to this email may be monitored.
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards