Firewall Wizards mailing list archives

RE: RE: IDS (was: FW appliance comparison)


From: "Kendrick, Don" <Don.Kendrick () vita virginia gov>
Date: Wed, 25 Jan 2006 09:59:54 -0500

On Tue, Jan 24, 2006 at 11:38:52AM +0700, Ben Nagy wrote:

That's the main reason why I don't like IDSs. A default deny policy 
combined with "log everything" achieves just the same.

And

On Tue, 24 Jan 2006, Patrick M. Hausen wrote:
I think that there's a place and a use for IDS - but if your network is
small enough that running log everything won't bog down your
firewall(s), then - well - maybe they're not for you.

Are we forgetting one of the main reasons I believe IDS are valuable (or
was this point made earlier in the thread and I didn't catch it)? Being
an old timer, "Defense in Depth" easily comes to mind. Your firewall is
a device on the network, right? As such, heaven forbid, it might get
hacked. What will give you a clue if it does?

Maybe an IDS that is specifically tuned to alert on traffic that should
never happen? Borrowing from another current thread, let's say hopefully
that you do not allow X-windows traffic in from the outside. Of course
your firewall would block it and log it, but wouldn't it be nice to know
if the firewall ever responded to a SYN with a SYN-ACK?

I agree we don't need the IDS to tell us what we should already know
from the firewall. And we might not need to know about the newest worm
signature from an IDS. But I would sure be interested if I saw responses
to any of these "bad" things or these "bad" things outbound. Goes back
to "know your traffic."  It's tough but it's the only way.

Someone a long time ago said think of a firewall as the perimeter alarm
and locks, think of IDS as motion detector. I think that is still valid.

Don 
"Keep your arms and hands inside the car and enjoy your ride..." 
"Using encryption on the Internet is the equivalent of arranging an
armored car to deliver credit card information from someone living in a
cardboard box to someone living on a park bench." - Gene Spafford

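
The "traffic that should never happen" check Don describes, as an added example that is not part of the original post or the thread: a small detector that reads tcpdump-style lines and alerts when the firewall's outside address answers a SYN with a SYN-ACK on a port the policy says is blocked (X11 is the case from the thread), or when an inside host initiates such a connection outbound. Inbound SYNs to blocked ports are deliberately not alerted on, since the firewall already logs those. The firewall address, inside network, port list and the capture lines are all constructed assumptions for illustration.

```python
"""Added example, not code from the post: a 'should never happen' detector."""
import re
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Iterable, List, Optional

# Assumed layout for the example (not from the post): the firewall's outside
# address and the inside network it protects.
FIREWALL_OUTSIDE = ip_address("203.0.113.10")
INSIDE = ip_network("10.0.0.0/8")

# Ports the policy says are never accepted inbound and never initiated outbound.
# X11 (6000-6063) is the case raised in the thread; the others are illustrative.
NEVER_PORTS = set(range(6000, 6064)) | {23, 135, 139, 445}

# Matches the head of a "tcpdump -n" TCP line, e.g.
# "12:00:05.000002 IP 203.0.113.10.6000 > 198.51.100.7.41235: Flags [S.], ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


@dataclass(frozen=True)
class Packet:
    ts: str
    src: IPv4Address
    sport: int
    dst: IPv4Address
    dport: int
    flags: str  # tcpdump notation: "S" = SYN, "S." = SYN-ACK, "R." = RST-ACK


@dataclass(frozen=True)
class Alert:
    rule: str
    packet: Packet

    def __str__(self) -> str:
        p = self.packet
        return f"{p.ts} {self.rule}: {p.src}:{p.sport} -> {p.dst}:{p.dport} [{p.flags}]"


def parse_line(line: str) -> Optional[Packet]:
    """Parse one tcpdump line; return None for lines that are not TCP."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return Packet(
        ts=m["ts"],
        src=ip_address(m["src"]), sport=int(m["sport"]),
        dst=ip_address(m["dst"]), dport=int(m["dport"]),
        flags=m["flags"],
    )


def is_outside(addr: IPv4Address) -> bool:
    return addr not in INSIDE and addr != FIREWALL_OUTSIDE


def check_packet(p: Packet) -> Optional[Alert]:
    """Rules for traffic that should never happen if the firewall is intact.

    Inbound SYNs to blocked ports are NOT alerted: the firewall already logs
    those, and the IDS need not repeat what the firewall already tells us.
    """
    # 1. The firewall's outside address completed a handshake (SYN-ACK) with an
    #    outside host on a port the policy says is blocked.
    if (p.src == FIREWALL_OUTSIDE and p.flags == "S."
            and p.sport in NEVER_PORTS and is_outside(p.dst)):
        return Alert("fw-synack-on-blocked-port", p)
    # 2. Something behind (or on) the firewall initiated an outbound connection
    #    to a blocked port on an outside host.
    if ((p.src in INSIDE or p.src == FIREWALL_OUTSIDE) and p.flags == "S"
            and p.dport in NEVER_PORTS and is_outside(p.dst)):
        return Alert("outbound-syn-to-blocked-port", p)
    return None


def detect(lines: Iterable[str]) -> List[Alert]:
    alerts: List[Alert] = []
    for line in lines:
        p = parse_line(line)
        if p is not None:
            a = check_packet(p)
            if a is not None:
                alerts.append(a)
    return alerts


# Constructed sample capture (not real traffic). Line 1 is a probe the firewall
# should drop or reset; line 4 is the firewall answering a probe with a SYN-ACK;
# line 5 is an inside host opening X11 outbound. Lines 6 and 7 are normal HTTPS.
SAMPLE = """\
12:00:01.000001 IP 198.51.100.7.41234 > 203.0.113.10.6000: Flags [S], seq 100, win 64240, length 0
12:00:01.000002 IP 203.0.113.10.6000 > 198.51.100.7.41234: Flags [R.], seq 0, ack 101, win 0, length 0
12:00:05.000001 IP 198.51.100.7.41235 > 203.0.113.10.6000: Flags [S], seq 200, win 64240, length 0
12:00:05.000002 IP 203.0.113.10.6000 > 198.51.100.7.41235: Flags [S.], seq 300, ack 201, win 65535, length 0
12:00:09.000001 IP 10.1.2.3.51000 > 198.51.100.9.6001: Flags [S], seq 400, win 64240, length 0
12:00:10.000001 IP 10.1.2.3.51001 > 198.51.100.9.443: Flags [S], seq 500, win 64240, length 0
12:00:11.000001 IP 203.0.113.10.443 > 198.51.100.9.51002: Flags [S.], seq 600, ack 1, win 65535, length 0
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE.splitlines()):
        print(alert)
```

Run against the constructed capture it reports exactly two events: the SYN-ACK from 203.0.113.10:6000 and the outbound SYN from 10.1.2.3 to port 6001. The rule set is the point, not the parser: it encodes what the firewall policy says can never occur, so a hit means either the policy is not what you think or the firewall is no longer enforcing it.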


-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Cat
Okita
Sent: Tuesday, January 24, 2006 7:49 PM
To: Patrick M. Hausen
Cc: Ben Nagy; 'Paul D. Robertson'; firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] RE: IDS (was: FW appliance comparison)

On Tue, 24 Jan 2006, Patrick M. Hausen wrote:
On Tue, Jan 24, 2006 at 11:38:52AM +0700, Ben Nagy wrote:

What's your preferred method for noticing this stuff? (I'm certainly 
not being sarcastic here)

Your firewall doesn't trigger an alarm for every event that's denied 
by policy?

That's the main reason why I don't like IDSs. A default deny policy 
combined with "log everything" achieves just the same.

*blink* You don't bog down your firewall to the point of being unuseable
doing that?!?

I think that there's a place and a use for IDS - but if your network is
small enough that running log everything won't bog down your
firewall(s), then - well - maybe they're not for you.

cheers!
==========================================================================
"A cat spends her life conflicted between a deep, passionate and
profound desire for fish and an equally deep, passionate and profound
desire to avoid getting wet.  This is the defining metaphor of my life
right now."
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

