Firewall Wizards mailing list archives
thoughts on recent IDS discussions
From: firewall-witch () bigfoot com
Date: Fri, 20 Feb 1998 11:48:42 -0500
Hi,

Like Rick Morrow I'm another lurker who wants to make a few comments. Please excuse any naivety.

As said before, congratulations to all on the quality of discussion on this list. It's been very interesting and informative reading.

I agree that "peer review" is the only way to go with security products. You can't wait for them to be broken into in a live scenario. Who would you rather exposed the vulnerabilities first: the white-hats or the black-hats? Unfortunately "security through obscurity" is not a reliable basis for a security policy, as I keep trying to convince my managers. Also, being seen to understand and react to new security issues is a definite plus for any company, as shown by Cisco's relatively recent actions. Of course this looks good to the Internet "Security Community" rather than the average customer, but I'm presuming sufficient information trickles down.

I won't go into specific software, but Marcus's comments on logging unsuccessful attacks hinted at what seems to me an often ignored aspect of security: DoS attacks on humans. Sysadmins tend to be over-worked by default, and unfortunately network security tends to be "something else" sysadmins do rather than being a specific job title. Therefore a massive amount of alarms can swamp a sysadmin to the point where she will ignore future warnings. So something else to consider with IDSs, and firewalls for that matter, is the way that issues are reported. Unfortunately I haven't had time to do more than scan the CIDF spec, but humans are listed amongst the A-boxes. The weaknesses explored in the SNI paper show that completely fake attacks could be presented to an IDS, so the sysadmin will spend time examining vulnerabilities to, and protecting against, non-existent attacks.

Having said that, the place of IDSs is very important. I think the problem is, as Ptacek has stated, marketing departments are being over-zealous.
Kurt Ziegler's signature states:

+++++++++++
AbirNet returns network control back to your company. SessionWall-3 provides you all the capabilities you need to fearlessly connect your business to the Internet and effectively manage your Intranet usage in a single easy to use affordable software product. See us at www.AbirNet.com
+++++++++++

"Fearlessly?" I like SessionWall-3, a lot, but I wouldn't protect the perimeter with it. IDSs are very useful for the "forensic and ballistic" part of network security, both during and after attempts. If identical attacks are being run against your network from multiple addresses, either the news is out about a particular weakness, or the latest hack has made its way around the #hack fraternity and it's just your turn. For example, in our case we do get some (insert OS here) related attacks, but word has yet to get around that we're an (insert OS vendor here) site. However, while a firewall would (possibly) just block the attempts, an IDS logging attacks would alert us to the fact that the standard (insert OS here) exploits, *and those exploits only*, are being used. Know your enemy - and know what they know of you. (Having looked through my saved emails I see I'm basically seconding Panayiotes Psihoyios's comments above.)

Also, the current IDSs have a place to prevent and detect the use of standard attacks by script kiddies and saboteurs on your internal networks. Unless you've got a rogue high-up in IT, any potential internal hacker will be using known attacks; they therefore can be stopped, and logs used to effect immediate dismissal. This prevents having the "crunchy on the outside, soft on the inside" security policy, as stated by Paul Cardon. And with the added functionality of SessionWall-3 (the only product I can speak of), if IDSs are sniffing anyway they can log network and Internet use of employees. So if your machines start BSODing, search through the logs for "winnuke".
One final point - this message has been posted anonymously for various reasons. You're all presumably pretty dedicated to the security side of the industry and have decent budgets, and some of you are CEOs or equivalent. Unfortunately I do not have the budget or authority, and to speak honestly I need to disclose that there are weaknesses, even if I dare not be specific. My apologies.
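The two practical points in the post above, that a flood of alarms is a DoS attack on the sysadmin and that the same attack arriving from many addresses tells you "the word is out", worked as an added example. This is not code from the original message, nor from SessionWall-3 or any other product named in it. It reads constructed IDS alert lines, collapses them per signature, labels a signature seen from several distinct sources as widespread, and pages a human only once per (signature, source) per time window so repeats are counted rather than shouted. The line format, addresses, signature labels and thresholds are all assumptions made for this example.

```python
"""Aggregate and throttle IDS alerts so the admin sees a digest, not a flood.

Added example, not code from the original post or from any product it names.
The alert line format, addresses, signature labels and thresholds below are
constructed for illustration; a real IDS needs its own parser and tuning.
"""
import re
from datetime import datetime, timedelta

# Constructed sample alerts (not real traffic): "<ISO time> <src> -> <dst> <signature>"
SAMPLE_ALERTS = """\
1998-02-20T11:00:01 10.1.1.5 -> 192.0.2.10 winnuke
1998-02-20T11:00:03 10.1.1.7 -> 192.0.2.10 winnuke
1998-02-20T11:00:09 10.1.1.9 -> 192.0.2.11 winnuke
1998-02-20T11:00:15 203.0.113.4 -> 192.0.2.20 cgi-probe
1998-02-20T11:00:16 203.0.113.4 -> 192.0.2.20 cgi-probe
1998-02-20T11:00:17 203.0.113.4 -> 192.0.2.20 cgi-probe
1998-02-20T11:00:18 203.0.113.4 -> 192.0.2.21 cgi-probe
1998-02-20T11:00:19 203.0.113.4 -> 192.0.2.21 cgi-probe
1998-02-20T11:00:20 203.0.113.4 -> 192.0.2.22 cgi-probe
1998-02-20T11:00:21 203.0.113.4 -> 192.0.2.22 cgi-probe
1998-02-20T11:00:22 203.0.113.4 -> 192.0.2.23 cgi-probe
1998-02-20T11:00:23 203.0.113.4 -> 192.0.2.23 cgi-probe
1998-02-20T11:00:24 203.0.113.4 -> 192.0.2.24 cgi-probe
1998-02-20T11:05:00 198.51.100.9 -> 192.0.2.30 imapd-probe
1998-02-20T11:06:30 198.51.100.9 -> 192.0.2.30 imapd-probe
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+) (\S+)$")


def parse_alert(line):
    """Return a dict for one alert line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, sig = m.groups()
    return {"time": datetime.fromisoformat(ts), "src": src, "dst": dst, "sig": sig}


def summarize(lines):
    """Collapse alerts per signature: count, distinct sources and targets, time span."""
    summary = {}
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        s = summary.setdefault(a["sig"], {"count": 0, "sources": set(),
                                          "targets": set(), "first": a["time"],
                                          "last": a["time"]})
        s["count"] += 1
        s["sources"].add(a["src"])
        s["targets"].add(a["dst"])
        s["first"] = min(s["first"], a["time"])
        s["last"] = max(s["last"], a["time"])
    return summary


def classify(summary, min_sources=3, noisy_count=10):
    """Label each signature for triage (the thresholds are arbitrary assumptions)."""
    verdicts = {}
    for sig, s in summary.items():
        if len(s["sources"]) >= min_sources:
            verdicts[sig] = "widespread"      # same exploit from many addresses
        elif s["count"] >= noisy_count:
            verdicts[sig] = "single-source"   # one address hammering away
        else:
            verdicts[sig] = "sporadic"
    return verdicts


def throttle(lines, window=timedelta(minutes=10)):
    """Page a human only on the first alert per (signature, source) in a window;
    later repeats inside the window are counted as suppressed, not paged."""
    last_paged = {}
    paged, suppressed = [], 0
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        key = (a["sig"], a["src"])
        prev = last_paged.get(key)
        if prev is None or a["time"] - prev >= window:
            last_paged[key] = a["time"]
            paged.append(a)
        else:
            suppressed += 1
    return paged, suppressed


def report(lines):
    """One digest line per signature, busiest first, plus the paging totals."""
    summary = summarize(lines)
    verdicts = classify(summary)
    paged, suppressed = throttle(lines)
    out = []
    for sig, s in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        out.append(f"{sig:12} {s['count']:3d} alerts  {len(s['sources'])} src  "
                   f"{len(s['targets'])} dst  {verdicts[sig]}")
    out.append(f"paged {len(paged)} alerts, suppressed {suppressed} repeats")
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_ALERTS.splitlines()):
        print(line)
```

Run as-is it prints three digest lines and the paging totals for the constructed sample; feeding it real alert lines means replacing `LINE_RE` with one that matches your IDS's log format. The window-based throttle is deliberately keyed on (signature, source) rather than on signature alone, so a new address using an already-seen exploit still gets through, which is exactly the "news is out" signal the post describes.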