Firewall Wizards mailing list archives

RE: FW appliance comparison - Seeking input for the forum


From: "Paul Melson" <pmelson () gmail com>
Date: Wed, 18 Jan 2006 15:27:20 -0500

-----Original Message-----
Subject: Re: [fw-wiz] FW appliance comparison - Seeking input for the forum

Why would you want a signature based IDS at all? They don't work.
Period. Enumerating badness is a silly idea.

Sure they do.  The premise may be flawed, but the technology works, even if
it falls into the "better than nothing" category.  They're smoke detectors
for a small subset of possible fires.  Using one is still better than
letting the house burn to the ground each and every time there's a fire.


Develop a policy that explicitly defines every kind of network traffic
that is to be allowed to pass your perimeter. Application X using a "proprietary
protocol"? Sorry, not allowed.

See my previous post.  Just because you enforce HTTP over TCP/80 with a
proxy doesn't mean you're keeping all of the garbage out... or in.  Not to
mention that there are plenty of standard, known protocols out there (think
SQL protocols) that lack a good proxy to manage the actual behavior of the
connections that cross them.


Then use a firewall that only passes what is explicitly allowed and raises
an alarm for everything that isn't.
*Boom* as Steve Jobs would probably put it. Instant heuristic proactive
unknown and future attack aware IDS.

And without packet payload data, those alerts border on useless.  Not to
mention that the real bad guys are tunneling across the allowed ports while
you sleep.

PaulM
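The two positions in this exchange, side by side, as an added illustration that is not part of the original message: a default-deny port policy over constructed flow records, whose alerts carry header fields only, next to a payload check on the allowed TCP/80 flows that catches a non-HTTP session riding the open port. The allowlist, flow records and payload bytes are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes   # first client bytes, as a payload-capturing sensor would see them

# Constructed allowlist: anything not listed is dropped and alerted on.
ALLOWED = {("tcp", 80), ("tcp", 443), ("tcp", 25)}

def policy_alerts(flows):
    """Packet-filter view: alert on every flow outside the allowlist.
    A packet filter logs header fields only, so that is all the alert holds."""
    return [{"src": f.src, "dst": f.dst, "proto": f.proto, "dport": f.dport}
            for f in flows if (f.proto, f.dport) not in ALLOWED]

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")

def looks_like_http(payload: bytes) -> bool:
    """Crude check: does the client's first line start with an HTTP method?"""
    return payload.startswith(HTTP_METHODS)

def payload_alerts(flows):
    """Proxy/IDS view: among flows the policy already allowed, flag TCP/80
    sessions whose first bytes are not an HTTP request (a tunnel on the open port)."""
    return [{"src": f.src, "dst": f.dst, "reason": "non-HTTP on tcp/80"}
            for f in flows
            if (f.proto, f.dport) in ALLOWED and f.dport == 80
            and not looks_like_http(f.payload)]

# Constructed sample traffic: one normal web request, one blocked IRC connection,
# and one SSH session tunnelled over the allowed web port.
SAMPLE = [
    Flow("10.0.0.5", "192.0.2.10", "tcp", 80, b"GET / HTTP/1.1\r\nHost: example\r\n"),
    Flow("10.0.0.7", "198.51.100.3", "tcp", 6667, b"NICK bot\r\n"),
    Flow("10.0.0.9", "203.0.113.8", "tcp", 80, b"SSH-2.0-OpenSSH_5.1\r\n"),
]

if __name__ == "__main__":
    print("policy alerts (header only):", policy_alerts(SAMPLE))
    print("payload alerts on allowed flows:", payload_alerts(SAMPLE))
```

The port policy alone sees the IRC flow but stays silent on the SSH-over-80 session; only the payload check on allowed traffic surfaces it, which is the gap both replies above are arguing about.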


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

