Firewall Wizards mailing list archives
Re: Intrusion Detection
From: "Marcus J. Ranum" <mjr () nfr net>
Date: Mon, 20 Apr 1998 18:29:10 -0400
Mark Horn [ Net Ops ] wrote:
> Can't this be done with two firewalls in series? Both firewalls would have the same rule set, with one exception. The outer firewall has a default deny rule that simply drops stuff. The inner firewall has a default deny rule that drops stuff, and sets off an alarm to the administrators. If the administrators ever get an alarm from the inner firewall, they know that the outer firewall is permitting things it shouldn't, or that the rulesets are out of sync. This could even be done, crudely, with a router as the outer firewall.
That sounds like it'd work great. Several times I've suggested that folks do exactly that kind of thing, usually relying on screening/logging on routers behind the firewall, to detect apparent policy mismatches between what the firewall should be allowing and what it is allowing.
> This is not, by any means, perfect. But isn't this a rudimentary policy based IDS?
Sure is!!! Based on some discussions I've had offline I'm going to stop using the "policy" word around IDS' and call them "burglar alarms" instead. It really *IS* a burglar alarm model: you know what shouldn't happen and you look for and alarm for it. That's much more of a true "intrusion detection" than an "attack detection" because the burglar alarm will not fire unless there's a clear violation of what you expect to be seeing. The effectiveness of burglar alarms will be bounded at the top end by the user's ability to clearly state what should and should not be going on within their network.

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr
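The two-firewalls-in-series "burglar alarm" described in this exchange, as an added example that is not part of the original thread or of any product mentioned in it. The outer and inner firewalls carry one shared rule set with an implicit default deny; the inner firewall logs every drop. Because anything the inner box drops should already have been dropped by the outer box, each inner drop is classified as either the outer firewall passing traffic the shared policy forbids, or the two rule sets having drifted apart. The rule representation, the syslog-style drop lines and the drifted outer rule set are all constructed for this example; they are not a real vendor's format or a real policy.

```python
"""Burglar-alarm classifier for inner-firewall drops (added example).

Assumptions (not from the original post): rules are first-match with an
implicit default deny, and the inner firewall writes one DROP line per
denied packet in the constructed format shown in INNER_DENY_LOG.
"""
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None matches any destination port

# Shared policy both firewalls are supposed to carry (constructed).
# Anything not matched falls through to the default deny.
SHARED_RULES = [
    Rule("allow", "tcp", 25),   # SMTP to the mail relay
    Rule("allow", "tcp", 80),   # HTTP to the web server
    Rule("allow", "udp", 53),   # DNS
]

OUTER_RULES = list(SHARED_RULES)
INNER_RULES = list(SHARED_RULES)
# Constructed drift: an SSH allow was added to the outer box only.
OUTER_RULES_DRIFTED = SHARED_RULES + [Rule("allow", "tcp", 22)]

def evaluate(rules, proto, dport):
    """First-match rule evaluation with an implicit default deny."""
    for r in rules:
        if r.proto in ("any", proto) and r.dport in (None, dport):
            return r.action
    return "deny"

# Constructed inner-firewall drop lines in a made-up syslog-like format.
INNER_DENY_LOG = """\
Apr 20 18:01:02 inner-fw kernel: DROP proto=tcp src=203.0.113.7 dst=192.0.2.10 dport=22
Apr 20 18:02:15 inner-fw kernel: DROP proto=tcp src=203.0.113.9 dst=192.0.2.10 dport=23
Apr 20 18:03:40 inner-fw kernel: DROP proto=udp src=198.51.100.4 dst=192.0.2.53 dport=161
"""

LOG_RE = re.compile(
    r"DROP proto=(?P<proto>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)

def parse_drop(line):
    """Extract the 5-tuple-ish fields from one DROP line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"proto": m["proto"], "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}

def classify_inner_drops(outer_rules, log_text):
    """Every inner drop is an alarm; say which failure it points at.

    If the outer rule set would have allowed the packet, the rule sets are
    out of sync.  If the outer rule set would have denied it too, the outer
    firewall is passing traffic the shared policy forbids (misconfiguration,
    bypass, or a box that is no longer in the path).
    """
    alarms = []
    for line in log_text.splitlines():
        ev = parse_drop(line)
        if ev is None:
            continue
        if evaluate(outer_rules, ev["proto"], ev["dport"]) == "allow":
            reason = "rule sets out of sync: outer allows what inner denies"
        else:
            reason = "outer firewall passed traffic the shared policy denies"
        alarms.append(("ALARM", reason, ev))
    return alarms

def rulesets_in_sync(outer_rules, inner_rules):
    """Cheap drift check to run alongside the alarm, independent of traffic."""
    return set(outer_rules) == set(inner_rules)

if __name__ == "__main__":
    for severity, reason, ev in classify_inner_drops(OUTER_RULES_DRIFTED, INNER_DENY_LOG):
        print(severity, reason, ev)
    print("in sync:", rulesets_in_sync(OUTER_RULES_DRIFTED, INNER_RULES))
```

The point of the split classification is the one Horn makes: an inner drop never means "an attack was seen", only "something the policy says cannot happen, happened", and the two explanations call for different responses (reconcile the rule sets, or go find out why the outer box is letting that traffic through). The `rulesets_in_sync` check catches the drift case before any traffic has to trigger it.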