Firewall Wizards mailing list archives

Re: FW appliance comparison - Seeking input for the forum


From: Christine Kronberg <Christine_Kronberg () genua de>
Date: Tue, 24 Jan 2006 11:29:40 +0100 (CET)

On Sun, 22 Jan 2006, Devdas Bhagat wrote:
On 20/01/06 10:00 -0500, Paul D. Robertson wrote:

*snip*

Again, this assumes that your policy implementation allows attacks to
traverse your infrastructure *or* that you're wasting the organization's
time passing around reports about how many times NIMDA tried to attack
your Solaris box.

Things change. IDS help detect unexpected changes. Again, IMHO, an IDS
also has a host based component which looks at (ab)normal statistics for
host traffic. A sudden increase in traffic or decrease can be
interesting events.

  Can. Admitted. It can also mean that the holidays are over and people
  are back to work. You think of anomaly detection, don't you? But
  how solid is that art?

For instance, seeing traffic destined to port 25 from an unexpected host
is a good event to trigger IDS events. Even when your firewall blocks
this traffic, the log analysis of firewall logs and DHCP logs should
catch potential malicious traffic and possible further investigation.

  Why do I need the IDS for something like that? If an internal (external
  for that instance) is doing something funny and is blocked at my
  firewall, the firewall tells me. That is what logfiles are for. Why do I
  need an IDS to tell me what my firewall already told me?

  I found IDS pretty useful to locate misconfigured devices in networks.
  But that brings back the topic about the implemented policies and
  whether or not they are watched.

  Cheers,

  Chris Kronberg.
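The kind of log-driven check the thread is arguing about (an unexpected host sending to port 25, caught from the firewall log and attributed to a machine via the DHCP log, with no IDS involved), as an added example that is not part of the mailing-list discussion. The firewall and DHCP log lines are constructed for this example in a simplified iptables-style and dhcpd-style format, and the allowlist of permitted SMTP sources (the organisation's mail relays) is an assumed value; both would be adapted to the devices actually in use.

```python
"""Flag unexpected SMTP senders in firewall logs and attribute them via DHCP leases.

Added example, not code from the thread. The log formats below are constructed
for this example (simplified iptables-style firewall lines and dhcpd-style
lease lines); adjust the regexes to your own devices.
"""
import re
from collections import defaultdict

# Constructed sample firewall log lines (iptables-like; not a real capture).
FIREWALL_LOG = """\
Jan 24 09:12:01 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=198.51.100.7 PROTO=TCP SPT=4211 DPT=25
Jan 24 09:12:03 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.1.10 DST=198.51.100.7 PROTO=TCP SPT=51234 DPT=25
Jan 24 09:12:05 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=203.0.113.9 PROTO=TCP SPT=4212 DPT=25
Jan 24 09:12:07 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.5.40 DST=203.0.113.9 PROTO=TCP SPT=4400 DPT=443
Jan 24 09:12:09 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.5.41 DST=192.0.2.55 PROTO=TCP SPT=4401 DPT=25
"""

# Constructed sample DHCP server log lines (dhcpd-like; not a real capture).
DHCP_LOG = """\
Jan 24 08:55:10 dhcp dhcpd: DHCPACK on 10.0.5.23 to 00:11:22:33:44:55 (laptop-jsmith) via eth0
Jan 24 08:57:42 dhcp dhcpd: DHCPACK on 10.0.5.40 to 00:11:22:33:44:66 (desk-mueller) via eth0
Jan 24 08:58:01 dhcp dhcpd: DHCPACK on 10.0.5.41 to 00:11:22:33:44:77 via eth0
"""

# Hosts permitted to speak SMTP outbound: the organisation's mail relays.
# Assumed value for this example.
ALLOWED_SMTP_SOURCES = {"10.0.1.10"}

FW_RE = re.compile(
    r"(?P<action>ACCEPT|DROP) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)
DHCP_RE = re.compile(r"DHCPACK on (?P<ip>\S+) to (?P<mac>\S+)(?: \((?P<host>[^)]+)\))?")


def parse_dhcp_leases(text):
    """Map IP -> (mac, hostname or None) from DHCPACK lines; the last lease wins."""
    leases = {}
    for line in text.splitlines():
        m = DHCP_RE.search(line)
        if m:
            leases[m.group("ip")] = (m.group("mac"), m.group("host"))
    return leases


def find_unexpected_smtp(fw_text, dhcp_text, allowed=ALLOWED_SMTP_SOURCES, port=25):
    """Return {src_ip: {"mac", "host", "attempts", "dropped", "accepted"}} for
    every source other than the allowed relays that tried to reach `port`.

    Dropped and accepted events are both reported: a DROP shows the policy
    held (and points at a misconfigured or compromised host), an ACCEPT from
    an unlisted source shows a gap in the policy itself.
    """
    leases = parse_dhcp_leases(dhcp_text)
    findings = defaultdict(
        lambda: {"mac": None, "host": None, "attempts": 0, "dropped": 0, "accepted": 0}
    )
    for line in fw_text.splitlines():
        m = FW_RE.search(line)
        if not m or int(m.group("dpt")) != port:
            continue
        src = m.group("src")
        if src in allowed:
            continue
        f = findings[src]
        f["attempts"] += 1
        f["dropped" if m.group("action") == "DROP" else "accepted"] += 1
        f["mac"], f["host"] = leases.get(src, (None, None))
    return dict(findings)


if __name__ == "__main__":
    for src, f in sorted(find_unexpected_smtp(FIREWALL_LOG, DHCP_LOG).items()):
        who = f["host"] or "(no hostname in lease)"
        mac = f["mac"] or "(no lease found)"
        print(f"{src} {mac} {who}: {f['attempts']} SMTP attempts, "
              f"{f['dropped']} dropped, {f['accepted']} accepted")
```

On the constructed input this reports 10.0.5.23 (two dropped attempts, attributed to laptop-jsmith) and 10.0.5.41 (one dropped attempt, a lease with no hostname), while the allowed relay 10.0.1.10 and the unrelated port-443 connection are ignored; the DHCP join is what turns a bare address into a machine someone can go and look at.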
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

