IDS mailing list archives

RE: Need help to choose a security policy


From: "CEDRIC CASSIN " <anginapectoris () caramail com>
Date: Mon, 10 May 2004 14:03:48 GMT

(Send failure, so I am sending it again; a few of you may have already received it, but not everybody.)

Thank you for your quick response.

Here is a quick summary of the devices my company uses.
IDS : ISS RealSecure (HIDS and NIDS) and Cisco 4235 (NIDS)
Firewall : Cisco PIX 525 or Check Point
They are normally robust devices.
 
< I don't think that trying to match your firewall accept rules is
< precisely the best move. Better configure only rules relevant to your
< architecture (for example, you might have only one type of web server,
< so disable all rules that deal with attacks to other types of web
< servers you don't have).

It seems to correspond with my point of view. For example, if I see that SMTP
traffic is allowed, I look for all the signatures that check attacks through
this service and then make my choice among these signatures depending on my
network architecture (OS, software, etc.). This will fit my needs and decrease
logs. Am I right?

BUT... for example, I have a lot of alerts for the SQL Slammer worm, but there
is no accept rule on the firewall, so I know that the firewall will block them.
It's evidence for me that I shouldn't pay attention to this attack. This
attack will not go into the internal network, but is it interesting to keep
track of it as information about possible intruders?
Should it be considered noise like scans and so on (too much data to be
manageable)? Is it simply a scan attack, so not necessarily against us and not
really relevant?


< Last but not least, if your IDS allows you to create custom rules,


I guess it's possible.

< then you should consider creating some that verify policy compliance.
< Should your corporate web server start ftp connections to workstations
< in your internal network? If not then you might as well forbid all these
< "suspicious" activities. Much better if you can apply positive logic in
< these rules (like in firewalls), for example, in snort you could create
< 'pass' rules for that which is allowed and then create some general
< 'alert' rules that will trigger when activity other than that permitted
< is detected. This will take you time and increase your rule database,
< but these are the kind of rules that when you see them on your report
< you know that there is something very bad going on, they don't get
< obsolete so fast and they help catching unknown/new attacks, viruses/worms
< and the like (so they are worth implementing for critical servers).

It is a different way of tuning an IDS, not only matching signatures with
attacks but also analysing normal and abnormal behaviour in the traffic. Am I
right? I read some stuff about that. It seems to be quite hard. I don't know
if our IDS handles this, but I know that I can tune them with some Snort-like
rules.


< hope this helps.
Thank you very much

Regards,

Cedric Cassin

Simpler, more reliable, faster: discover the new Caramail - http://www.caramail.lycos.fr
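The "positive logic" policy-compliance idea from the quoted reply (pass rules for what a critical server is allowed to do, then general alert rules for everything else it initiates), written out as Snort 2.x rules. This is an added example, not text from either correspondent in the thread. It assumes the $HTTP_SERVERS, $HOME_NET and $EXTERNAL_NET variables from snort.conf, a constructed internal DNS resolver at 10.0.0.53, and that the web server is only permitted to serve HTTP/HTTPS and to query that resolver.

```snort
# Added example (not from the thread): policy-compliance rules for a corporate
# web server, Snort 2.x syntax. Assumptions: $HTTP_SERVERS, $HOME_NET and
# $EXTERNAL_NET come from snort.conf; 10.0.0.53 is a constructed address for
# the internal DNS resolver; the web server may only answer HTTP/HTTPS and
# resolve names. Local rules use sid values of 1000000 and above.
#
# Pass rules must be evaluated before alert rules for this to work. Check the
# rule order for your Snort version ("config order: pass alert log" in
# snort.conf, or the -o command-line switch); otherwise the general alert
# rules below will fire on the permitted traffic as well.

# --- Permitted activity: pass = stay silent ---
pass tcp $EXTERNAL_NET any -> $HTTP_SERVERS [80,443] (msg:"POLICY permitted inbound HTTP/HTTPS to web server"; flow:to_server; sid:1000001; rev:1;)
pass udp $HTTP_SERVERS any -> 10.0.0.53 53 (msg:"POLICY permitted DNS lookup from web server"; sid:1000002; rev:1;)

# --- Specific violation worth its own message (the FTP case from the reply) ---
alert tcp $HTTP_SERVERS any -> $HOME_NET 21 (msg:"POLICY web server opened FTP to internal host"; flow:to_server,established; classtype:policy-violation; sid:1000003; rev:1;)

# --- Catch-all: any other connection the web server initiates ---
# flow:to_server restricts the TCP rule to sessions where the web server is the
# client, so its normal HTTP responses (to_client) never match.
alert tcp $HTTP_SERVERS any -> any any (msg:"POLICY web server initiated non-permitted TCP connection"; flow:to_server,established; classtype:policy-violation; sid:1000004; rev:1;)
alert udp $HTTP_SERVERS any -> any any (msg:"POLICY web server sent non-permitted UDP traffic"; classtype:policy-violation; sid:1000005; rev:1;)
```

The value of this layout is that the catch-all rules carry no attack signature at all: they fire on a change in the server's behaviour, which is why they stay useful against new worms or a compromised host long after a signature-based rule would have needed an update. Each additional legitimate destination (a backup host, a logging server) becomes one more pass rule, so the rule set grows with the policy rather than with the threat catalogue.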

