Firewall Wizards mailing list archives
Re: IDS data collection _outside_ of a firewall
From: Dominique Brezinski <dom_brezinski () securecomputing com>
Date: Wed, 20 Jan 1999 13:47:40 -0800
At 10:33 PM 1/19/99 -0800, John Kozubik wrote:
> Also, the comment on having ID sensors outside the firewall is also equally flawed. I must respectfully disagree. Please refer to: http://www.nswc.navy.mil/ISSEC/CID/

Notice the source of this information - DoD. As I mentioned in my post, the only organizations that have the resources necessary to implement a cyber threat detection (notice I did not use the term "intrusion detection," because ID outside the firewall will alert you of threats you may already be stopping at the firewall, whereas ID inside the firewall will alert you of actual intrusions) are DoD. Very few commercial companies (I have heard that a few very large and profitable technology companies do have counter-intel groups, but so far no references are verifiable) have the resources or expertise to respond to threats that don't lead to actual intrusions. The sentence following the quoted sentence stated this.

> for a detailed explanation on two tried and true methods of IDS - Network Flight Recorder, and the STEP system. Both methods call for the data collection portion of the IDS to sit outside of the firewall, in the DMZ.

Because that customer is military (reason stated later).

> It should be quite clear to anyone familiar with the subject of IDS that the collection station is _necessarily_ outside of the firewall.

If, and only if, the organization has the resources to analyze the detected threats (not intrusions) and use the information appropriately. An overwhelming number of commercial companies do not. For instance, analyzing the data to determine if competitors are actively attempting to gather information from your computer systems and making that analysis available to senior management (competitive intelligence and counter-intelligence operations) would be an appropriate use of external ID sensors. Network ID does not actually inform one of intrusions, rather just the potential of intrusion, so it is best for this kind of data gathering. Very few US companies have competitive intelligence groups, and even fewer have counter-intelligence groups. Now, I could be wrong in my estimations of how many companies have these capabilities, but my experiences do not lead me to believe that is the case. However, I am looking for verifiable data to the contrary.

> For instance, it would be somewhat difficult to detect netbios scans if you are watching with a machine that is inside a firewall that is blocking 135, 137, etc. (you are blocking those, aren't you? :)

So, who cares if NetBIOS scans are occurring if the firewall or perimeter router is blocking them? Is your organization really going to dedicate the resources to responding to a neutralized threat? What are the benefits to responding? With a well developed intelligence capability such information could be useful, but such capabilities are very rare outside of the DoD or equivalents.

Dominique Brezinski CISSP
(206) 898-8254
Secure Computing
http://www.securecomputing.com
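As an added illustration of the distinction argued in this thread (not code from the original posts or from either poster): a small Python triage routine that checks alerts from a sensor outside the firewall against the perimeter rule set, so that scans for ports the firewall already drops (NetBIOS 135-139 in the example) are demoted to "neutralized threat", while traffic the firewall would pass, or anything seen by a sensor on the inside, stays an intrusion candidate. The rule set, the alert records and the two labels are all constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class FirewallRule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "any"
    dst_net: str           # destination network in CIDR notation
    dst_ports: frozenset   # destination ports; empty means any port

@dataclass(frozen=True)
class Alert:
    sensor: str    # "external" (DMZ side) or "internal" (behind the firewall)
    src: str
    dst: str
    proto: str
    dport: int
    signature: str

# Constructed perimeter policy, first match wins: NetBIOS is dropped,
# only HTTP/HTTPS to the web subnet is permitted, everything else is denied.
FIREWALL_POLICY = [
    FirewallRule("deny", "tcp", "10.0.0.0/8", frozenset({135, 137, 138, 139})),
    FirewallRule("deny", "udp", "10.0.0.0/8", frozenset({135, 137, 138, 139})),
    FirewallRule("permit", "tcp", "10.0.1.0/24", frozenset({80, 443})),
    FirewallRule("deny", "any", "0.0.0.0/0", frozenset()),
]

def firewall_permits(alert, policy=FIREWALL_POLICY):
    """Return True if the first matching rule would let this traffic through."""
    dst = ip_address(alert.dst)
    for rule in policy:
        if rule.proto not in ("any", alert.proto):
            continue
        if dst not in ip_network(rule.dst_net):
            continue
        if rule.dst_ports and alert.dport not in rule.dst_ports:
            continue
        return rule.action == "permit"
    return False  # implicit deny when no rule matches

def triage(alert, policy=FIREWALL_POLICY):
    """Internal-sensor hits and externally seen traffic the firewall would pass
    are intrusion candidates; externally seen traffic the firewall drops is a
    threat that has already been neutralized at the perimeter."""
    if alert.sensor == "internal" or firewall_permits(alert, policy):
        return "intrusion-candidate"
    return "neutralized-threat"

# Constructed sample alerts from both sensor positions.
SAMPLE_ALERTS = [
    Alert("external", "198.51.100.7", "10.0.1.20", "tcp", 139, "NetBIOS session scan"),
    Alert("external", "198.51.100.7", "10.0.1.20", "tcp", 80, "HTTP probe"),
    Alert("internal", "10.0.1.55", "10.0.1.20", "tcp", 139, "NetBIOS session scan"),
]

def summarize(alerts, policy=FIREWALL_POLICY):
    """Count alerts per triage label, the figure a response team would look at first."""
    counts = {}
    for a in alerts:
        label = triage(a, policy)
        counts[label] = counts.get(label, 0) + 1
    return counts
```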