Firewall Wizards mailing list archives
RE: IDS (was: FW appliance comparison)
From: "Ben Nagy" <ben () iagu net>
Date: Tue, 24 Jan 2006 11:38:52 +0700
Hi Paul, Devdas!
-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Paul D. Robertson

> [...]
> [Devdas]
> > Things change. IDS help detect unexpected changes.
> [...]
> > For instance, seeing traffic destined to port 25 from an unexpected host is a good event to trigger IDS events. Even when your firewall blocks this traffic, the log analysis of firewall logs and DHCP logs should catch potential malicious traffic and possible further investigation.

This sounds sensible to me. Same for any protocol that detects as TFTP, IRC from unauthorised hosts etc etc.

> [Paul]
> If you mean "unexpected internal host" then again, I'll say that there's likely been a larger policy or implementation failure. It doesn't take on-the-wire sniffing to see something new trying to relay through the relay host on my network.

What's your preferred method for noticing this stuff? (I'm certainly not being sarcastic here) If an internal host is trying to reach port 25 on an external host (or even a non-mailserver on the inside) then how do you suggest that should be detected? The firewall deny logs will catch the outbound traffic, but now we're talking log analysis tools or SIM products to pull the data. What about the internal traffic from trusted host -> trusted host?

> [...]
> > Done right, a good firewall and IDS combination should not need to be updated very often.
>
> That's certainly a different line than most IDS vendors or IDS proponents use. Normally I see "the new IDS signature can detect that!" bandied about.
Yeah, it probably _is_ a different line, but it doesn't mean it's not a sensible one.

I saw a cool thing once, with a guy using MRTG as his 'IDS'. He monitored the network but didn't have control over the servers (academics did *shudder*). Every time one of the servers would be owned, the outbound traffic would spike, because people used them to serve warez. So, any time he saw an MRTG spike he'd go check out the server, work out why it got owned and tell people to fix it up. Dumb security? Hell yeah, the owners should have just kept the things hardened, but it's still a great illustration of the principle.

Even with no attack signatures at all, couldn't an IDS still be useful? Perhaps even more useful, since it would cut down the noise... I think there are actually products out there that do this using connection tuples to construct some sort of graph and using some wacky fuzzy isomorphic analysis, but they probably don't call themselves IDS.

I think I'm with Devdas - personally, the only time I'd deploy an IDS is with all the attack signatures turned off and rules set up to flag unexpected source / dest connections. All the rest seems to be a product of the human quest for useless knowledge.

Cheers,
ben
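As an added example (not code from the thread or from any of its posters), the script below does what Ben describes at the end of his message: no attack signatures, just a policy of expected source/destination pairs applied to firewall log lines (outbound port 25 from anything but the relay host, plus TFTP and IRC from anywhere inside), and alongside it an MRTG-style check that flags an interval whose outbound volume jumps well above the host's own baseline. The log line format, the addresses, the relay host and the byte counts are all constructed for the example and are not from the thread.

```python
"""
Signature-free "IDS" in the spirit of the thread: flag unexpected
source/destination connections from firewall logs, and flag outbound
volume spikes the way an MRTG graph would show them.
All input below is constructed sample data.
"""
import re
from statistics import mean

# Constructed sample firewall log (hypothetical format: ACTION SRC DST DPORT BYTES).
FIREWALL_LOG = """\
ALLOW 10.0.0.5  203.0.113.10 25   2048
DENY  10.0.0.42 198.51.100.7 25   512
ALLOW 10.0.0.42 10.0.0.5     25   1024
ALLOW 10.0.0.17 10.0.0.5     25   900
ALLOW 10.0.0.23 198.51.100.9 6667 300
ALLOW 10.0.0.23 10.0.0.99    69   200
ALLOW 10.0.0.5  203.0.113.11 443  4000
"""

# Policy of expected talkers: port -> set of internal sources allowed to use it.
# Only the relay host may send mail outbound; everyone inside may submit to the
# relay. IRC (6667) and TFTP (69) are expected from nowhere, so any use is news.
RELAY_HOST = "10.0.0.5"
POLICY = {
    25: {RELAY_HOST},
    6667: set(),
    69: set(),
}

LINE_RE = re.compile(r"^(ALLOW|DENY)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)$")


def parse(log_text):
    """Parse the constructed log format into (action, src, dst, port, bytes)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the expected format
        action, src, dst, port, nbytes = m.groups()
        events.append((action, src, dst, int(port), int(nbytes)))
    return events


def unexpected_connections(events):
    """Return (src, dst, port, action) for every flow that violates POLICY.

    Denied flows are reported as well: the firewall already stopped them,
    but the attempt itself is the signal worth investigating."""
    alerts = []
    for action, src, dst, port, _ in events:
        if port not in POLICY:
            continue  # the policy says nothing about this port
        if port == 25 and dst == RELAY_HOST:
            continue  # internal submission to the relay host is expected
        if src not in POLICY[port]:
            alerts.append((src, dst, port, action))
    return alerts


# Constructed per-interval outbound volume (MB) for one server: a quiet
# baseline followed by the kind of spike a warez-serving box produces.
OUTBOUND_MB = [12, 15, 11, 14, 13, 90, 120, 14]


def spike_intervals(samples, factor=3.0, warmup=4):
    """Flag intervals whose volume exceeds `factor` times the mean of the
    intervals accepted as baseline so far. Flagged intervals are kept out
    of the baseline so a long spike does not normalise itself. Returns the
    indexes of flagged intervals."""
    flagged = []
    baseline_samples = []
    for i, value in enumerate(samples):
        if len(baseline_samples) >= warmup:
            if value > factor * mean(baseline_samples):
                flagged.append(i)
                continue
        baseline_samples.append(value)
    return flagged


if __name__ == "__main__":
    for src, dst, port, action in unexpected_connections(parse(FIREWALL_LOG)):
        print(f"unexpected: {src} -> {dst}:{port} ({action})")
    for i in spike_intervals(OUTBOUND_MB):
        print(f"volume spike in interval {i}: {OUTBOUND_MB[i]} MB")
```

Run as-is it reports the denied outbound SMTP attempt from 10.0.0.42, the IRC and TFTP flows from 10.0.0.23, and the two spiking intervals; the allowed internal submissions to the relay host and the relay's own outbound mail produce nothing, which is the point of encoding the expected pairs rather than signatures.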