IDS mailing list archives
Re: How to choose an IDS/FW MSS provider
From: Richard Bejtlich <taosecurity () gmail com>
Date: Sat, 12 Mar 2005 01:11:24 -0500
On Fri, 11 Mar 2005 10:14:23 -0500, David W. Goodrum <dgoodrum () nfr com> wrote:
Many IDS vendors are integrating Firewalls into their product, just like Firewall vendors are trying to catch up on the Layer 7 analysis. Both types of technologies are coming tgether to some degree.
I understand that market pressures and misguided research organizations are forcing access control and audit functions to converge. This is a shame. I wrote an article called "Considering Convergence?" that recommends keeping access control and audit separate. [0] Smaller organizations lacking the resources to implement defense in depth are better off buying a single "do-it-all" appliance, if the alternative is implementing little or no security. Larger organizations with the resources to field multiple technologies, follow coordinated policies, and train security staff will be more secure with distinct firewalls and intrusion detection systems.
What I'm getting at is that Defense in Depth still applies, even though these two technologies seem to be coming together rather quickly.
I agree. Any device making an access control decision is a firewall. This includes router ACLs, layer 3-4 "firewalls," and "IPSs." Responsibility for network audit should remain with the IDS. Ross Anderson's exceptional book 'Security Engineering' recommends avoiding "convergence" when he talks about bookkeeping and fraud: "With functional separation of duties, two or more different staff members act on a transaction at different points in its path. The classic example is corporate purchasing. A manager makes a purchase decision and tells the purchasing department; a clerk there writes a purchase order; the store clerk records the arrival of goods; and invoice arrives at accounts; the accounts clerk correlates it with the purchase order and the store receipt, and cuts a check; the accounts manager signs the check. The manager now gets a debit on her monthly statement for that internal account; her boss reviews the accounts to make sure the division's profit targets are likely to be met; the internal audit department can descend at any time to audit the division's books; and when the external auditors come in once a year, they will check the books of a randomly selected sample of departments." [1] The current market path is collapsing all of these decisions and responsibilities into a single point; in business, the result is massive undetected fraud. An attack bypassing a "converged appliance" will be unfiltered, undetected, and destructive. Incident response will be the only remaining strategy, and the responders will have little or no evidence to analyze and act upon. Sincerely, Richard [0] http://www.taosecurity.com/publications.html [1] 'Security Engineering' by Ross Anderson (New York, NY: Wiley, 2001), p. 190. http://www.cl.cam.ac.uk/users/rja14/ -------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. --------------------------------------------------------------------------
Current thread:
- RE: How to choose an IDS/FW MSS provider, (continued)
- RE: How to choose an IDS/FW MSS provider Randy Golly (Mar 09)
- Re: How to choose an IDS/FW MSS provider buineach (Mar 10)
- Re: How to choose an IDS/FW MSS provider Stephane (Mar 10)
- Re: How to choose an IDS/FW MSS provider buineach (Mar 10)
- Re: How to choose an IDS/FW MSS provider Kevin (Mar 11)
- Re: How to choose an IDS/FW MSS provider Stephane (Mar 10)
- RE: How to choose an IDS/FW MSS provider KoƧ.net (Mar 09)
- Re: How to choose an IDS/FW MSS provider Stephane (Mar 10)
- RE: How to choose an IDS/FW MSS provider Brady, Rick (Mar 10)
- Re: How to choose an IDS/FW MSS provider Stephane (Mar 10)
- Re: How to choose an IDS/FW MSS provider David W. Goodrum (Mar 11)
- Re: How to choose an IDS/FW MSS provider Richard Bejtlich (Mar 14)
- Re: How to choose an IDS/FW MSS provider David W. Goodrum (Mar 14)
- Re: How to choose an IDS/FW MSS provider Richard Bejtlich (Mar 14)
- Re: How to choose an IDS/FW MSS provider David W. Goodrum (Mar 14)
- Re: How to choose an IDS/FW MSS provider Richard Bejtlich (Mar 14)
- Re: How to choose an IDS/FW MSS provider Stephane (Mar 10)
- RE: How to choose an IDS/FW MSS provider Stuart Staniford (Mar 16)
- Re: How to choose an IDS/FW MSS provider Adam Powers (Mar 14)
- Re: How to choose an IDS/FW MSS provider David W. Goodrum (Mar 14)
- RE: How to choose an IDS/FW MSS provider Stuart Staniford (Mar 16)
- Re: How to choose an IDS/FW MSS provider Jason (Mar 19)
- Re: How to choose an IDS/FW MSS provider David W. Goodrum (Mar 19)