Firewall Wizards mailing list archives
RE: RE: IDS (was: FW appliance comparison)
From: "Kendrick, Don" <Don.Kendrick () vita virginia gov>
Date: Wed, 25 Jan 2006 09:59:54 -0500
On Tue, Jan 24, 2006 at 11:38:52AM +0700, Ben Nagy wrote:

> That's the main reason why I don't like IDSs. A default deny policy combined with "log everything" achieves just the same.

And On Tue, 24 Jan 2006, Patrick M. Hausen wrote:

> I think that there's a place and a use for IDS - but if your network is
> small enough that running log everything won't bog down your firewall(s), then - well - maybe they're not for you.

Are we forgetting one of the main reasons I believe IDS are valuable (or was this point made earlier in the thread and I didn't catch it)?

Being an old timer, "Defense in Depth" easily comes to mind. Your firewall is a device on the network, right? As such, heaven forbid, it might get hacked. What will give you a clue if it does? Maybe an IDS that is specifically tuned to alert on traffic that should never happen?

Borrowing from another current thread, let's say hopefully that you do not allow X-windows traffic in from the outside. Of course your firewall would block it and log it, but wouldn't it be nice to know if the firewall ever responded to a SYN with a SYN-ACK?

I agree we don't need the IDS to tell us what we should already know from the firewall. And we might not need to know about the newest worm signature from an IDS. But I would sure be interested if I saw responses to any of these "bad" things, or these "bad" things outbound.

Goes back to "know your traffic." It's tough but it's the only way. Someone a long time ago said think of a firewall as the perimeter alarm and locks, think of IDS as motion detector. I think that is still valid.

Don

"Keep your arms and hands inside the car and enjoy your ride..."

"Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit card information from someone living in a cardboard box to someone living on a park bench." - Gene Spafford

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Cat Okita
Sent: Tuesday, January 24, 2006 7:49 PM
To: Patrick M. Hausen
Cc: Ben Nagy; 'Paul D. Robertson'; firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] RE: IDS (was: FW appliance comparison)

On Tue, 24 Jan 2006, Patrick M. Hausen wrote:

> On Tue, Jan 24, 2006 at 11:38:52AM +0700, Ben Nagy wrote:
>
> > What's your preferred method for noticing this stuff? (I'm certainly not being sarcastic here)
>
> Your firewall doesn't trigger an alarm for every event that's denied by policy? That's the main reason why I don't like IDSs. A default deny policy combined with "log everything" achieves just the same.

*blink* You don't bog down your firewall to the point of being unuseable doing that?!?

I think that there's a place and a use for IDS - but if your network is small enough that running log everything won't bog down your firewall(s), then - well - maybe they're not for you.

cheers!

"A cat spends her life conflicted between a deep, passionate and profound desire for fish and an equally deep, passionate and profound desire to avoid getting wet. This is the defining metaphor of my life right now."
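The "traffic that should never happen" check Don describes, as an added example that is not part of the thread: a detector fed packet summaries from a sensor on the outside of the firewall. The address range, the denied-service list and the sample packets are constructed for illustration; the detector alerts when a denied service (X11 on 6000, for instance) answers with a SYN-ACK, or when an inside host tries to reach such a service outbound.

```python
# Added example, not from the mailing list post. Watches packets as seen from
# OUTSIDE the firewall and flags what a default-deny policy says can never occur.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed: our address space as the outside sensor sees it (firewall included).
OUR_SIDE = ipaddress.ip_network("192.0.2.0/24")
# Hypothetical policy: services that must never be reachable from the outside.
DENIED_INBOUND = {6000: "X11", 23: "telnet", 445: "smb"}


@dataclass
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags, e.g. "S" (SYN), "SA" (SYN-ACK)


def is_ours(ip: str) -> bool:
    return ipaddress.ip_address(ip) in OUR_SIDE


def check(pkt: Pkt) -> Optional[str]:
    """Return an alert for a packet that should never happen, else None."""
    leaving = is_ours(pkt.src) and not is_ours(pkt.dst)
    # Case 1: a SYN-ACK leaving our side from a denied service port. The firewall
    # should have dropped the SYN, so an answer means something accepted it.
    if leaving and pkt.flags == "SA" and pkt.sport in DENIED_INBOUND:
        return f"SYN-ACK for denied service {DENIED_INBOUND[pkt.sport]} from {pkt.src}:{pkt.sport} to {pkt.dst}"
    # Case 2: the "bad thing" outbound: an inside host opening a connection
    # to one of the denied services on the outside.
    if leaving and pkt.flags == "S" and pkt.dport in DENIED_INBOUND:
        return f"outbound {DENIED_INBOUND[pkt.dport]} attempt from {pkt.src} to {pkt.dst}:{pkt.dport}"
    return None


def scan(pkts: List[Pkt]) -> List[str]:
    return [a for a in map(check, pkts) if a]


# Constructed sample: an outside SYN to X11 (expected, the firewall logs and drops it),
# a SYN-ACK coming back (should never happen), normal HTTPS out, and telnet out.
SAMPLE = [
    Pkt("198.51.100.7", 40001, "192.0.2.1", 6000, "S"),
    Pkt("192.0.2.1", 6000, "198.51.100.7", 40001, "SA"),
    Pkt("192.0.2.10", 51000, "203.0.113.5", 443, "S"),
    Pkt("192.0.2.10", 51001, "203.0.113.9", 23, "S"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print("ALERT:", alert)
```

The inbound SYN itself is deliberately not alerted on: the firewall already logs that, and the point is to catch only the response or the outbound attempt.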
Current thread:
- RE: RE: IDS (was: FW appliance comparison) Kendrick, Don (Jan 25)
- Re: RE: IDS (was: FW appliance comparison) chris (Jan 25)