Firewall Wizards mailing list archives
RE: IDS data collection _outside_ of a firewall
From: "Burden, James" <JBurden () caiso com>
Date: Tue, 26 Jan 1999 20:21:36 -0800
1) The word "Quality" seems to be gathering dust. Metrics may help prove that your security architecture/policy/products are worth the investment.

      Number of attacks
   --------------------- = Security justification
      Number of breaches

2) Other information may be derived from an IDS on the outside, such as: is the site/company being tested by "script kiddies" or a higher life form...

3) The world is growing smaller and smaller by the day. Many organizations operate alone in cyberspace. They may communicate with another entity, but do not share security resources as a single unit. What seems to be the advantage of the military and government over the commercial world is a command tiered infrastructure. This allows the sharing of resources, the necessary communication protocols, and the trust that is required between entities (within limits of course). However, if a group of corporations banded together to form a "Neighborhood Watch (NW)" program for the outside of the firewalls then this could be mutually beneficial to all parties involved (Utopia, burn me at the stake ;-). Then groups of NW sharing info with other NW, or Law Enforcement, CERT, CIAC... It may be true that the IDS of today is not ready to share this type of information, but who knows of the future.

4) A complete repository of all the attacks tried against the outside of the firewall may provide insights into how the attacker found the hole. An IDS on the inside of a firewall will only show the successful attack.

5) If the firewall is compromised, then you may not have enough forensics to solve this mystery. Of course there are caveats such as IDS on the firewall, or the firewall creating a second log (to CD-ROM), or psychics...

Just some thoughts,

Jim

James L. Burden, Security Engineer and Architect
California Independent System Operator
41DF 0E4C 26E0 2FD3 8C81 A260 5C40 280E B4AE 7420
____________________________________________
To Teach is to Learn - Aaron Nimzovich
____________________________________________
-----Original Message-----
From: roger nebel [mailto:roger () homecom com]
Sent: Thursday, January 21, 1999 8:06 PM
To: Dominique Brezinski
Cc: John Kozubik; firewall-wizards () nfr net
Subject: Re: IDS data collection _outside_ of a firewall

from my experience with dod and other us agencies, and the largest commercial entities (think fortune 10), it's clear to me that dominique is dead on correct. who cares how many people stopped at the red light? they stopped, end of story, see ya. it's the jerks who ran it that you are interested in ... as one very large retail customer once told me "what could I possibly care about that which does not help or hinder us selling socks?"

--roger

Dominique Brezinski wrote:

> At 10:33 PM 1/19/99 -0800, John Kozubik wrote:
>
> > Also, the comment on having ID sensors outside the firewall is also equally flawed.
>
> I must respectfully disagree. Please refer to:
>
> http://www.nswc.navy.mil/ISSEC/CID/
>
> Notice the source of this information - DoD. As I mentioned in my post, the only organizations that have the resources necessary to implement a cyber threat detection (notice I did not use the term "intrusion detection," ... are DoD ...
>
> [snip]
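Points 2 and 4 of Jim's message argue that an outside sensor records the reconnaissance that preceded a successful attack, and hints at whether the source is an automated scanner or something more deliberate, while an inside sensor sees only what the firewall let through. The following is an added example, not code from the thread or from any of its participants. The sensor log format, every event line, the one-hour correlation window and the "five distinct ports within sixty seconds" scanner threshold are all constructed assumptions for illustration.

```python
"""Correlate outside-the-firewall IDS events with inside-the-firewall events.

Added example, not code from the original thread. The sensor log format
and all event lines below are constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed sample data: "timestamp sensor source_ip dst_port signature".
# The outside sensor sees everything aimed at the perimeter.
OUTSIDE_EVENTS = """\
1999-01-26T18:40:00 outside 192.0.2.44 80 http-head-probe
1999-01-26T19:58:01 outside 203.0.113.7 21 ftp-banner-probe
1999-01-26T19:58:02 outside 203.0.113.7 23 telnet-banner-probe
1999-01-26T19:58:02 outside 203.0.113.7 25 smtp-vrfy-probe
1999-01-26T19:58:03 outside 203.0.113.7 80 http-head-probe
1999-01-26T19:58:03 outside 203.0.113.7 111 rpc-portmap-dump
1999-01-26T19:58:04 outside 203.0.113.7 143 imap-banner-probe
1999-01-26T20:02:10 outside 203.0.113.7 80 http-cgi-phf-attempt
1999-01-26T20:05:33 outside 198.51.100.9 80 http-cgi-phf-attempt
"""

# Only traffic the firewall passed (here, port 80) reaches the inside sensor,
# so both sources look identical from the inside alone.
INSIDE_EVENTS = """\
1999-01-26T20:02:11 inside 203.0.113.7 80 http-cgi-phf-attempt
1999-01-26T20:05:34 inside 198.51.100.9 80 http-cgi-phf-attempt
"""


def parse_events(text):
    """Parse one whitespace-separated event per line into dicts; skip blanks."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sensor, src, port, sig = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "sensor": sensor,
            "source": src,
            "port": int(port),
            "signature": sig,
        })
    return events


def precursors(inside_event, outside_events, window=timedelta(hours=1)):
    """Outside events from the same source in the window ending at the inside event."""
    start = inside_event["time"] - window
    return sorted(
        (e for e in outside_events
         if e["source"] == inside_event["source"]
         and start <= e["time"] <= inside_event["time"]),
        key=lambda e: e["time"],
    )


def profile_source(events, burst=timedelta(seconds=60), min_ports=5):
    """Label a source by what the outside sensor saw of it.

    A sweep across many services in a short burst is characteristic of an
    automated scanner; a single specific request with no visible
    reconnaissance is not explained by the outside data alone.
    The burst length and port count thresholds are arbitrary assumptions.
    """
    if not events:
        return "no outside events"
    first = events[0]["time"]
    ports_in_burst = {e["port"] for e in events if e["time"] - first <= burst}
    if len(ports_in_burst) >= min_ports:
        return "scripted scan"
    return "targeted, no visible reconnaissance"


def correlate(inside_events, outside_events):
    """For each inside alert, attach the outside events that led up to it."""
    report = []
    for hit in inside_events:
        pre = precursors(hit, outside_events)
        report.append({
            "source": hit["source"],
            "inside_signature": hit["signature"],
            "precursors": pre,
            "profile": profile_source(pre),
        })
    return report


if __name__ == "__main__":
    outside = parse_events(OUTSIDE_EVENTS)
    inside = parse_events(INSIDE_EVENTS)
    for entry in correlate(inside, outside):
        print(f"{entry['source']}: inside saw {entry['inside_signature']}; "
              f"outside saw {len(entry['precursors'])} prior event(s) -> {entry['profile']}")
        for e in entry["precursors"]:
            print(f"    {e['time'].isoformat()} port {e['port']:>4} {e['signature']}")
```

Run stand-alone, the report shows the two inside alerts as identical phf attempts, but the outside data separates them: one source swept six services in three seconds before finding the CGI hole, the other sent a single request with no visible probing. The unrelated probe from 192.0.2.44 never produced an inside alert and is not reported, which is the "stopped at the red light" traffic Roger dismisses; whether to keep it anyway is exactly the question the thread is debating.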
Current thread:
- IDS data collection _outside_ of a firewall John Kozubik (Jan 20)
- Re: IDS data collection _outside_ of a firewall Dominique Brezinski (Jan 21)
- Re: IDS data collection _outside_ of a firewall roger nebel (Jan 26)
- <Possible follow-ups>
- RE: IDS data collection _outside_ of a firewall Burden, James (Jan 27)
- RE: IDS data collection _outside_ of a firewall Marc Delince (Jan 27)
- RE: IDS data collection _outside_ of a firewall Dominique Brezinski (Jan 28)
- RE: IDS data collection _outside_ of a firewall Marc Delince (Jan 28)
- Re: IDS data collection _outside_ of a firewall John Kozubik (Jan 28)