Firewall Wizards mailing list archives
Re: FW appliance comparison - Seeking input for the forum
From: Christine Kronberg <Christine_Kronberg () genua de>
Date: Tue, 24 Jan 2006 11:29:40 +0100 (CET)
On Sun, 22 Jan 2006, Devdas Bhagat wrote:
On 20/01/06 10:00 -0500, Paul D. Robertson wrote:
*snip*
Again, this assumes that your policy implementation allows attacks to traverse your infrastructure *or* that you're wasting the organization's time passing around reports about how many times NIMDA tried to attack your Solaris box.
Things change. IDS help detect unexpected changes. Again, IMHO, an IDS also has a host based component which looks at (ab)normal statistics for host traffic. A sudden increase in traffic or decrease can be interesting events.
Can. Admitted. It can also mean that the holidays are over and people are back to work. You think of anomaly detection, don't you? But how solid is that art?
For instance, seeing traffic destined to port 25 from an unexpected host is a good event to trigger IDS events. Even when your firewall blocks this traffic, the log analysis of firewall logs and DHCP logs should catch potential malicious traffic and possible further investigation.
Why do I need the IDS for something like that? If an internal (external for that instance) is doing something funny and is blocked at my firewall, the firewall tells me. That is what logfiles are for. Why do I need an IDS to tell me what my firewall already told me? I found IDS pretty useful to locate misconfigured devices in networks. But that brings back the topic about the implemented policies and whether or not they are watched.
Cheers,
Chris Kronberg.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
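The log analysis discussed in this message (blocked port 25 traffic from a host that is not a mail relay, matched against DHCP logs to find which machine held the address at the time), as an added example that is not part of either poster's text. Both log line formats, all addresses and host names, and the `MAIL_RELAYS` allowlist are constructed assumptions, not the output of any real firewall or DHCP server.

```python
import re
from datetime import datetime

# Constructed sample data; both log formats are hypothetical.
MAIL_RELAYS = {"10.0.0.25"}  # hosts expected to send SMTP (assumption)

FIREWALL_LOG = """\
2006-01-24T09:00:01 DENY tcp 10.0.1.57:1034 -> 192.0.2.10:25
2006-01-24T09:00:02 ALLOW tcp 10.0.0.25:40112 -> 192.0.2.10:25
2006-01-24T09:00:05 DENY tcp 10.0.1.57:1035 -> 198.51.100.7:25
2006-01-24T09:01:10 DENY tcp 10.0.1.80:2200 -> 192.0.2.10:80
2006-01-24T11:30:00 DENY tcp 10.0.1.57:1100 -> 203.0.113.9:25
"""

DHCP_LOG = """\
2006-01-24T08:15:00 LEASE 10.0.1.57 00:11:22:33:44:55 laptop-a
2006-01-24T08:20:00 LEASE 10.0.1.80 00:11:22:33:44:66 printer-2
2006-01-24T10:45:00 LEASE 10.0.1.57 00:aa:bb:cc:dd:ee laptop-b
"""

FW_RE = re.compile(r"(\S+) (\w+) tcp ([\d.]+):\d+ -> ([\d.]+):(\d+)")

def parse_leases(text):
    """Return {ip: [(lease_start, mac, hostname), ...]}."""
    leases = {}
    for line in text.splitlines():
        ts, _, ip, mac, name = line.split()
        leases.setdefault(ip, []).append((datetime.fromisoformat(ts), mac, name))
    return leases

def holder_at(leases, ip, when):
    """Most recent lease for ip that started at or before `when`, else None."""
    current = None
    for start, mac, name in sorted(leases.get(ip, [])):
        if start <= when:
            current = (mac, name)
    return current

def unexpected_smtp(fw_text, dhcp_text, relays=MAIL_RELAYS):
    """Count port-25 attempts per (src ip, mac, hostname) from non-relay hosts."""
    leases, hits = parse_leases(dhcp_text), {}
    for m in map(FW_RE.match, fw_text.splitlines()):
        if not m or m.group(5) != "25" or m.group(3) in relays:
            continue
        when = datetime.fromisoformat(m.group(1))
        mac, name = holder_at(leases, m.group(3), when) or ("unknown", "unknown")
        key = (m.group(3), mac, name)
        hits[key] = hits.get(key, 0) + 1
    return hits
```

In the sample data the address 10.0.1.57 changes hands between the morning and midday attempts, so grouping by IP alone would merge two different machines into one finding.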